Published: February 11, 2020
The Domain Name System (DNS) is essentially the phone book of the Internet. It is what makes names like antonmcclure.com, google.com, facebook.com, oracle.com, linkedin.com, medium.com, and the many other sites and web applications we use on a day-to-day basis resolve to the IP addresses of the servers that host them. As more and more people use the Internet, more and more malicious people and groups will try to take advantage of this system.
Since the beginning, DNS has carried queries over UDP by default, falling back to TCP only when a response is too large to fit in a single datagram. UDP is fast, but it is connectionless: there is no handshake, so anyone who can reach a resolver can send it a packet whose source address claims to be the authoritative server. If such a forged answer is accepted, the site you end up at might not be the one you were looking for. If you want to do online banking, buy a product, make investments, or do anything else online, you'd want to be sure that you're in the right place.
The DNS protocol, designed in the 1980s, gives a resolver no way to verify a response beyond checking that it appears to come from the server that was asked and that it echoes the 16-bit transaction ID, the port and the question of an outstanding query. None of those values is secret: the source address is trivially forged in UDP and the rest can be guessed, so a match proves nothing about who actually sent the answer.
An attacker can impersonate the authoritative servers and spoof responses for chosen domains without the user noticing anything.
These attackers can also poison the cache of a legitimate recursive resolver by sending it a forged response that it accepts and stores. Every user of that resolver who then looks up the name receives the fraudulent address, for as long as the poisoned record's TTL lasts.
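To make the gap concrete, here is an added example (not code from the original post) that models the only checks a pre-DNSSEC recursive resolver can apply to a UDP reply: source address, destination port, transaction ID and question. It builds and parses real DNS wire-format messages with the standard library; the server address, query name, ID, port and answer addresses are constructed (RFC 5737 documentation ranges), not real infrastructure.

```python
import struct

# Added example, not code from the original post: a minimal model of the checks a
# pre-DNSSEC recursive resolver can apply to a UDP reply. The server, transaction ID,
# port and addresses below are constructed (RFC 5737 documentation ranges).

def encode_name(name: str) -> bytes:
    """Dotted name to DNS wire format: length-prefixed labels, root label last."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, off: int):
    """Read a wire-format name at msg[off], following RFC 1035 compression pointers.
    Returns (lowercased name with trailing dot, offset just past the name)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels).lower() + ".", off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer to a name earlier in the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels += [part for part in tail.split(".") if part]
            return ".".join(labels).lower() + ".", off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def build_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """A reply as an authoritative server (or a forger) would send it: header with
    QR/RD/RA set, the echoed question, and one A record for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def parse_response(msg: bytes) -> dict:
    """Parse the header, the single question and the answer section of a reply."""
    txid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "qname": qname, "qtype": qtype, "answers": answers}

def accept_response(ctx: dict, src_ip: str, dst_port: int, payload: bytes):
    """Everything a classic resolver can verify about a reply to its outstanding query:
    it must appear to come from the server that was asked, arrive on the ephemeral port
    the query left from, and echo the 16-bit ID and the question. None of these values
    is secret, so a forged datagram that guesses them is accepted like the real one."""
    if src_ip != ctx["server"]:
        return False, "source address mismatch"
    if dst_port != ctx["sport"]:
        return False, "destination port mismatch"
    reply = parse_response(payload)
    if reply["id"] != ctx["id"]:
        return False, "transaction ID mismatch"
    if (reply["qname"], reply["qtype"]) != (ctx["qname"], ctx["qtype"]):
        return False, "question mismatch"
    return True, reply["answers"]

def poisoning_demo() -> dict:
    """The resolver's state for one outstanding query, then three incoming replies: the
    genuine one, a forgery with a wrong ID, and a forgery that guessed ID and port while
    spoofing the authoritative server's source address (trivial over UDP)."""
    ctx = {"id": 0x1A2B, "sport": 40123, "server": "192.0.2.53",
           "qname": "www.example.com.", "qtype": 1}
    genuine = build_response(0x1A2B, "www.example.com", "198.51.100.10")
    wrong_id = build_response(0x1A2C, "www.example.com", "203.0.113.66")
    guessed = build_response(0x1A2B, "www.example.com", "203.0.113.66")
    return {
        "genuine": accept_response(ctx, "192.0.2.53", 40123, genuine),
        "wrong_id": accept_response(ctx, "192.0.2.53", 40123, wrong_id),
        "wrong_port": accept_response(ctx, "192.0.2.53", 40124, guessed),
        "guessed": accept_response(ctx, "192.0.2.53", 40123, guessed),
    }

if __name__ == "__main__":
    for label, (accepted, detail) in poisoning_demo().items():
        print(f"{label:10s} accepted={accepted} {detail}")
```

Run it and the `guessed` case is accepted with 203.0.113.66 as the answer, indistinguishable from the genuine reply: once an attacker hits the right ID and port, the resolver caches whatever address the forgery carries. Randomizing the ID and source port raises the number of guesses needed, but it only makes the race harder, not impossible, which is the gap that signed records close.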
DNS Security Extensions (DNSSEC), in comparison to plain DNS, is the unspoofable Caller ID of the Internet, designed to add the missing authentication to this system. It lets a resolver verify that the answer it received is the one the zone's operator actually signed, so the addresses it hands to applications are the ones that were really published.
The security benefit it provides is this: DNSSEC ensures that answers are digitally signed, and a validating resolver can check that the records it received are identical to those published by the authoritative DNS server, following a chain of signatures from the root zone down to the domain. It does not encrypt queries or hide which names you look up; what it protects is the integrity and authenticity of the records. For anyone who cares that their IP addresses and records reach users unaltered, DNSSEC provides that well-needed security for DNS.
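The chain of signatures works because each parent zone publishes a DS record, a hash of the child zone's key-signing DNSKEY, and a validating resolver recomputes that hash before trusting anything signed with the key. Here is an added example (not code from the original post) that computes the RFC 4034 key tag and the DS record for a DNSKEY and then performs the resolver's comparison. The DNSKEY is a constructed 64-byte value in the shape of an ECDSA P-256 key (algorithm 13), not a real key; the zone name example.com is illustrative.

```python
import base64
import hashlib
import struct

# Added example, not code from the original post: how the DNSSEC chain of trust links
# a child zone's key to its parent. The parent publishes DS = H(owner name || DNSKEY RDATA);
# a validating resolver recomputes it before trusting signatures made with that key.
# The key bytes below are constructed (0x01..0x40) so the key tag can be checked by hand.

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def canonical_owner_name(name: str) -> bytes:
    """Owner name in wire format, lowercased (RFC 4034 section 6.2 canonical form)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5):
    sum the RDATA as big-endian 16-bit words, fold in the carry, keep 16 bits."""
    ac = 0
    for i in range(0, len(rdata), 2):
        hi = rdata[i]
        lo = rdata[i + 1] if i + 1 < len(rdata) else 0
        ac += (hi << 8) | lo
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY such as
    'example.com. 3600 IN DNSKEY 257 3 13 <base64>' into (owner, flags, protocol, algorithm, key)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, protocol, algorithm, pubkey

def ds_record(dnskey_line: str, digest_type: int = 2) -> str:
    """The DS record the parent zone publishes for this DNSKEY:
    digest = H(canonical owner name || DNSKEY RDATA)."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGESTS[digest_type](canonical_owner_name(owner) + rdata).hexdigest().upper()
    return f"{owner.lower().rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    """What a validating resolver does with the parent's DS: recompute it from the child's
    DNSKEY and compare key tag, algorithm, digest type and digest. Any change to the key
    (a substituted DNSKEY in a forged reply) breaks the match."""
    fields = ds_line.split()
    idx = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[idx + 1:idx + 4])
    digest = "".join(fields[idx + 4:]).upper()
    expected = ds_record(dnskey_line, dtype).split()
    return [int(expected[3]), int(expected[4]), int(expected[5]), expected[6]] == [tag, alg, dtype, digest]

# Constructed key-signing key: flags 257 = ZONE|SEP, protocol 3, algorithm 13 (ECDSAP256SHA256).
FAKE_KEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()
EXAMPLE_DNSKEY = f"example.com. 3600 IN DNSKEY 257 3 13 {FAKE_KEY_B64}"
# Same record with the first key byte altered, standing in for a swapped-in attacker key.
TAMPERED_DNSKEY = ("example.com. 3600 IN DNSKEY 257 3 13 "
                   + base64.b64encode(bytes([0xFF]) + bytes(range(2, 65))).decode())

if __name__ == "__main__":
    parent_ds = ds_record(EXAMPLE_DNSKEY)
    print(parent_ds)
    print("genuine DNSKEY matches parent DS:", ds_matches(parent_ds, EXAMPLE_DNSKEY))
    print("tampered DNSKEY matches parent DS:", ds_matches(parent_ds, TAMPERED_DNSKEY))
```

For this constructed key the tag works out to 2098, which you can confirm by summing the 34 big-endian words of the RDATA and folding the carry. On a real zone, the same computation is what BIND's `dnssec-dsfromkey` performs on your key-signing key to produce the DS line you give to your registrar; the DS digest is what binds the parent's delegation to exactly one key, so a forged DNSKEY cannot be slipped into the chain.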
DNSSEC is complicated, but that doesn't need to make it impossible for your domains to be secure. Feel free to get started protecting your domain with DNSSEC. Free solutions exist for popular DNS software such as BIND 9, or you can use a hosted solution such as Cloudflare DNSSEC, which I recommend and personally use for DNS. The setup process was very simple, and the benefits greatly outweighed leaving users exposed to spoofed responses, or self-hosting the authoritative DNS server and opening my server and others' servers to various attacks.
If you haven't done so already, learn more about DNSSEC, and know that you're helping make the Internet a safer place for everyone.