One of the cornerstones of the Internet is the Domain Name System, also known by its acronym DNS. The purpose of this protocol is to translate the domain names used by users into IP addresses that can be interpreted by machines.
This protocol dates back to the 1980s, a time when functionality prevailed over security, and DNS was no exception. DNS servers work with distributed databases in which they store records with domain information and their IPs. The existing security deficiencies in this protocol make it susceptible to falsification of these records, with the consequent risks of redirection to malicious sites and impersonation, among others.
To solve these problems, what are known as the Domain Name System Security Extensions (DNSSEC) were designed.
What is DNSSEC and how does DNSSEC work?
The new protocol features are based on asymmetric cryptography, also known as public key cryptography. DNSSEC relies on two different keys: a public key, which, as its name suggests, can be freely published, and a private key, which should be known only to its owner. Signatures generated with the private key and checked with the public key make it possible to tell whether a message has been modified, thus guaranteeing the integrity and authenticity of the message.
When a user performs a lookup for a DNSSEC-enabled domain, the information needed to resolve it, i.e. the IP address of the domain being looked up, is sent in the process. Along with it, several key signatures associated with the different DNS servers that have been queried are also sent.
If, when checked, these signatures do not match each other, the query cannot be validated as legitimate: the chain of trust has been broken and it is therefore not safe to access the website. Conversely, if the signatures match each other, the user will be able to access the website, since the process has been authenticated and the chain of trust has not been broken.
What are the benefits of using DNSSEC?
The use of DNSSEC adds a layer of authenticity to data that plain DNS sends without any security extensions, preventing spoofing attacks such as those that redirect the victim to malicious sites, for example phishing pages. It also increases protection against traffic observation and interception attacks, since the chain of trust provided by DNSSEC detects such tampering.
DNSSEC is not a feature that most users can enable as it depends on the ISP or Internet Service Provider that has been contracted.
The following image shows a representation of a cybercriminal attacking a DNSSEC-enabled website.
- The attacker accesses the vulnerable DNS server and modifies the IP address associated with the web server to a fraudulent one under his control.
- The user searches in his web browser for the domain tienda.es.
- The user’s local DNS server asks the root DNS server where it can find the DNS server for .es domains.
- The root DNS server responds with the IP address of the DNS server for .es domains, together with the signatures of the root server and of the next DNS server to be queried.
- The local DNS server queries the .es DNS server for the tienda.es domain.
- The .es DNS server returns the IP address of the tienda.es DNS server, together with the signatures of the .es server and of the next DNS server to be queried.
- The local DNS server asks the tienda.es DNS server for the IP address of its web server.
- The tienda.es DNS server returns the fraudulent IP address of the web server and signatures associated with the tienda.es domain.
- The local DNS server provides the IP address of the web server to the user’s computer.
- The user’s computer verifies that the chain of trust provided by DNSSEC has been broken as the signatures of the tienda.es DNS server do not match the signatures provided by the .es DNS server and therefore does not access the tienda.es website.
In the following scenario an attacker intercepts traffic to redirect the user to a fraudulent website.
- The user searches in his web browser for the domain tienda.es.
- The user's local DNS server returns the IP address of the legitimate web server and the signatures of the various DNS servers queried in the process, but this reply passes through the attacker who is intercepting the traffic.
- The attacker modifies the IP address to that of a web server under his control.
- The attacker returns the fraudulent IP address and DNSSEC signatures to the user.
- The user’s computer checks that the chain of trust provided by DNSSEC has been broken as the signatures do not match what they should be and does not access the tienda.es website.
In both cases the chain of trust provided by DNSSEC is broken because the signatures used to authenticate it do not match what they should be, so the user will not access the fraudulent website.
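The signature checking described in the "how does DNSSEC work" section and the two scenarios above, as an added Python simulation that is not part of the original article: each zone (root, .es, tienda.es) gets a toy RSA key pair, each parent publishes a DS record holding the digest of its child's DNSKEY, and a validator walks the chain from the resolver's root trust anchor down to the tienda.es answer. The key sizes, the zone key layout (one key per zone rather than separate KSK/ZSK) and the IP addresses are constructed for the example.

```python
import hashlib, math

def digest(data, n):                 # SHA-256 of the record text, reduced into the key modulus n
    return int(hashlib.sha256(str(data).encode()).hexdigest(), 16) % n

def next_prime(n):                   # smallest prime >= n, by trial division (toy sizes only)
    while any(n % k == 0 for k in range(2, int(n ** 0.5) + 1)): n += 1
    return n

def keygen(seed):
    # Toy textbook RSA with ~20-bit primes: shows the mechanics only, never use in practice.
    p = next_prime(seed); q = next_prime(p + 2)
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while math.gcd(e, phi) != 1: e += 2
    return (n, e), pow(e, -1, phi)   # ((n, e) is the public DNSKEY, d the private signing key)

def sign(key, rrset):                # RRSIG: the zone's private key over its RRset
    (n, _), d = key
    return pow(digest(rrset, n), d, n)

def verify(pub, rrset, sig):         # anyone holding the DNSKEY can check the RRSIG
    return pow(sig, pub[1], pub[0]) == digest(rrset, pub[0])
def ds(pub):                         # DS record: digest of the child's DNSKEY, published by the parent
    return digest(pub, 1 << 256)

def validate(anchor, chain):
    # chain: (zone, dnskey, rrset, rrsig) from root to leaf; each non-leaf rrset is the child's DS.
    expected = anchor
    for zone, dnskey, rrset, rrsig in chain:
        if ds(dnskey) != expected:
            return False, f"DNSKEY of {zone} does not match the DS signed by its parent"
        if not verify(dnskey, rrset, rrsig):
            return False, f"RRSIG over the {zone} data does not verify"
        expected = rrset
    return True, "chain of trust intact"

ROOT, ES, SHOP, EVIL = (keygen(s) for s in (900001, 910001, 920001, 930001))
GOOD, BAD = "tienda.es. A 203.0.113.10", "tienda.es. A 198.51.100.66"  # constructed addresses
CHAIN = [(".", ROOT[0], ds(ES[0]), sign(ROOT, ds(ES[0]))),
         ("es.", ES[0], ds(SHOP[0]), sign(ES, ds(SHOP[0]))),
         ("tienda.es.", SHOP[0], GOOD, sign(SHOP, GOOD))]
ANCHOR = ds(ROOT[0])                 # the resolver's configured root trust anchor

def scenario(kind):
    chain = list(CHAIN)
    if kind == "intercept":          # second scenario: IP swapped in transit, signatures kept
        chain[2] = ("tienda.es.", SHOP[0], BAD, CHAIN[2][3])
    elif kind == "resign":           # first scenario: the fake IP signed with the attacker's own key
        chain[2] = ("tienda.es.", EVIL[0], BAD, sign(EVIL, BAD))
    return validate(ANCHOR, chain)
```

Calling `scenario("legit")`, `scenario("intercept")` and `scenario("resign")` reproduces the three outcomes: an intact chain, a signature that no longer covers the tampered address, and a substituted key that the parent's DS does not vouch for.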
INCIBE-CERT has prepared a complete DNSSEC implementation and best practices guide. In it you can obtain more information about the technical aspects of these security improvements on the DNS protocol.
How do I know if my website has DNSSEC?
To find out if your web page has DNSSEC there are several tools on the Internet that allow it, such as:
Checking a domain with DNSSEC, we obtain the following result:
On the other hand, if we check against a domain without DNSSEC, the result is:
If, after checking the use of DNSSEC on your domain, you see that it does not have this security enhancement, it is advisable to contact your ISP and ask them to implement it. If you do not get an affirmative answer, it is advisable to look for another provider that does offer it; in this way we increase security for the company and especially for our customers, as well as improving our digital reputation.
DNSSEC is a security enhancement that every website should have as it increases the integrity and authenticity of a protocol that is of vital importance on the Internet. Do not wait any longer and ask your ISP to implement DNSSEC, if they have not already done so.