Domain Name System Security Extensions (DNSSEC) is a good way to add an extra security layer to your domains. It is an advanced DNS feature that attaches digital signatures to DNS information, so that the authenticity of the source domain name can be established.
It is designed to protect Internet users from falsified DNS data, for example being sent to a misleading or malicious address rather than the one you actually wanted to visit.
Once you enable DNSSEC, DNS lookups must carry a digital signature proving that the origin of the site’s DNS data is genuine. This is very helpful for preventing some types of attacks. If the digital signature does not match, the site will not open in the browser.
How does DNSSEC work?
The main goal of DNSSEC is to protect Internet users from forged DNS data by validating the digital signatures inserted into that data.
Whenever a user enters a domain name in a browser, the resolver verifies the digital signature.
The digital signatures in the data must match those held by the master DNS server. Only then is the data passed on to the user’s computer that made the request.
These digital signatures make sure that the user is communicating with the website they intended to visit.
DNSSEC implements a system of public keys and digital signatures to validate the information. It adds new record types alongside the existing DNS records: DNSKEY and RRSIG, which can be retrieved just like the more common records such as A, CNAME, and MX.
They are used to digitally “sign” a domain with a method called public-key cryptography.
A signed nameserver has a private key and a public key for every zone. Every time a user makes a request, it sends data signed with its private key, and the recipient verifies it with the public key. If someone attempts to send misleading information, the signature will not verify with the public key, so the recipient will identify the data as false.
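To make the signing and verification described above concrete, here is an added example in Go (not code from the original article): a toy zone signs an A record set with an Ed25519 private key, the way an authoritative server produces an RRSIG, and a resolver checks it with the public key it would take from the DNSKEY record. The RRSet type, the canonical() encoding and the example addresses are simplifications constructed for this demonstration, not the real DNS wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRSet is a simplified resource record set (owner name, type, TTL, rdata values),
// a constructed stand-in for the real DNS wire format.
type RRSet struct {
	Name string
	Type string
	TTL  uint32
	Data []string
}

// canonical builds the byte string that gets signed. As RFC 4034 requires for
// real RRSIGs, the owner name is lowercased and the rdata is sorted, so record
// order and name case cannot change the signature.
func canonical(rr RRSet) []byte {
	data := append([]string(nil), rr.Data...)
	sort.Strings(data)
	return []byte(fmt.Sprintf("%s|%s|%d|%s",
		strings.ToLower(rr.Name), rr.Type, rr.TTL, strings.Join(data, ",")))
}

// Sign plays the authoritative server: the zone's private key produces the
// signature that would be published in the RRSIG record.
func Sign(priv ed25519.PrivateKey, rr RRSet) []byte {
	return ed25519.Sign(priv, canonical(rr))
}

// Validate plays the resolver: the public key from the zone's DNSKEY record
// checks the RRSIG against the data actually received.
func Validate(pub ed25519.PublicKey, rr RRSet, rrsig []byte) bool {
	return ed25519.Verify(pub, canonical(rr), rrsig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // zone key pair (constructed)
	rr := RRSet{Name: "www.example.com.", Type: "A", TTL: 300, Data: []string{"192.0.2.10"}}
	rrsig := Sign(priv, rr)
	fmt.Println("genuine answer validates:", Validate(pub, rr, rrsig))
	forged := rr
	forged.Data = []string{"198.51.100.99"} // attacker swaps the address, keeps the RRSIG
	fmt.Println("forged answer validates:", Validate(pub, forged, rrsig))
}
```

A real validating resolver additionally checks the RRSIG validity window and walks the chain of trust (DS records) up to the root before accepting the DNSKEY it uses here.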
What does it protect against?
The fundamental protection DNSSEC provides is to stop third parties from falsifying records. It also guarantees the integrity of the domain by protecting against:
False zones: DNSSEC helps protect against malicious DNS attacks that abuse the DNS system and return fake results for zones. These zones may not even exist, and attackers take advantage of the gaps between zones. DNSSEC provides mechanisms to prevent such gaps from being exploited and secures the whole zone. This is also called authenticated denial of existence.
DNS cache poisoning: This is a form of man-in-the-middle attack. Criminals flood a DNS resolver with fake DNS data. In some cases these attacks succeed in planting a false result inside the cache of the DNS resolver. As a result, the resolver hands this malicious, false address to every user requesting that specific website, and this continues until the TTL (Time-to-Live) of the cached entry expires.