DNS was designed over 30 years ago, when security was not a primary goal of the Internet. Without additional protection, an attacker sitting between a user and their resolver (or poisoning the resolver's cache) can spoof records and send users to phishing sites. DNSSEC lets a validating resolver detect forged records, and for most domains it is easy to activate.
DNS itself is not secure
The DNS protocol has no built-in way to verify that a response has not been tampered with, or that some other part of the lookup has not been intercepted by an attacker. A plain DNS answer is trusted simply because it arrived with a matching transaction ID and port.
This matters because every time a user wants to reach your website, their resolver has to perform a DNS lookup to translate your domain name into an IP address. If the user connects from an untrusted network, such as a coffee-shop Wi-Fi, an attacker on that network can intercept the query and answer it with forged records before the genuine reply arrives. By changing the A record, they can redirect the user to a malicious page while the address bar still shows your domain. Off-path attackers can attempt the same thing by poisoning a recursive resolver's cache, which then hands the forged record to every client of that resolver.
Fortunately, there is a fix: DNSSEC (DNS Security Extensions). It secures DNS lookups by having the zone owner sign its DNS records with a private key; the corresponding public key is published in the zone as a DNSKEY record, and resolvers use it to verify the signatures (RRSIG records) that accompany each answer. With DNSSEC enabled, a validating resolver that receives a forged response rejects it and returns SERVFAIL instead of passing the bogus record on. Attackers don't have the private key used to sign the genuine records, so they can no longer pass off fakes as authentic. Note that validation is normally performed by the recursive resolver rather than the browser; users benefit only when their resolver validates, which the major public resolvers do.
The signing is linked all the way up the chain of trust. When a resolver looks up example.com, it starts at the DNS root zone, which is managed by IANA, then moves to the top-level domain's zone (.com, for example), and then to your domain's name servers.
At each step the resolver checks that the parent vouches for the child. The root zone's key-signing key is the trust anchor built into the resolver's configuration. The root zone publishes a signed DS record containing a hash of the .com key-signing key; .com in turn publishes a signed DS record for your zone's key-signing key, and your zone's keys sign your records. Because each link is signed by the zone above it, an attacker cannot substitute their own key for yours without also forging the parent zone's signature, which they cannot do without the parent's private key.
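The delegation check described above, as an added example that is not code from the original post: it implements the two RFC 4034 computations that tie a parent's DS record to a child's key-signing key (the DNSKEY key tag from Appendix B and the SHA-256 DS digest from RFC 4509), then walks a constructed root -> com -> example.com chain and shows an attacker-substituted key failing the check. All keys and the zone layout are made up for illustration; RRSIG signature verification, the other half of validation, is omitted because the Python standard library has no DNSSEC signature primitives.

```python
"""DNSSEC chain-of-trust check (added example, stdlib only).

Implements the DNSKEY key tag (RFC 4034 Appendix B) and the DS digest
(RFC 4034 s5.1.4 with SHA-256 per RFC 4509), then walks a constructed
delegation chain the way a validating resolver does. The key bytes are
made up; real keys are RSA/ECDSA public keys. RRSIG checking is omitted.
"""
import hashlib
from dataclasses import dataclass

DIGEST_SHA256 = 2  # DS digest type for SHA-256 (RFC 4509)


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int     # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes  # constructed bytes in this example
    protocol: int = 3  # always 3 for DNSSEC

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B: 16-bit checksum over the RDATA, used to pick a key quickly."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def ds_digest(owner: str, key: DNSKEY) -> str:
    """DS digest = SHA-256(canonical owner name || DNSKEY RDATA), upper-case hex as in zone files."""
    return hashlib.sha256(name_to_wire(owner) + key.rdata()).hexdigest().upper()


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def make_ds(owner: str, key: DNSKEY) -> DS:
    """The record a zone owner hands to its registrar for publication in the parent zone."""
    return DS(key.key_tag(), key.algorithm, DIGEST_SHA256, ds_digest(owner, key))


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """What a validator checks at each delegation: the parent's DS must commit to this KSK."""
    return (ds.key_tag == key.key_tag()
            and ds.algorithm == key.algorithm
            and ds.digest_type == DIGEST_SHA256
            and ds.digest == ds_digest(owner, key))


def validate_chain(trust_anchor: DS, zones) -> bool:
    """zones: ordered list of (zone, ksk, {child_zone: DS}) from the root down.

    Each zone's KSK must match the DS its parent published; the root's DS is the
    configured trust anchor. Any broken link fails (a real validator also
    distinguishes 'insecure' via an NSEC proof that no DS exists; skipped here).
    """
    expected = trust_anchor
    for i, (zone, ksk, child_ds) in enumerate(zones):
        if not ds_matches(zone, expected, ksk):
            return False
        if i + 1 < len(zones):
            next_zone = zones[i + 1][0]
            if next_zone not in child_ds:
                return False
            expected = child_ds[next_zone]
    return True


def demo() -> dict:
    """Genuine chain validates; the same chain with a swapped example.com key does not."""
    root_ksk = DNSKEY(257, 8, bytes(range(64)))       # constructed, not the real root KSK
    com_ksk = DNSKEY(257, 8, b"\xaa" * 32)
    example_ksk = DNSKEY(257, 13, b"\x42" * 32)
    attacker_ksk = DNSKEY(257, 13, b"\x43" * 32)      # same flags/algorithm, different key

    trust_anchor = make_ds(".", root_ksk)             # what resolvers ship with
    zones = [
        (".", root_ksk, {"com.": make_ds("com.", com_ksk)}),
        ("com.", com_ksk, {"example.com.": make_ds("example.com.", example_ksk)}),
        ("example.com.", example_ksk, {}),
    ]
    spoofed = zones[:2] + [("example.com.", attacker_ksk, {})]
    return {"genuine": validate_chain(trust_anchor, zones),
            "spoofed": validate_chain(trust_anchor, spoofed)}


if __name__ == "__main__":
    print(demo())
```

To check the digest routine against real data, paste the root zone's KSK (flags 257) from a `DNSKEY` query for `.` into `make_ds(".", key)` and compare the result with the root trust anchor IANA publishes; for KSK-2017 the key tag is 20326.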
It is sometimes claimed that DNS over HTTPS (DoH) will make DNSSEC unnecessary. It will not, because the two protect different things. DoH (like DNS over TLS) encrypts the channel between the client and its resolver, which stops an attacker on the local network from reading or tampering with queries and prevents ISPs from seeing your browsing history, which is why Comcast is pushing against it. But DoH does not authenticate the records themselves: a DoH resolver can still be fed poisoned data by the servers it queries, and the resolver operator can still return whatever it likes. DNSSEC authenticates the data regardless of which transport delivered it, so the two are complementary. DoH is currently an optional feature in Chrome and Firefox, with OS-level support announced for Windows, and in any case you will want DNSSEC on your zone so that validating resolvers can reject forged answers.
How to Activate DNSSEC
If you run a website, especially one that handles user data, you should enable DNSSEC to close off this attack vector. There is nothing hard about it, as long as your DNS provider doesn't offer it only as a "premium" feature, as GoDaddy does. In that case we recommend switching to a provider such as Google Domains, which won't make you pay for basic security. You can read our guide on transferring your domain. One thing to keep in mind: enabling DNSSEC involves two parties, the DNS host that signs your zone and the registrar that publishes your DS record in the parent zone. When both roles are with the same provider this is one step; when they are split, you must copy the DS record from the host to the registrar yourself, and a zone that is signed but has no DS at the parent is still unvalidated.
If you're using Google Domains, setup is a single checkbox, found in the domain console under "DNS" in the sidebar: check "Enable DNSSEC". It takes a few hours to generate the keys, sign the zone and publish the DS record at the registry. Google also runs a validating public resolver that supports DNS over HTTPS, so users who point at it get both protections. That is not "complete" security, but it does close the DNS-level attacks discussed here.
If you're using AWS Route 53, it did not support DNSSEC signing when this was written; AWS has since added it (December 2020), so check the current Route 53 documentation before planning around this limitation. The original gap was a direct consequence of the dynamic features that make Route 53 attractive in the first place: alias records, DNS-level load balancing, health checks, and latency- and geolocation-based routing, where the answer is computed per query and could not reasonably be pre-signed every time it changed.
One thing was always possible: if your domain is registered with Route 53 but its DNS is hosted on your own nameservers or with another provider that signs the zone, you can publish the DS record through Route 53 acting as the registrar. The restriction applied to zones using Route 53 as the DNS service, not to domains merely registered there.