Introduction to DNSSEC

 


 

 

Why DNSSEC?

Simply put, DNSSEC prevents false information from being spoofed into the domain name infrastructure of the internet, and so prevents your web browser from connecting to a fake website that sits at a different IP address than the real one. Using phishing methods, such a website could lure you into giving out your personal, login or other sensitive data (for example, if it pretends to be the website of your bank). DNSSEC provides an additional level of security, thanks to which the web browser can verify whether the answer to its DNS query is authentic, i.e. whether it has been altered by a hacker somewhere along the way. In all of the most popular browsers, visibility of this verification can either be added by the user or is already directly supported.

 

What is DNSSEC?

DNSSEC is an abbreviation for the Domain Name System (DNS) Security Extensions, a set of specifications that make it possible to secure information provided by the DNS infrastructure in IP networks (i.e. mainly on the internet) against spoofing and intentional manipulation. Through an electronic signature, the DNS client (resolver) can verify the origin of the data, their integrity, or the validity of the non-existence of a DNS record. Please note that DNSSEC provides neither encryption of the communication (i.e. its confidentiality) nor a guarantee of its availability; those are provided by other tools.

 

More about DNSSEC

How does DNS work?

The DNS infrastructure (DNS stands for Domain Name System) provides translation of domain names into IP addresses and vice versa.

If we want to display a website, we simply enter its address in the standard format (i.e. the URL format, Uniform Resource Locator, e.g. www.bank.sk) into the address bar of the browser and the website is loaded. Thus we do not need to remember the IP address that locates this website: the IP address is the real address in the internet network and the domain name is only its “humanization”. This process is called Domain Name Resolution and it is provided by so-called name servers (also called DN or DNS servers). An IP address looks, for example, like “120.14.7.7”, which is of course rather more difficult to remember than e.g. “carrotland.sk” in the domain name format.

After we enter a web address into the address bar of the browser, our device connects to the name servers to ask them for the IP address of the device from which the given website should be downloaded. These name servers are globally coordinated by the central infrastructure, which is administered by the US organization ICANN (Internet Corporation for Assigned Names and Numbers). The user’s device subsequently uses this IP address so that the browser can display the requested website.

 

What is the technology behind DNSSEC?

DNSSEC (Domain Name System Security Extensions) is a set of technical specifications for the Domain Name System (DNS) that let the DNS client verify that the data received from the DNS server are authentic.

DNSSEC uses asymmetric encryption: one key for encryption and another one for decryption. A similar principle is used for encrypting and electronically signing emails (OpenPGP, S/MIME). The holder of a domain that uses DNSSEC generates a pair of keys, one private and one public (or the registrar provides these keys). The technical details of the domain are then electronically signed with the private key. The public key, stored with the superior authority of the domain, is then used to verify the authenticity of the technical data by checking the validity of this signature through the entire hierarchy of superior signatures, all the way to the root.

After the launch of DNSSEC, the technical data of the top-level domain .SK will be signed and the registry manager SK-NIC, a.s. will hand over the public key for this signature to its own superior authority, the worldwide manager of the DNS root servers. This will create a hierarchy that ensures the credibility of the data as long as it is not breached at any point, i.e. as long as there are no errors or misconfigurations and all electronic signatures are in order.
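The link between a zone's public key and its superior authority can be made concrete. The following added example (not part of the original page) computes the DS record a parent zone publishes for a child's DNSKEY, following RFC 4034 and RFC 4509, and checks a received key against it. The zone name example.sk and the key bytes are constructed placeholders, and signature verification itself is left out.

```python
import hashlib
import hmac
import struct

def wire_name(name: str) -> bytes:
    """Canonical DNS wire format: lowercase length-prefixed labels + root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> dict:
    """DS record held by the parent: SHA-256 over owner name + DNSKEY RDATA."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": digest}

def dnskey_matches_ds(owner: str, rdata: bytes, ds: dict) -> bool:
    """True only if the key served by the child is the one the parent vouches for."""
    if ds["digest_type"] != 2:          # this sketch handles SHA-256 only
        return False
    mine = make_ds(owner, rdata)
    return (mine["key_tag"] == ds["key_tag"]
            and mine["algorithm"] == ds["algorithm"]
            and hmac.compare_digest(mine["digest"], ds["digest"]))

# Constructed sample data: the key bytes are placeholders, not real keys.
ZONE = "example.sk."
GENUINE_KEY = dnskey_rdata(257, 15, bytes(range(32)))        # KSK flag, Ed25519
SUBSTITUTED_KEY = dnskey_rdata(257, 15, bytes(range(1, 33)))
PARENT_DS = make_ds(ZONE, GENUINE_KEY)    # what the .sk zone would hold

if __name__ == "__main__":
    print("DS at parent:", PARENT_DS)
    print("genuine key accepted:",
          dnskey_matches_ds(ZONE, GENUINE_KEY, PARENT_DS))
    print("substituted key accepted:",
          dnskey_matches_ds(ZONE, SUBSTITUTED_KEY, PARENT_DS))
```

A validating resolver repeats this check at every delegation, so a key that the parent zone does not vouch for breaks the chain before any of its signatures are trusted.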

 

Security Bottlenecks of DNS

The DNS infrastructure (Domain Name System) provides translation of domain names into IP addresses and vice versa, but by design it has no protection against spoofing of false data into this communication. For example, if the address “www.sk-nic.sk” is entered into a browser, it can be modified in the course of system communication to resolve to a false IP address, while the address bar of the browser still displays “www.sk-nic.sk”; hence the user will not normally notice that the browser has in reality displayed a false website. Standard protection via HTTPS won’t necessarily be sufficient in this case, because the HTTPS certificate might not be issued by a trustworthy authority and the DNS communication also runs across a different layer of communication. By contrast, DNSSEC is trustworthy in such a case, since DNSSEC has its own verification of authenticity, and the DNS manager is controlled in various ways and is not created arbitrarily, as is the case with commercial certification authorities.

When the DNS system was created at the beginning of the 1980s, no special attention was paid to the security mechanisms of this protocol. Computers of that time were significantly less powerful, asymmetric cryptography (using a pair of public and private keys) was still a new concept, and the global computer network was significantly smaller, with a relatively low number of interconnected people and institutions who knew each other. Over the past 30 years, the use of the internet has increased dramatically and the DNS protocol has become vulnerable, which required the creation and use of additional security mechanisms.

There are several major security risks of the DNS system:

  1. DNS hijacking: A computer opens a website using the IP address provided in response to its query to the DNS server. In the case of DNS hijacking, the attacker changes the DNS settings of the computer in such a way that whenever the computer sends a DNS query for IP address translation, it is connected to a false DNS server controlled by the attacker instead of the authentic DNS server of the internet provider. Such an attack usually occurs when the computer is infected with malicious code, e.g. a DNS-altering trojan. After it infects the computer, the malicious code changes the DNS settings and replaces the address of the authentic DNS server with the address of the malicious server. As a result, the affected computer does not receive the correct IP address of the requested webpage but a malicious IP address that directs the user’s traffic to the attacker’s website, and the web browser thus displays a malicious website.
  2. DNS Cache Poisoning: DNS cache poisoning is a situation in which malicious data are stored in the cache memory of a computer instead of the authentic record. For example, if we enter the website “sk-nic.sk” for the first time, our computer sends a DNS query to the corresponding DNS server and the answer is stored in the DNS cache memory together with a time stamp specifying how long this record is valid. If we enter “sk-nic.sk” again during this time period, our computer will not ask the DNS server but will retrieve the IP address from the DNS cache memory. In the case of cache poisoning, attackers use malicious tricks to force the computer to save false DNS records containing IP addresses of malicious websites controlled by the attackers. It’s obvious what can happen once these are used.
  3. Electronic mail: When email messages are sent from one server to another, the email servers send DNS queries in order to receive the IP addresses of the email servers corresponding to the email addresses of the recipients. In this case, attackers can use their malicious methods to force email servers to redirect all or selected electronic mail to the attacker’s servers, where the attackers can subsequently read all the (sensitive) data contained in the email.

However, this list of security risks is not exhaustive; other threats exist as well. DNSSEC helps to secure against these as well as other forms of attack.