What is DNSSEC?

Learn what DNSSEC is and how you can use it to add an extra layer of protection for the end users of your websites and applications.

Rafael Rigues - Technical Researcher

DNSSEC (Domain Name System Security Extensions) is a set of extensions for the original DNS specification. They add security features to a service that is one of the cornerstones of the Internet, making it harder to execute attacks that may harm users, whether individuals or companies.

But before we can explain what DNSSEC is, we need to understand what DNS is, its importance, and the reasons to be concerned about its security.

What Is DNS?

When you open a browser and type in a website address, a lot happens behind the scenes. All computers connected to the Internet communicate using the Internet Protocol (IP), where each machine has an identifier known as an “IP address”.

A computer always uses an IP address to establish a connection with another. In version 4 of the IP protocol (IPv4), this address is written as a numerical sequence of up to 12 digits, such as 192.168.1.102.

In version 6 (IPv6) of the protocol, the address is a hexadecimal sequence of up to 32 characters, like fe80::1c4a:8111:b690:bf18. This makes it possible to have a much larger number of addresses, which is necessary given the ever-increasing number of devices connected to the Internet.

And here lies the problem: we humans are not very good at memorizing numerical sequences. Phone numbers are a good example of this: many people would have a hard time remembering the numbers of the five people they most often talk to. Now just imagine memorizing your entire contact list, or the IP addresses of your favorite websites!

To solve this, the phone book was invented. These printed directories contained the name and phone number of all the phone company’s subscribers in a city or region, in alphabetical order by last name, making it easy to search.

To find out the phone number for “John Doe,” you open the book to the “D” section and search for “Doe, John.” Phone books have fallen out of favor these days, but the contact list on your smartphone plays a similar role.

DNS Is a “Phone Book” for the Internet

The Domain Name System (DNS) is a hierarchical structure that works like a “phone book” for the Internet. DNS servers keep records with the IP addresses of computers connected to the network, associated with an easier-to-remember domain name, and convert between the two forms.

When you type the domain name www.google.com into a browser, your computer queries your internet service provider’s DNS server, which replies that the corresponding IP addresses are, for example, 142.250.218.4 (IPv4) or 2800:3f0:4001:811::200 (IPv6). Now the browser knows with whom it should establish a connection to request the website’s content.

Figure: the regular process of IP address resolution. During normal DNS resolution, a client sends a URL to the DNS server (1), which replies with an IP address (2) that is used to establish a connection (3). Image: Azion Technologies.
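The exchange just described, as an added example that is not part of the original article or Azion's code: a Go program that builds the query a client sends (step 1) and parses the reply a server returns (step 2), using the wire format of RFC 1035. The reply is constructed inside the program rather than captured from a live server, and the name www.example.com., the address 192.0.2.10 and the transaction ID 0x1234 are sample values chosen for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Answer is one A record taken from a response's answer section.
type Answer struct {
	Name string
	TTL  uint32
	IP   net.IP
}

// BuildQuery encodes a standard query for the A record of name (RFC 1035, section 4.1).
func BuildQuery(id uint16, name string) []byte {
	msg := make([]byte, 12) // header: only ID, flags and QDCOUNT are non-zero
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // RD=1: ask the server to recurse for us
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT=1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	return append(msg, 0, 0, 1, 0, 1) // root label ends the name; QTYPE=A, QCLASS=IN
}

// readName decodes the domain name at off, following compression pointers
// (RFC 1035, section 4.1.4), and returns it with the offset just past the name.
func readName(msg []byte, off int) (string, int, error) {
	var labels []string
	end := -1                           // fixed at the first pointer we follow
	for hops := 0; hops < 32; hops++ { // bounded so a pointer loop cannot hang us
		if off >= len(msg) {
			return "", 0, errors.New("name runs past end of message")
		}
		l := int(msg[off])
		switch {
		case l == 0:
			if end < 0 {
				end = off + 1
			}
			return strings.Join(labels, ".") + ".", end, nil
		case l&0xC0 == 0xC0 && off+2 <= len(msg): // two-byte pointer to an earlier name
			if end < 0 {
				end = off + 2
			}
			off = int(binary.BigEndian.Uint16(msg[off:]) & 0x3FFF)
		case l < 64 && off+1+l <= len(msg):
			labels = append(labels, string(msg[off+1:off+1+l]))
			off += 1 + l
		default:
			return "", 0, errors.New("malformed or truncated label")
		}
	}
	return "", 0, errors.New("compression pointer loop")
}

// ParseResponse applies the only consistency checks plain DNS offers (the reply
// echoes our ID and question), then returns the A records from the answer section.
func ParseResponse(query, resp []byte) ([]Answer, error) {
	if len(query) < 12 || len(resp) < len(query) || !bytes.Equal(resp[:2], query[:2]) ||
		!bytes.Equal(resp[12:len(query)], query[12:]) || resp[2]&0x80 == 0 {
		return nil, errors.New("not a response to our query")
	}
	off := len(query) // answers start right after the echoed question
	var out []Answer
	for i := int(binary.BigEndian.Uint16(resp[6:])); i > 0; i-- { // ANCOUNT records
		name, next, err := readName(resp, off)
		if err != nil {
			return nil, err
		}
		if next+10 > len(resp) || next+10+int(binary.BigEndian.Uint16(resp[next+8:])) > len(resp) {
			return nil, errors.New("truncated resource record")
		}
		typ, ttl := binary.BigEndian.Uint16(resp[next:]), binary.BigEndian.Uint32(resp[next+4:])
		rdlen := int(binary.BigEndian.Uint16(resp[next+8:]))
		if typ == 1 && rdlen == 4 { // TYPE A carries a four-byte IPv4 address
			out = append(out, Answer{Name: name, TTL: ttl, IP: net.IP(append([]byte(nil), resp[next+10:next+14]...))})
		}
		off = next + 10 + rdlen
	}
	return out, nil
}

// SampleResponse is a constructed reply (not captured traffic) to BuildQuery(id,
// "www.example.com."): the echoed question plus one A record whose owner name is
// a compression pointer back to the question name at offset 12.
func SampleResponse(id uint16) []byte {
	resp := BuildQuery(id, "www.example.com.")
	resp[2], resp[3] = 0x81, 0x80           // flags: QR=1, RD=1, RA=1
	binary.BigEndian.PutUint16(resp[6:], 1) // ANCOUNT=1
	resp = append(resp, 0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0x0E, 0x10) // NAME pointer, TYPE=A, CLASS=IN, TTL=3600
	return append(resp, 0, 4, 192, 0, 2, 10)                     // RDLENGTH=4, RDATA=192.0.2.10
}

func main() {
	query := BuildQuery(0x1234, "www.example.com.")
	answers, err := ParseResponse(query, SampleResponse(0x1234))
	if err != nil {
		panic(err)
	}
	fmt.Println("answers:", answers) // [{www.example.com. 3600 192.0.2.10}]
}
```

Note what the parser can and cannot check: the reply must echo the query's transaction ID and question section, and malformed or truncated records are rejected rather than misread, but nothing in a plain DNS message proves who produced the answer or that the address in it is genuine.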

In addition to being more convenient for humans, this system has another practical advantage: a change in a server’s IP address is invisible to users. The domain name remains the same, and only the DNS servers need to be updated with the new address.

Likewise, multiple IP addresses can answer for the same domain, with the DNS server indicating the most suitable one for the user considering factors such as geographic distance or response time, in what is known as Intelligent DNS [1].

Can We Trust the Responses from a DNS Server?

When a DNS server has no record corresponding to a domain, it queries other DNS servers recursively until it obtains an answer. This response is then cached to speed up future queries.

And therein lies a crucial flaw in the DNS system: by design, server responses are not validated. An attacker can “fool” a DNS server by posing as a legitimate server higher up in the hierarchy and delivering a response with false data about a domain, such as an IP address under their control.

Figure: how an attacker can pose as a legitimate DNS server and deliver a falsified response to a client. During an attack, the client sends a URL (1) and the server replies with the IP address (2). However, an attacker can intercept the data and return a tampered response with a different IP (3), leading the client to a server under their control. Image: Azion Technologies.

As a result, all traffic from the fooled server’s users to that domain is redirected to the address controlled by the attacker, who can then deliver malicious content or steal data. This type of attack is known as “DNS Spoofing”.

DNS Spoofing, a Real Threat

In 2018, users of more than 70 models of routers from popular brands in Brazil were victims of a malware called GhostDNS, which modified router settings so that they would use a malicious DNS server.

When accessing the websites of large banks, users were redirected to IP addresses under the control of criminals, with fake websites where their access credentials were stolen.

At the time, a Netlab survey [2] determined that nearly 100,000 routers in Brazil were infected, redirecting traffic from the 50 most popular sites in the country, including banks and large e-commerce portals.

The Solution: DNSSEC

DNSSEC (officially Domain Name System Security Extensions) is a set of extensions on top of the original DNS specifications. It provides a mechanism for authenticating responses from compatible DNS servers: the records they return are signed with a cryptographic key.

By verifying these signatures, a resolver can authenticate a response, which makes it difficult to manipulate or spoof the information and to carry out attacks such as DNS Spoofing. An important point is that DNSSEC was designed to remain compatible with legacy DNS servers that do not support its extensions.

It is worth mentioning that DNSSEC does not encrypt data: records continue to flow in clear text. An analogy is a document with a notarized signature: the signature guarantees the authenticity of the document, but does nothing to keep its content private.
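How the signing and validation described above fit together, as an added example that is neither Azion's code nor a real DNSSEC implementation: a Go program using Ed25519 (DNSSEC algorithm 15, RFC 8080) in which the zone signs a set of A records (its RRSIG), the parent zone publishes a digest of the zone's public key (its DS record), and a validating resolver checks the whole chain before trusting an answer. The record, RRSIG and DS encodings here are simplified text forms chosen for this example rather than the wire formats of RFC 4034; the zone name example.com., the addresses and the keys are all constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record with RDATA kept as text. Real DNSSEC
// canonicalizes records in wire format (RFC 4034, section 6); this example
// applies the same rules (lower-cased owner name, sorted RDATA) to text.
type RR struct {
	Name, Type string
	TTL        uint32
	RData      string
}

// DNSKEY is the public key a zone publishes; algorithm 15 is Ed25519 (RFC 8080).
type DNSKEY struct {
	Owner     string
	Algorithm uint8
	PublicKey ed25519.PublicKey
}

// RRSIG carries the signature over one RRset plus the fields the signature binds.
type RRSIG struct {
	TypeCovered, SignerName string
	Algorithm               uint8
	Signature               []byte
}

// NewZoneKey generates a fresh key pair for the zone (a toy key, not any real zone's).
func NewZoneKey(owner string) (DNSKEY, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return DNSKEY{Owner: owner, Algorithm: 15, PublicKey: pub}, priv
}

// canonicalRRset is the deterministic form signer and validator must agree on.
// The records stay readable: DNSSEC signs the data, it does not encrypt it.
func canonicalRRset(rrs []RR) []byte {
	set := append([]RR(nil), rrs...)
	sort.Slice(set, func(i, j int) bool { return set[i].RData < set[j].RData })
	var b bytes.Buffer
	for _, rr := range set {
		fmt.Fprintf(&b, "%s\t%d\tIN\t%s\t%s\n", strings.ToLower(rr.Name), rr.TTL, rr.Type, rr.RData)
	}
	return b.Bytes()
}

// signedData is what the signature covers: the RRSIG fields (minus the signature
// itself) followed by the canonical RRset, the layout RFC 4034 section 3.1.8.1 uses.
func signedData(sig RRSIG, rrs []RR) []byte {
	hdr := fmt.Sprintf("%s|%d|%s\n", sig.TypeCovered, sig.Algorithm, strings.ToLower(sig.SignerName))
	return append([]byte(hdr), canonicalRRset(rrs)...)
}

// SignRRset is the zone operator's side: produce the RRSIG for one RRset.
func SignRRset(priv ed25519.PrivateKey, key DNSKEY, rrs []RR) RRSIG {
	sig := RRSIG{TypeCovered: rrs[0].Type, SignerName: key.Owner, Algorithm: key.Algorithm}
	sig.Signature = ed25519.Sign(priv, signedData(sig, rrs))
	return sig
}

// VerifyRRset is the validating resolver's check of one RRset against a DNSKEY.
func VerifyRRset(key DNSKEY, sig RRSIG, rrs []RR) bool {
	if sig.Algorithm != key.Algorithm || !strings.EqualFold(sig.SignerName, key.Owner) {
		return false
	}
	return ed25519.Verify(key.PublicKey, signedData(sig, rrs), sig.Signature)
}

// DSDigest is what the parent zone publishes about the child's key: a hash over
// owner name and key material, so trust chains from the root down to this zone.
func DSDigest(key DNSKEY) string {
	h := sha256.New()
	h.Write([]byte(strings.ToLower(key.Owner)))
	h.Write([]byte{key.Algorithm})
	h.Write(key.PublicKey)
	return hex.EncodeToString(h.Sum(nil))
}

// ValidateChain is the resolver's full decision: the key must match the DS record
// the parent published, and the RRset signature must verify under that key.
func ValidateChain(parentDS string, key DNSKEY, sig RRSIG, rrs []RR) bool {
	return DSDigest(key) == parentDS && VerifyRRset(key, sig, rrs)
}

func main() {
	key, priv := NewZoneKey("example.com.") // constructed zone, not real example.com data
	rrs := []RR{{Name: "www.example.com.", Type: "A", TTL: 3600, RData: "192.0.2.10"},
		{Name: "www.example.com.", Type: "A", TTL: 3600, RData: "192.0.2.11"}}
	sig, ds := SignRRset(priv, key, rrs), DSDigest(key) // ds is what the parent (.com) would hold
	fmt.Printf("signed RRset, still clear text:\n%s", canonicalRRset(rrs))
	fmt.Println("genuine answer validates:", ValidateChain(ds, key, sig, rrs))
	altered := []RR{{Name: "www.example.com.", Type: "A", TTL: 3600, RData: "198.51.100.66"}, rrs[1]}
	fmt.Println("altered answer validates:", ValidateChain(ds, key, sig, altered))
	otherKey, otherPriv := NewZoneKey("example.com.") // a key the parent never vouched for
	otherSig := SignRRset(otherPriv, otherKey, altered)
	fmt.Println("answer under unvouched key validates:", ValidateChain(ds, otherKey, otherSig, altered))
}
```

Three outcomes are worth noticing when running it: the genuine RRset validates (in any record order and regardless of name case, because both sides canonicalize first); an answer with one address swapped fails, since the signature no longer matches the data; and an answer signed with a key the parent never published a DS for fails at the chain step even though the signature is internally consistent with that key. The canonical RRset printed at the top is the same readable text that travels over the network, which is the point made above about DNSSEC signing rather than encrypting.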

As well as being a threat to home users, DNS Spoofing can also endanger corporate infrastructure. A compromised server could redirect an application’s traffic, allowing it to be intercepted or modified by attackers before it reaches its destination. Risks range from leaking user information, which violates legislation such as the General Data Protection Regulation (GDPR) in the EU, to threats to business continuity.

By enabling DNSSEC in your infrastructure’s DNS resolution process, you protect against threats such as DNS Spoofing and raise the level of security offered to your users and your organization.

Azion’s Edge Computing Platform offers DNSSEC for free with our Edge DNS service, adding an extra layer of protection for the end users of our customers’ websites and applications. For more details on how to enable this feature, see our documentation or reach out to one of our experts.

References

[1] Intelligent DNS: Learn More

[2] Roteadores infectados desviam tráfego de clientes do Itaú, Bradesco, BB e outros bancos (Infected routers divert traffic from customers of Itaú, Bradesco, BB and other banks)
