The third part of this series covers DNSSEC. Every time a browser requests a website, the request first goes through DNS. Since DNS is mostly an outsourced component, we hardly ever worry about its scalability or security. While evaluating a client's website against modern and reliable internet standards for DNS security, the first error reported contained the following information:
Too bad! Your domain is not signed with a valid signature (DNSSEC). Therefore visitors with enabled domain signature validation, are not protected against manipulated translation from your domain into rogue internet addresses.
What is DNSSEC?
The Domain Name System Security Extensions (DNSSEC) is a critical technology to secure the Domain Name System (DNS). DNSSEC provides a layer of authentication and integrity checking to the DNS, ensuring that the information transmitted is trustworthy and has not been tampered with.
DNSSEC has to be enabled by the domain registrar or the hosting provider, since they operate the authoritative DNS for the domain.
Vulnerabilities due to a domain not being signed with a valid signature
While DNSSEC has been available for many years, it is surprising that many well-known websites still lack this signature from their DNS provider. These include major cloud providers like https://www.amazon.com and https://www.microsoft.com, and DNS providers like https://www.godaddy.com.
As per https://internet.nl/faqs/dnssec/, some real-world incidents that DNSSEC could have prevented include:
- "Cache-poisoning attack snares top Brazilian bank"
- "Eircom reveals ‘cache poisoning’ attack by hacker led to outages"
- "DNS cache poisonings foist malware attacks on Brazilians"
- "Probable Cache Poisoning of Mail Handling Domains"
- "Neither Snow Nor Rain Nor MITM... An Empirical Analysis of Email Delivery Security"
One of the primary issues with not implementing DNSSEC is DNS cache poisoning. It occurs when an attacker manipulates the DNS lookup process and directs users to a fraudulent website that looks identical to the legitimate site. This is achieved by intercepting DNS queries and responding with fake records crafted to redirect the user elsewhere. DNSSEC prevents this attack by giving resolvers a mechanism to verify the authenticity of DNS records.
Another issue is DNS spoofing, which is similar to DNS cache poisoning but occurs when an attacker injects false DNS records into the cache of a DNS resolver. This allows the attacker to redirect traffic to malicious servers and intercept user communication. DNSSEC mitigates this by adding a layer of validation to the DNS records returned to the resolver: a validating resolver rejects records whose signatures do not verify instead of caching them.
Furthermore, DNSSEC can prevent man-in-the-middle (MITM) attacks on DNS by ensuring that the DNS records are authentic and have not been tampered with in transit. MITM, explained in Part 2 of this series, is when an attacker intercepts communication between the client and the server and alters the data. DNSSEC counters this for DNS responses by attaching digital signatures to the DNS records, so any alteration invalidates the signature.
Conclusion
The reasons why several websites do not implement this feature may range from lack of awareness, cost and the risk of breakage to a complex setup. Even so, adopting DNSSEC seems essential for ensuring the security and integrity of the DNS.