Secure DNS with DNSSEC

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

DNS on its own has several weaknesses:

  • DNS cache poisoning

DNS spoofing (or DNS cache poisoning) is an attack in which forged data is introduced into a DNS resolver's cache, causing the name server to return an incorrect IP address and diverting traffic to the attacker's computer (or any other computer).

  • Man-in-the-middle attack

In cryptography and computer security, a man-in-the-middle attack (often abbreviated MitM, MiM, MitMA, or the same in capital letters) is an attack in which the attacker secretly relays, and possibly alters, the communication between two parties who believe they are communicating directly with each other.

  • Domain hijacking

Domain hijacking is the act of changing the registration of a domain name without the permission of its original registrant. It can be done in several ways: generally by exploiting a vulnerability in the domain name registrar's system, through social engineering, or by gaining unauthorized access to the e-mail account associated with the domain name registration.

DNSSEC adds four new record types:

  • DNSKEY - The DNSKEY record type holds the public key that is used in the DNSSEC authentication process.
  • RRSIG - Resource Record Signature, digital signatures for a record set are stored in RRSIG records.
  • NSEC - NSEC records are designed to prove that no records exist between two different points.
  • DS - Delegation Signer record, which holds a hash of a child zone's DNSKEY so that the parent zone can vouch for it.

DNSSEC protects against forged DNS answers. DNSSEC protected zones are digitally signed to ensure the DNS records received are identical to the DNS records published by the zone owner.

DNSSEC Validation Process


                 +------------+
                 |   DNS RR   |--------------------------------+
                 +------------+                                |
                        |                                      v
                        | Hash                          +------------+
                        v                               |   DNS RR   |
                 +------------+                         +------------+
       Server    |    Hash    |------------------------>|   RRSIG    |
                 +------------+                         +------------+
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -|- - - - - - -
                                                               v
       Client    +------------+          Hash           +------------+
                 |   Hash A   |<------------------------|  DNS Data  |
                 +------------+                         +------------+
                        |                               |   RRSIG    |
                        |                               +------------+
                        |                                      |
                        v                                      v
                 +------------+      +------------+     +------------+
                 |  Validate  |<-----|   Hash B   |<----|  DNS Key   |
                 +------------+      +------------+     +------------+
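The server and client halves of the diagram above, as an added Go example that is not part of the original post. It uses only the Go standard library to build the RFC 4034 canonical form of an RRset, sign its SHA-256 hash with ECDSA P-256 (DNSSEC algorithm 13, the algorithm the post configures) in the RFC 6605 RRSIG wire format, and verify the result. The key pair is generated on the fly (it is not the zone's real key), the A records and RRSIG timestamps are the ones shown in the dig output further down, and the key tag is left at zero rather than computed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
	"sort"
	"strings"
)

// RR is one resource record in the shape RFC 4034 canonical form needs (the TTL comes from the RRSIG, so it is not stored here).
type RR struct {
	Owner       string
	Type, Class uint16
	Rdata       []byte
}

// RRSIG carries the RRSIG RDATA fields of RFC 4034 section 3.1.
type RRSIG struct {
	TypeCovered                    uint16
	Algorithm, Labels              uint8
	OrigTTL, Expiration, Inception uint32
	KeyTag                         uint16
	SignerName                     string
	Signature                      []byte
}

// wireName encodes a name in canonical wire form: lowercase, uncompressed, root-terminated.
func wireName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		if label != "" {
			out = append(append(out, byte(len(label))), label...)
		}
	}
	return append(out, 0)
}

// signedData is what both sides hash (RFC 4034 section 3.1.8.1): the RRSIG RDATA minus the signature, then every RR of the set in canonical form, sorted by RDATA into canonical order.
func signedData(sig *RRSIG, rrs []RR) []byte {
	buf := new(bytes.Buffer)
	for _, v := range []interface{}{sig.TypeCovered, sig.Algorithm, sig.Labels, sig.OrigTTL, sig.Expiration, sig.Inception, sig.KeyTag} {
		binary.Write(buf, binary.BigEndian, v)
	}
	buf.Write(wireName(sig.SignerName))
	sorted := append([]RR(nil), rrs...)
	sort.Slice(sorted, func(i, j int) bool { return bytes.Compare(sorted[i].Rdata, sorted[j].Rdata) < 0 })
	for _, rr := range sorted { // owner | type | class | original TTL | RDLENGTH | RDATA; the TTL is the RRSIG's, not the cache's decremented one
		buf.Write(wireName(rr.Owner))
		binary.Write(buf, binary.BigEndian, struct{ T, C uint16; TTL uint32; L uint16 }{rr.Type, rr.Class, sig.OrigTTL, uint16(len(rr.Rdata))})
		buf.Write(rr.Rdata)
	}
	return buf.Bytes()
}

// SignRRset is the server half of the diagram: hash the canonical RRset and sign the hash with ECDSA P-256 (algorithm 13).
func SignRRset(priv *ecdsa.PrivateKey, sig *RRSIG, rrs []RR) error {
	digest := sha256.Sum256(signedData(sig, rrs))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return err
	}
	sig.Signature = make([]byte, 64) // RFC 6605 wire form: r || s, 32 bytes each, no ASN.1 wrapper
	r.FillBytes(sig.Signature[:32])
	s.FillBytes(sig.Signature[32:])
	return nil
}

// VerifyRRset is the client half: rebuild the hash from the RRset as received and check it against the RRSIG with the zone's DNSKEY public key.
func VerifyRRset(pub *ecdsa.PublicKey, sig *RRSIG, rrs []RR) bool {
	digest := sha256.Sum256(signedData(sig, rrs))
	half := len(sig.Signature) / 2 // split r || s; a malformed length simply fails to verify
	return ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig.Signature[:half]), new(big.Int).SetBytes(sig.Signature[half:]))
}

// Demo signs the xuri.me A RRset shown in the dig output with a freshly generated key (a constructed key, not the zone's), then verifies it as received and again after one address byte is altered.
func Demo() (intact, tampered bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	rrs := []RR{
		{Owner: "xuri.me.", Type: 1, Class: 1, Rdata: []byte{104, 28, 14, 58}},
		{Owner: "xuri.me.", Type: 1, Class: 1, Rdata: []byte{104, 28, 15, 58}},
	}
	sig := &RRSIG{TypeCovered: 1, Algorithm: 13, Labels: 2, OrigTTL: 300, // "A 13 2 300" in the dig output
		Expiration: 1473666130, Inception: 1473486130, // 20160912074210 and 20160910054210 from the dig output, as Unix time
		KeyTag: 0, SignerName: "xuri.me."} // key tag (RFC 4034 Appendix B) not computed here; it only selects which DNSKEY to try
	if err = SignRRset(priv, sig, rrs); err != nil {
		return
	}
	spoofed := []RR{rrs[0], {Owner: "xuri.me.", Type: 1, Class: 1, Rdata: []byte{104, 28, 15, 59}}} // one byte changed in transit
	return VerifyRRset(&priv.PublicKey, sig, rrs), VerifyRRset(&priv.PublicKey, sig, spoofed), nil
}
func main() { fmt.Println(Demo()) }
```

Demo returns true for the RRset as published and false once a single address byte differs, which is exactly what a validating resolver relies on: any change to the answer after signing, whether from cache poisoning or an on-path attacker, makes Hash A and Hash B in the diagram disagree. A real validator additionally checks the Inception/Expiration window against the current time and chains the DNSKEY up through DS records to a trust anchor; those steps are not shown here.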

I have configured DNSSEC at my domain registrar and CDN service provider, using a SHA-256 digest and algorithm 13. After configuration, test DNSSEC with the dig command.

$ dig @8.8.8.8 +dnssec xuri.me

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 +dnssec xuri.me
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16132
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;xuri.me.           IN  A

;; ANSWER SECTION:
xuri.me.        299 IN  A   104.28.14.58
xuri.me.        299 IN  A   104.28.15.58
xuri.me.        299 IN  RRSIG   A 13 2 300 20160912074210 20160910054210 35273 xuri.me. /FTGXpH//f9YFPvDmxc7hG790Gth9Lv6BByICHotCJFx744RwFs2DQ1J FlKuN1BTshNKqWdnTa1R9ClOD21d7Q==

;; Query time: 112 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Sep 11 14:40:32 2016
;; MSG SIZE  rcvd: 171

If the answer contains an RRSIG record and the ad (authenticated data) flag is set, as above, the DNSSEC configuration is working.
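A small POSIX shell check for the conclusion above, added here and not part of the original post. It reads dig output on stdin and distinguishes the cases that the "RRSIG present" test alone conflates: an RRSIG with the ad flag means the resolver validated the chain; an RRSIG without ad means the zone is signed but this resolver did not validate; SERVFAIL is what a validating resolver returns when validation fails. The three samples are constructed, modelled on the output above, so the script runs without a network.

```shell
#!/bin/sh
# Constructed samples modelled on the dig output above (not live queries).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16132
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
xuri.me.        299 IN  A   104.28.14.58
xuri.me.        299 IN  RRSIG   A 13 2 300 20160912074210 20160910054210 35273 xuri.me. <base64-signature>'

SAMPLE_SIGNED_ONLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
xuri.me.        299 IN  A   104.28.14.58
xuri.me.        299 IN  RRSIG   A 13 2 300 20160912074210 20160910054210 35273 xuri.me. <base64-signature>'

SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
example.test.   299 IN  A   192.0.2.1'

SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# dnssec_status: classify one dig answer read from stdin. Prints exactly one of:
#   validated    RRSIG present and the resolver set the ad flag
#   signed-only  RRSIG present but no ad flag (resolver did not validate)
#   unsigned     no RRSIG in the answer
#   servfail     status SERVFAIL (validation failure or server error)
dnssec_status() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'status: SERVFAIL'; then
    echo servfail
    return
  fi
  has_rrsig=0
  has_ad=0
  printf '%s\n' "$out" | grep -q '[[:space:]]IN[[:space:]][[:space:]]*RRSIG[[:space:]]' && has_rrsig=1
  printf '%s\n' "$out" | grep -q '^;; flags:.*[[:space:]]ad[;[:space:]]' && has_ad=1
  if [ "$has_rrsig" -eq 1 ] && [ "$has_ad" -eq 1 ]; then
    echo validated
  elif [ "$has_rrsig" -eq 1 ]; then
    echo signed-only
  else
    echo unsigned
  fi
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_VALIDATED"   | dnssec_status
printf '%s\n' "$SAMPLE_SIGNED_ONLY" | dnssec_status
printf '%s\n' "$SAMPLE_UNSIGNED"    | dnssec_status
printf '%s\n' "$SAMPLE_SERVFAIL"    | dnssec_status
# Live use: dig @8.8.8.8 +dnssec xuri.me | dnssec_status
```

The ad flag is only an assertion by the resolver, so it is meaningful when the path to that resolver is trusted (a local validating resolver, or a remote one reached over an authenticated transport); to have the signatures checked on the querying host itself, run delv, which validates locally, instead of relying on the upstream resolver's flag.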
