DNS security is the practice of protecting DNS infrastructure from cyber attacks in order to keep it performing quickly and reliably. An effective DNS security strategy incorporates a number of overlapping defenses, including establishing redundant DNS servers, applying security protocols like DNSSEC, and requiring rigorous DNS logging.
You don’t care because you’re not ‘tech’?
Cool, but Threat Actors (the global term for hackers) actually want to get into your DNS and use it to pretend to be you. In doing so, they can send emails as your business, create fake websites to steal money, and do various other things.
Why is DNS security important?
Summary: Whoever controls your DNS can see where your traffic is going. So if you choose a provider based in another country (like Google or Cloudflare), they are bound by laws outside of Australia. Who can they sell your data to? Are they owned by another company?
Like many Internet protocols, the DNS system was not designed with security in mind and contains several design limitations. These limitations, combined with advances in technology, make DNS servers vulnerable to a broad spectrum of attacks, including spoofing, amplification, DoS (Denial of Service), or the interception of private personal information. And since DNS is an integral part of most Internet requests, it can be a prime target for attacks.
In addition, DNS attacks are frequently deployed in conjunction with other cyberattacks to distract security teams from the true target. An organization needs to be able to quickly mitigate DNS attacks so that they are not too busy to handle simultaneous attacks through other vectors.
What is DNSSEC?
DNS Security Extensions (DNSSEC) is a security protocol created to mitigate this problem. DNSSEC protects against attacks by digitally signing data to help ensure its validity. In order to ensure a secure lookup, the signing must happen at every level in the DNS lookup process.
This signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with.
DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a ‘google.com’ lookup, a root DNS server (hxxps://en.wikipedia.org/wiki/Root_name_server) would sign a key for the .COM nameserver, and the .COM nameserver would then sign a key for google.com’s authoritative nameserver (hxxps://en.wikipedia.org/wiki/Name_server).
While improved security is always preferred, DNSSEC is designed to be backwards-compatible to ensure that traditional DNS lookups still resolve correctly, albeit without the added security. DNSSEC is meant to work with other security measures like SSL/TLS (hxxps://en.wikipedia.org/wiki/Transport_Layer_Security) as part of a holistic Internet security strategy.
DNSSEC creates a parent-child chain of trust that travels all the way up to the root zone. If this chain of trust is compromised at any layer of DNS, the request becomes open to an on-path attack.
To close the chain of trust, the root zone itself needs to be validated (proven to be free of tampering or fraud), and this is actually done using human intervention. Interestingly, in what’s called a Root Zone Signing Ceremony, selected individuals from around the world meet to sign the root DNSKEY RRset in a public and audited way.
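To make the chain of trust concrete, here is an added toy model in Go (not code from the original article): each zone holds an Ed25519 key pair standing in for its DNSKEY, a SHA-256 digest of the child's key stands in for the parent's DS record, and a validating resolver walks from the root key (its trust anchor) down to a leaf A record. Zone names, the sample address records and the simplified record formats are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)
// zone is one level of the hierarchy (root, .com, example.com) holding its DNSKEY pair.
type zone struct{ name string; pub ed25519.PublicKey; priv ed25519.PrivateKey }
// signed pairs a record with the RRSIG its zone produced over it.
type signed struct{ data string; sig []byte }
func newZone(name string) zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return zone{name, pub, priv}
}
// dsDigest models the DS record a parent publishes: a hash of the child's DNSKEY (a real DS also carries key tag, algorithm and digest type).
func dsDigest(pub ed25519.PublicKey) string { h := sha256.Sum256(pub); return hex.EncodeToString(h[:]) }
// sign stands in for RRSIG generation over a record's canonical form.
func (z zone) sign(record string) signed { return signed{record, ed25519.Sign(z.priv, []byte(record))} }
// validate is the resolver side: starting from the trust anchor (the root DNSKEY), each hop verifies the
// parent's RRSIG over the DS, then checks the child's DNSKEY hashes to that DS before trusting it.
func validate(anchor ed25519.PublicKey, childKeys []ed25519.PublicKey, dsRecs []signed, leaf signed) error {
	trusted := anchor
	for i, d := range dsRecs {
		if !ed25519.Verify(trusted, []byte(d.data), d.sig) {
			return fmt.Errorf("level %d: RRSIG over DS does not verify", i)
		}
		if dsDigest(childKeys[i]) != d.data {
			return fmt.Errorf("level %d: child DNSKEY does not match parent's DS", i+1)
		}
		trusted = childKeys[i] // vouched for by its parent; now part of the chain
	}
	if !ed25519.Verify(trusted, []byte(leaf.data), leaf.sig) {
		return fmt.Errorf("leaf: RRSIG does not verify")
	}
	return nil
}
// demo builds root -> .com -> example.com, validates a genuine A record, then replays its RRSIG over a swapped address (a forged answer).
func demo() (genuineErr, forgedErr error) {
	root, com, site := newZone("."), newZone("com."), newZone("example.com.")
	keys := []ed25519.PublicKey{com.pub, site.pub}
	dsRecs := []signed{root.sign(dsDigest(com.pub)), com.sign(dsDigest(site.pub))}
	a := site.sign("example.com. A 203.0.113.10") // constructed sample answer
	forged := signed{"example.com. A 198.51.100.66", a.sig}
	return validate(root.pub, keys, dsRecs, a), validate(root.pub, keys, dsRecs, forged)
}
func main() { g, f := demo(); fmt.Println("genuine:", g, "| forged:", f) }
```

A rogue key that is not vouched for by the parent's DS fails at the key-matching step rather than at the leaf, which is the point of signing at every level.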