The Domain Name System (DNS) plays a critical part in Internet communications, as it's used to translate a human-readable computer hostname into an IP address -- such as searchsecurity.co.uk to 22.214.171.124 -- so that it can be understood and used by networking equipment, computers and software programs. It's the world's largest distributed database, but when it was originally designed back in 1984, scalability and availability were the key goals and little attention was given to security.
This lack of security has lead to a series of DNS-related vulnerabilities. For example, if attackers can change your DNS zone data -- the DNS namespace for which you're administratively responsible -- they can set up counterfeit Web servers, or cause email to be redirected to other servers. Cybercriminals are increasingly using false DNS servers to intercept legitimate Web addresses and redirect users to fake sites in order to capture personal information or install malware.
A fix for the critical shortcomings of DNS server security has been a long time coming, in large part due to the problem of maintaining backwards compatibility. But Domain Name System Security Extensions (DNSSEC) has finally been rolled out, and this new security layer is a major step towards a more secure Web address system.
DNSSEC is designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. It works by digitally signing answers to DNS queries using public-key cryptography. A DNSSEC-aware DNS resolver can use the digital signature to determine if the answer it received originated from the requested authoritative DNS server (authentication) and that it hasn't been modified (integrity). This means that when you type in a Web address, you will reach the correct Web server and not an imposter.
To provide this layer of security, DNSSEC adds four new resource record types to the DNS protocol: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS) and Next Secure (NSEC). It also adds two new DNS header flags: Checking Disabled (CD) and Authenticated Data (AD), and it requires EDNS0 support (a mechanism for extending DNS query and response messages) in order to support the larger DNS message sizes that result from the additional records.
This is an important point, as the change in the message size means that some older network devices will reject the larger-sized packets, assuming they are broken or malicious. Since May 5th, all the Internet's DNS root servers have been responding with larger, signed DNSSEC responses to DNS queries that request DNSSEC information, so ISPs and large enterprises need to ensure their networks can handle EDNS0 to avoid problems with the transition. You can test whether your current DNS resolver is capable of handling DNSSEC by running a Java reply-size tester app that can be downloaded from RIPE Labs.
More on DNSSEC
See how DNSSEC deployment challenges can be overcome.
Kaminsky interview: DNSSEC addresses cross-organizational trust and security.
Security architects fear savvy botnet attacks. Learn about DNSSEC and IPv6 security issues.
To get ready for DNSSEC, your must create and add DNSSEC data to your DNS zone data, and your servers and desktops will require OS software that supports DNSSEC. Windows 7 and Windows Server 2008 R2 include a "security-aware" stub resolver that is able to differentiate between secure and non-secure responses. The latest versions of BIND, the most popular DNS name server, have full support for DNSSEC. A DNSSEC implementation can potentially add a significant load to a DNS server, so it's a wise idea to carry out a stress test, essentially, pummelling the server with requests, to ensure that yours will have adequate resources if they have to respond to a larger number of requests.
DNSSEC is not a cure-all, however, and network administrators and users still need to guard against spam and phishing attacks. For example, phishing attacks often exploit similar-looking domain names such as www.google.co.uk and www.goog1e.co.uk. DNSSEC can't protect against such tricks. Also, DNSSEC doesn't protect against distributed denial-of-service (DDoS) attacks.
That said, DNSSEC is an extremely important development for securing the Internet as a whole. While protecting IP addresses and preventing hackers from intercepting DNS data and redirecting users to fake websites are the obvious benefits, using DNSSEC also opens the way for other Internet projects, such as a worldwide public-key infrastructure for email.
If you want to know more about DNSSEC, there are some great resources on the Internet. Dnssec.net has links to all the major DNSSEC publications and research documents, as well as the RFCs describing the DNSSEC specification. (RFC 3833 attempts to document some of the known threats to the DNS and the way DNSSEC responds to those threats.) The DNSSEC-Tools project has a set of software tools, patches, applications, wrappers, extensions and plug-ins to help with the deployment of DNSSEC-related technologies. I recommend their short DNSSEC tutorial, Learn About DNSSEC Firsthand.
The European Network and Information Security Agency (ENISA) has published a Good Practices Guide for Deploying DNSSEC aimed at information security managers responsible for defining a policy and procedures to secure the DNS services of their organisation. Microsoft also has a DNSSEC Deployment Guide that gives an overview of DNSSEC and information about how to deploy it on the Windows Server 2008 and Windows 7 operating systems. Finally, Nominet has a comprehensive article on DNSSEC and how it's being rolled out to .uk domains.
About the author:
Michael Cobb CISSP-ISSAP, CLAS, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.