Posted by Trevagh Stankard on Thu, Sep 2nd, 2021
Find out the difference between DNSSEC and DNS security in this article.
Believe it or not, the foundational structure of the Internet is barely 50 years old. DNS was created in 1983 and became an Internet standard in 1986. Email is a little older as the first person to use the @ sign to link a username with a destination server to communicate took place in 1971. Both of these standards were created during a time of innocence. To our knowledge, there were no hackers then. There were certainly no criminal organizations spreading ransomware or nation-state threat actors performing cyber espionage. It was a time in which you could trust the Internet community you were a part of.
The inventors of these technologies probably didn’t even think about security back then. Because of the persistent risks and dangers that are ever present in the digital wilderness today, we find ourselves having to bolt on security mechanisms on top of technology that wasn’t designed to be secure in the first place. Because DNS is such an integral component of basic networking and internet traffic, it is essential that you secure it. This involves the use of DNSSEC and DNS Security. Sometimes these two can be confused as being one and the same, but they aren’t.
DNS Security involves the general concept of securing your DNS infrastructure. DNSSEC is actually one aspect of this process. DNS Security entails not only implementing DNSSEC as best practice, but entails things such as keeping your DNS servers patched and up to date, securing it with a perimeter and local firewall and using other specific DNS security protocols such as DoH. For reference, DoH is known as DNS queries through HTTPS sessions in order to encrypt DNS communication through the use of a negotiated keys much like a secure website.
The Trusting Nature of DNS
Before we explain what DNSSEC does, it’s important to understand the trusting nature of native DNS. When a computer issues a DNS query in order to properly navigate a user to his or her desired website, it issues a request of assistance from a DNS server. This plea is referred to as a DNS query. There is a DNS hierarchy present throughout the world. At the top are thirteen “root” DNS servers. These servers represent the first step in the name resolution of a domain name. The root servers pretty much refer requests down to the appropriate Top Level Domain (TLD) server. These DNS servers serve as the authority for .COM, .NET, .ORG, etc. These servers then forward requests to the DNS servers of specific domains or possibly subdomains if needs be. At the end of this entire process, the client is finally issued the requested IP address of the hostname in question. The fascinating thing about all of this is how incredibly fast it all happens.
The validity of the returned IP address is based on the assumption that only the proper DNS authorities were involved. But what if they weren’t? The unsecured nature of DNS makes it susceptible to man-in-the-middle attacks. A malicious party could inject a rogue server into the process which could then refer clients to non-legitimate sites. These sites could be used to mimic a website in order to steal user credentials or download malicious code or Trojan.
How DNSSEC Works
DNSSEC is used to eliminate this inherent vulnerability of DNS to man-in-the-middle attacks. It does this by providing an added layer of authentication to the DNS response that utilizes public-key cryptography. The use of these keys verifies the DNS records associated with a domain. When multiple DNS servers are involved in a query process, each one is validated, ensuring the client that each step is legit. The thirteen root DNS servers are already protected by DNSSEC. Once a response from a root server is validated, the server provides the public keys for the server below it in the chain. That public key is then authenticated by the server’s private key. And so the cycle goes all the way down. Keep in mind that DNSSEC does not encrypt the traffic itself, that is the job of DoH. Note that DNSSEC will require more processing power for your DNS server than normal.
How to Secure your Unsecure Internet Technologies
TitanHQ is in the business of securing your DNS based internet traffic and email communication through the use of our advanced security solutions. WebTitan offers DNS security and DNS content filtering in order to prevent your users from accessing malicious sites and downloading malicious code from the internet. SpamTitan email security protects by blocking phishing attacks, ransomware and other malware based threats. While DNS and Email may have been created in an age of innocence, TitanHQ has the tools to secure them in an era of zero-trust.
Talk to a TitanHQ Security Expert to discover how to protect your DNS layer with a multi-layered security approach. Contact us today.