Introduction to DNSSEC: What beginners need to know
DNSSEC stands for Domain Name System Security Extensions. Behind the seemingly complicated term lies a series of extensions designed to enhance the security of the Domain Name System (DNS). By verifying the authenticity and integrity of the requested DNS data, it ensures that DNS records have not been tampered with.
But why is this relevant at all? Let's first consider the vulnerability present in traditional DNS queries.
The Issue of DNS Spoofing
The Domain Name System (DNS) is a crucial component of the Internet, akin to the internet's phone book, translating every domain name into an IP address. The reason is simple: computers communicate with each other via IP addresses. DNS enables us to not have to remember the IP address of every website we want to visit.
For example: When you enter www.wetter.de into your browser, it triggers a request to a DNS server to find the corresponding IP address. This is determined as 194.36.43.209 and returned by the DNS server to your browser, which then loads the website.
Unfortunately, such DNS queries are not secure enough and are vulnerable to malicious attacks. The reason is that DNS data is not protected against alteration, neither in transit nor within the servers and caches it passes through. A manipulated DNS response is therefore neither detected nor prevented.
An example of an attack on the DNS infrastructure is DNS spoofing. Here, an attacker poisons the cache of a DNS resolver (DNS server) by placing a forged DNS entry in it. When a user then requests the website, instead of receiving the IP address of the desired website, they receive the false IP and are redirected to the attacker's malicious website.
If the deception goes unnoticed by the user and they share their data on the fake website, significant damage can occur.
DNSSEC was developed to address this issue and fix the vulnerabilities of DNS. The new security protocol aims to ensure that the data in the received DNS response is authentic and unaltered. Let's take a detailed look at how this works.
What's new about DNSSEC?
DNSSEC adds an additional layer of security to DNS entries by using cryptographic signatures. When a user requests information about a domain (e.g. its IP address), the DNS server provides this information along with a digital signature. The user's device (or, more commonly, the validating resolver acting on its behalf) checks the DNS data against the digital signature using the zone's public key, which is itself published in DNS. If the signature verifies, i.e. the signed response has not been tampered with, the user can trust that they are receiving authentic information and being directed to the correct website.
Therefore, DNSSEC provides an important protection mechanism for internet users against threats like DNS spoofing, DNS cache poisoning, or man-in-the-middle attacks by preventing unauthorized changes or redirections of a domain's traffic. DNSSEC not only verifies the integrity of each record but also validates that an entry actually comes from the zone's authoritative DNS server, whose key is in turn vouched for by the next higher level of the DNS hierarchy.
The benefit: Companies protect the data published on their DNS servers, such as IP addresses, details of the mail exchange server, and host information (CPU and operating system), against tampering through DNSSEC. The enhanced security also builds more trust among users. In particular, online services reliant on exchanging confidential information (such as banking or eCommerce) can provide their customers with a high level of trustworthiness using DNSSEC.
How a DNSSEC query works
When a company signs its DNS data with its private key, a DNSSEC-enabled client checks the resulting signature with the matching public key when accessing the website. The DNS response is accepted only if the signature is valid, which ensures that the client reaches the company's genuine website and is not redirected to a fake site.
In detail, the DNSSEC validation process is carried out through the following steps using the example of the domain do.de:
1. A user enters the URL do.de into their browser. To determine the IP address for this hostname, the browser asks the DNS resolver configured on the local computer. This recursive resolver is responsible for finding and returning the correct IP address of a domain. If the IP address is already in the resolver's cache, it is returned to the browser directly.
2. Otherwise, a recursive query begins to determine the DNS server that holds the necessary information for the requested domain. Often, multiple authoritative name servers are contacted. Initially, the DNS resolver contacts the root DNS server. The root DNS server then refers to the DNS server of the top-level domain (TLD) of the domain - in our example, the global DNS server for all .de domains. The TLD DNS server then refers the resolver to the authoritative name server that manages the DNS records for the requested domain - in the example, the owner of the domain do.de.
3. At each stage, the DNS resolver requests the DNSSEC key (DNSKEY record) of the DNS zone in order to verify the authenticity of the data that zone returns. Alongside the DNS data (resource records), each authoritative DNS server also sends RRSIG records back to the DNS resolver: these contain the signatures that were created over the records with the zone's private key. The private key itself never leaves the zone operator.
4. The DNS resolver then validates these RRSIG signatures using the public zone key and thereby verifies whether the IP address entry was actually published by the authoritative name server and was not manipulated during transmission.
5. If the validation is successful, the DNS resolver sends the verified DNS response with the requested IP address to the user's DNS client.
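The five steps above, as an added illustration that is not code from the article or from Domain-Offensive: the Go program below builds a miniature chain root -> de. -> do.de. with real signatures and then validates an answer the way a resolver does. Its assumptions are deliberately simplified and are not how real DNSSEC encodes things: Ed25519 keys stand in for the RSA/ECDSA algorithms DNS uses, records are serialised as plain strings instead of DNS wire format, and the DS record is modelled as a bare SHA-256 over owner name and KSK without the real key tag and algorithm fields. The zone names follow the article's do.de example; the IP addresses are constructed documentation addresses, not do.de's real ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// RRset holds the records of one type at one owner name, e.g. the A records of do.de.
type RRset struct {
	Owner, Type string
	Data        []string
}

// Zone is one signed zone. Its private keys never leave it; only the DNSKEY RRset is published.
type Zone struct {
	Name             string
	kskPriv, zskPriv ed25519.PrivateKey
	KSK, ZSK         ed25519.PublicKey // the two public keys carried in the DNSKEY RRset
	DNSKEY           RRset             // Data = hex-encoded KSK, ZSK
	RRsets           map[string]RRset  // by type, e.g. "A" or "DS:<child>"
	RRSIGs           map[string][]byte // one signature per RRset
}

// canonical serialises an RRset so that signer and validator process identical bytes.
func canonical(rr RRset) []byte { return []byte(fmt.Sprint(rr.Owner, " ", rr.Type, " ", rr.Data)) }

// dsDigest models the DS record a parent publishes: a hash committing to the child's name and KSK.
func dsDigest(owner string, ksk ed25519.PublicKey) string {
	sum := sha256.Sum256(append([]byte(owner), ksk...))
	return hex.EncodeToString(sum[:])
}

// NewZone generates a KSK/ZSK pair (setup step 3) and signs the given RRsets.
func NewZone(name string, rrsets ...RRset) *Zone {
	z := &Zone{Name: name, RRsets: map[string]RRset{}, RRSIGs: map[string][]byte{}}
	z.KSK, z.kskPriv, _ = ed25519.GenerateKey(nil) // nil reader = crypto/rand
	z.ZSK, z.zskPriv, _ = ed25519.GenerateKey(nil)
	z.DNSKEY = RRset{name, "DNSKEY", []string{hex.EncodeToString(z.KSK), hex.EncodeToString(z.ZSK)}}
	z.RRSIGs["DNSKEY"] = ed25519.Sign(z.kskPriv, canonical(z.DNSKEY)) // DNSKEY RRset: signed by the KSK
	for _, rr := range rrsets {
		z.RRsets[rr.Type], z.RRSIGs[rr.Type] = rr, ed25519.Sign(z.zskPriv, canonical(rr)) // data: by the ZSK
	}
	return z
}

// Delegate publishes and signs the DS record for child in this parent zone (setup step 4).
func (z *Zone) Delegate(child *Zone) {
	rr := RRset{child.Name, "DS", []string{dsDigest(child.Name, child.KSK)}}
	z.RRsets["DS:"+child.Name], z.RRSIGs["DS:"+child.Name] = rr, ed25519.Sign(z.zskPriv, canonical(rr))
}

// Validate is the resolver side (steps 3-5). anchorDS is the trust anchor in DS form. Walking down the
// chain, each zone's KSK must match the DS verified in its parent, its DNSKEY RRset must verify under
// that KSK, and its ZSK must verify the next DS record or, in the last zone, the requested RRset.
func Validate(anchorDS string, chain []*Zone, rtype string) (RRset, error) {
	parentDS := anchorDS
	for i, z := range chain {
		if dsDigest(z.Name, z.KSK) != parentDS {
			return RRset{}, fmt.Errorf("%s: KSK matches neither trust anchor nor parent DS", z.Name)
		}
		if !ed25519.Verify(z.KSK, canonical(z.DNSKEY), z.RRSIGs["DNSKEY"]) {
			return RRset{}, fmt.Errorf("%s: RRSIG over DNSKEY invalid", z.Name)
		}
		want := rtype
		if i < len(chain)-1 {
			want = "DS:" + chain[i+1].Name
		}
		rr, ok := z.RRsets[want]
		if !ok || !ed25519.Verify(z.ZSK, canonical(rr), z.RRSIGs[want]) {
			return RRset{}, fmt.Errorf("%s: RRSIG over %s missing or invalid", z.Name, want)
		}
		if i == len(chain)-1 {
			return rr, nil
		}
		parentDS = rr.Data[0]
	}
	return RRset{}, fmt.Errorf("empty chain")
}

func main() {
	// Constructed chain . -> de. -> do.de.; the A record is a documentation address, not do.de's real one.
	leaf := NewZone("do.de.", RRset{"do.de.", "A", []string{"192.0.2.10"}})
	tld, root := NewZone("de."), NewZone(".")
	tld.Delegate(leaf)
	root.Delegate(tld)
	anchorDS, chain := dsDigest(root.Name, root.KSK), []*Zone{root, tld, leaf}
	fmt.Println(Validate(anchorDS, chain, "A")) // genuine answer validates
	leaf.RRsets["A"] = RRset{"do.de.", "A", []string{"203.0.113.66"}} // altered in transit, RRSIG now stale
	fmt.Println(Validate(anchorDS, chain, "A"))
	chain[2] = NewZone("do.de.", RRset{"do.de.", "A", []string{"203.0.113.66"}}) // attacker's keys: no DS
	fmt.Println(Validate(anchorDS, chain, "A"))
}
```

The two failing runs in main show why the chain matters: a record altered in the resolver's cache or on the wire no longer matches its RRSIG, and a zone an attacker signs with keys of their own verifies internally but is rejected because the parent's DS does not commit to that KSK.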
How do I set up DNSSEC?
DNSSEC must be explicitly enabled, meaning every domain owner must actively choose to sign their zone with DNSSEC.
It should be noted that not all DNS servers and resolvers currently support DNSSEC. Adapting existing infrastructure accordingly can involve a significant investment of time and money and requires a good deal of technical know-how. Administrators must not only sign their DNS zones but also roll over (replace) their keys regularly and perform regular updates and security checks.
Here is a step-by-step guide to setting up DNSSEC for your domain:
1. Check with your domain registrar for DNSSEC support
Before proceeding, make sure that your domain registrar supports DNSSEC. Not all registrars currently offer DNSSEC as an additional security protocol.
2. Enable DNSSEC with your registrar
Log in to your domain registrar's customer account and navigate to the domain management section. Look for the option to enable DNSSEC or manage your DNS settings.
3. Generate DNSSEC keys for your domain
Next, you will need to generate DNSSEC keys for your domain, which you will use to sign the DNS records of your domain and ensure their authenticity. The key pair consists of a Zone Signing Key (ZSK) and a Key Signing Key (KSK), which signs the ZSK. Your registrar should provide you with specific instructions on how to generate the required keys.
4. Publish the DNSSEC records & DS records
Now, you need to add the relevant DNSSEC records to your domain's DNS configuration. The DNSKEY records and the signatures (RRSIG records) produced by signing belong in your own zone, while the DS (Delegation Signer) record has to be passed to the parent zone, usually through your registrar. The DS record is a hash of the KSK and is stored in the parent DNS zone. Because the parent zone thereby vouches for the public key of the child zone, a chain of trust is established between the different DNS levels.
5. Verify your DNSSEC setup
Once the DNSSEC records have been added to your domain's DNS configuration, you can verify the success of the setup. There are various online tools available for DNSSEC validation, which will check the DNSSEC records of your domain for correct configuration and functionality.
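To make steps 4 and 5 concrete, here is an added example (not code from the article, from Domain-Offensive, or from any DNS software): a Go program that parses a DNSKEY record in zone-file presentation format, computes the key tag and the SHA-256 DS record defined in RFC 4034 that the parent zone has to carry, and checks a published DS against the KSK in the child's DNSKEY RRset, which is the core of what the online validation tools mentioned above do. The record line it runs on is constructed, with a three-byte dummy key instead of a real one, so that the key-tag arithmetic can be followed by hand; pointing ParseDNSKEY at a real DNSKEY line from your own zone works the same way.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// DNSKEY holds the RDATA fields of a DNSKEY record (RFC 4034, section 2).
type DNSKEY struct {
	Flags     uint16 // 257 = KSK (SEP bit set), 256 = ZSK
	Protocol  uint8  // always 3
	Algorithm uint8  // e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
	PublicKey []byte
}

// RDATA returns the wire-format RDATA: flags (big-endian), protocol, algorithm, raw public key.
func (k DNSKEY) RDATA() []byte {
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}, k.PublicKey...)
}

// ParseDNSKEY reads presentation format, e.g. "do.de. 3600 IN DNSKEY 257 3 13 <base64>",
// and returns the owner name and the decoded record.
func ParseDNSKEY(line string) (owner string, k DNSKEY, err error) {
	f := strings.Fields(line)
	i := 0
	for i < len(f) && f[i] != "DNSKEY" {
		i++
	}
	if i == 0 || len(f) < i+5 {
		return "", k, fmt.Errorf("not a DNSKEY record: %q", line)
	}
	var flags, proto, alg int
	if _, err = fmt.Sscan(strings.Join(f[i+1:i+4], " "), &flags, &proto, &alg); err != nil {
		return "", k, err
	}
	k = DNSKEY{Flags: uint16(flags), Protocol: uint8(proto), Algorithm: uint8(alg)}
	k.PublicKey, err = base64.StdEncoding.DecodeString(strings.Join(f[i+4:], "")) // base64 may be split
	return f[0], k, err
}

// KeyTag implements RFC 4034 Appendix B (all algorithms but the obsolete RSAMD5): a 16-bit
// checksum of the RDATA that RRSIG and DS records use to name a key. It is an identifier, not a MAC.
func KeyTag(k DNSKEY) uint16 {
	var ac uint32
	for i, b := range k.RDATA() {
		if i%2 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// wireName encodes an owner name in canonical wire form: lower case, length-prefixed labels, root = 0x00.
func wireName(name string) []byte {
	var out []byte
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	if name != "" {
		for _, label := range strings.Split(name, ".") {
			out = append(append(out, byte(len(label))), label...)
		}
	}
	return append(out, 0)
}

// DS derives the DS record (digest type 2 = SHA-256) the parent must publish for this KSK:
// SHA-256 over the canonical owner name followed by the DNSKEY RDATA (RFC 4034, section 5.1.4).
func DS(owner string, k DNSKEY) string {
	sum := sha256.Sum256(append(wireName(owner), k.RDATA()...))
	return fmt.Sprintf("%s IN DS %d %d 2 %s", owner, KeyTag(k), k.Algorithm, strings.ToUpper(hex.EncodeToString(sum[:])))
}

// DSMatches is the setup check of step 5: does the DS published in the parent agree with the KSK in the
// child's DNSKEY RRset? Key tag, algorithm, digest type and digest (the last four fields) must all match.
// Only digest type 2 is derived here, so a parent DS using SHA-1 or SHA-384 reports false.
func DSMatches(parentDS, owner string, k DNSKEY) bool {
	got, want := strings.Fields(parentDS), strings.Fields(DS(owner, k))
	if len(got) < 4 {
		return false
	}
	return strings.EqualFold(strings.Join(got[len(got)-4:], " "), strings.Join(want[len(want)-4:], " "))
}

func main() {
	// Constructed record: a 3-byte "key" (base64 AAEC = bytes 00 01 02) so the key-tag
	// arithmetic can be followed by hand; a real ECDSAP256SHA256 public key is 64 bytes.
	owner, k, err := ParseDNSKEY("do.de. 3600 IN DNSKEY 257 3 13 AAEC")
	if err != nil {
		panic(err)
	}
	fmt.Println("key tag:", KeyTag(k)) // 1551
	ds := DS(owner, k)
	fmt.Println(ds)
	fmt.Println("parent DS matches child KSK:", DSMatches(ds, owner, k))
	k.PublicKey[0] ^= 1 // the child rolled its KSK but the parent's DS was not updated
	fmt.Println("after key change:", DSMatches(ds, owner, k))
}
```

The last two lines of main show the failure mode a setup check has to catch: after a KSK rollover the DS in the parent must be replaced as well, otherwise validating resolvers will reject the whole zone even though every signature in it is correct.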
DNSSEC is essential for DNS security
DNSSEC is an important step towards enhancing the security of your online presence and protecting your domain from potential threats. By authenticating DNS data, users can be confident that they are receiving the correct information.
Whether for a personal website or a professional site: if you are a domain owner or responsible for domain management in your business, DNSSEC is a crucial strategic decision to strengthen your customers' trust and ensure the security of your online services.
Domain-Offensive automates DNSSEC for its customers
Looking to secure your domain with DNSSEC but concerned about the technical effort? Look no further: Domain-Offensive customers receive full DNSSEC support when using the provider's nameservers.
Activating DNSSEC is just a click away during the ordering process of a new domain - provided that the respective registry supports DNSSEC. Subsequently, all DNS records and DNSKEYs are automatically set by the system and stored with the registry. Done! Find more information on setting up DNSSEC here.