Every time someone tries to visit your website, they are directed there by the Domain Name System (DNS). While DNS is the directory service for the internet, it is unfortunately open to a range of attacks that can impact your online presence. A critical function of DNS is making sure your visitors arrive at your site and not an imposter's. Without adequate protection, though, that is exactly what can happen. Understanding and preventing these attacks is part of managing your external attack surface. An effective measure against them is adopting a standard called DNSSEC. While it isn't the easiest protocol to understand, it has at least become easier to implement.
What is the Domain Name System?
At its most basic, DNS is used to translate domain names into numeric Internet addresses – as an example www.google.co.nz to 142.250.204.4.
What are the security challenges with DNS?
DNS dates back to the 1980s and was never designed with security in mind. As a result, it contains several weaknesses that leave it susceptible to various types of attack, including spoofing/hijacking, man-in-the-middle, and denial of service. DNS lookups are also sent in the clear, so they can be intercepted and tracked, which has a privacy impact.
Spoofing and hijacking are possibly the most dangerous of these issues, so we'll look at those further and leave the other attacks for a later post. In these attacks, an attacker forges DNS data or redirects DNS queries, sending your visitors to the attacker's own site. This fraudulent site may distribute malware or harvest credentials from your visitors.
What are DNS Security Extensions (DNSSEC)?
DNSSEC adds a cryptographic signature component to DNS. It is essentially a way to sign DNS records, allowing resolvers (the servers responsible for DNS lookups) to verify the integrity and authenticity of your DNS records, adding protection to the process. The signatures establish a chain of trust that extends up through the top-level domain (e.g. .com, .org) to the 'root servers' of the internet.
How does this work?
Every DNS zone (the set of records under one domain name) has a public/private key pair. The zone owner uses the zone's private key to sign the DNS data in the zone, generating digital signatures over that data. The private key is kept secret by the zone owner. The zone's public key, however, is published in the zone itself for anyone to retrieve. A DNS resolver that looks up data in the zone also retrieves the zone's public key and uses it to validate the authenticity of the DNS data.
How can the resolver trust that the public key is authentic? This is where things get a bit cunning. The zone's public key is itself vouched for by the parent zone: for example, Glasstrail.com's public key is signed by the .com zone's key. The actual mechanism is indirect (the parent publishes a signed hash of the child's key, the DS record covered under Implementing DNSSEC below), but it preserves a chain of trust all the way up to the 'trust anchor', which is the top-level key.
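To make the chain of trust concrete, here is an added example in Go (it is not Glasstrail's code and not a DNSSEC implementation): each zone has an Ed25519 key pair, signs its own records, and publishes a signed hash of its child's key the way a parent publishes a DS record; the resolver then walks from the trust anchor down to the record it wants. The zone names, addresses and keys are constructed, and real DNSSEC encodes all of this in DNSKEY, RRSIG and DS records with specific wire formats that the model leaves out.

```go
package main

// Added example, not Glasstrail's code: a miniature model of the DNSSEC chain
// of trust. Real DNSSEC carries these items in DNSKEY, RRSIG and DS records
// with wire-format canonicalisation; this keeps only the structure.
// All zone names, addresses and keys below are constructed.

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Zone is one DNS zone: its key pair, its signed records, and the DS data it
// publishes for its child zones.
type Zone struct {
	Name    string
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Records map[string]string // owner name -> A record value
	Sigs    map[string][]byte // owner name -> signature over that record
	DS      map[string][]byte // child zone -> SHA-256 of the child's public key
	DSSigs  map[string][]byte // child zone -> parent's signature over that DS
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, pub: pub, priv: priv,
		Records: map[string]string{}, Sigs: map[string][]byte{},
		DS: map[string][]byte{}, DSSigs: map[string][]byte{}}
}

// canon is the byte string that gets signed; lower-casing the owner name
// mirrors DNSSEC's canonical form so a case change cannot break validation.
func canon(owner, rtype, value string) []byte {
	return []byte(strings.ToLower(owner) + "|" + rtype + "|" + value)
}

// AddRecord publishes a record with the zone owner's signature over it.
func (z *Zone) AddRecord(owner, value string) {
	z.Records[owner] = value
	z.Sigs[owner] = ed25519.Sign(z.priv, canon(owner, "A", value))
}

// Delegate is what the parent does with the DS details you give the
// registrar: publish a hash of the child's public key and sign it.
func (z *Zone) Delegate(child *Zone) {
	d := sha256.Sum256(child.pub)
	z.DS[child.Name] = d[:]
	z.DSSigs[child.Name] = ed25519.Sign(z.priv, canon(child.Name, "DS", hex.EncodeToString(d[:])))
}

// Validate is the resolver's job: start at the trust anchor, check each
// child's key against its parent's signed DS, then check the record itself.
func Validate(anchor ed25519.PublicKey, chain []*Zone, owner string) (string, error) {
	if len(chain) == 0 || !chain[0].pub.Equal(anchor) {
		return "", errors.New("root key does not match the trust anchor")
	}
	for i := 1; i < len(chain); i++ {
		parent, child := chain[i-1], chain[i]
		ds, ok := parent.DS[child.Name]
		if !ok {
			return "", fmt.Errorf("%s: no DS record in parent %s", child.Name, parent.Name)
		}
		if !ed25519.Verify(parent.pub, canon(child.Name, "DS", hex.EncodeToString(ds)), parent.DSSigs[child.Name]) {
			return "", fmt.Errorf("%s: DS signature from %s does not verify", child.Name, parent.Name)
		}
		if got := sha256.Sum256(child.pub); !bytes.Equal(got[:], ds) {
			return "", fmt.Errorf("%s: zone key does not match the DS held by %s", child.Name, parent.Name)
		}
	}
	leaf := chain[len(chain)-1]
	value, ok := leaf.Records[owner]
	if !ok || !ed25519.Verify(leaf.pub, canon(owner, "A", value), leaf.Sigs[owner]) {
		return "", fmt.Errorf("%s: record missing or its signature does not verify", owner)
	}
	return value, nil
}

// BuildDemo sets up root -> com. -> example.com. (constructed) and returns
// the root's public key as the trust anchor.
func BuildDemo() (ed25519.PublicKey, []*Zone) {
	root, com, ex := NewZone("."), NewZone("com."), NewZone("example.com.")
	ex.AddRecord("www.example.com.", "192.0.2.10")
	com.Delegate(ex)
	root.Delegate(com)
	return root.pub, []*Zone{root, com, ex}
}

func main() {
	anchor, chain := BuildDemo()
	fmt.Println(Validate(anchor, chain, "www.example.com."))
	// A spoofed answer: same owner name, different address, no valid signature.
	chain[2].Records["www.example.com."] = "198.51.100.99"
	fmt.Println(Validate(anchor, chain, "www.example.com."))
}
```

The first line printed is the validated address; the second shows the forged record being rejected because no signature from the zone's key covers it. A zone whose key was never delegated by its parent fails in the same way, since its key does not match any DS the parent signed. A real validating resolver performs this walk for every answer and marks the result with the AD (authenticated data) flag.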
Implementing DNSSEC
There are two key places to configure DNSSEC – the domain registrar and the name server service. If you are using the same provider for both services, then you will likely find turning on DNSSEC is as simple as selecting the option in your DNS provider settings.
If you're not using the same provider for both, there are some more settings to configure. Your domain's registrar points to the name servers you are using, and it needs to be told about your DNSSEC settings too. Typically, you enable DNSSEC on your name server service, which then provides you with the DS (Delegation Signer) record details; you add these at your registrar alongside the name servers you are using.
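Before entering the DS details at the registrar it is worth confirming they match the DNSKEY your name servers actually publish. The following is an added example in Go (not Glasstrail's code): it parses a DNSKEY record in the form a provider or `dig` shows it, computes the key tag and the SHA-256 digest the way RFC 4034 specifies (digest over the owner name in canonical wire form followed by the DNSKEY RDATA), and prints the resulting DS record. The DNSKEY line in main is constructed with a zero-filled key, so its output is only a format illustration; substitute your own KSK line to compare against what the provider reports.

```go
package main

// Added example, not Glasstrail's code: compute the DS (Delegation Signer)
// record for a DNSKEY, following RFC 4034 (key tag: Appendix B; DS digest:
// section 5.1.4, SHA-256 over owner name in canonical wire format + RDATA).
// The DNSKEY line in main is constructed and is not a real key.

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// DNSKEY holds the fields of a DNSKEY record in presentation format.
type DNSKEY struct {
	Owner     string
	Flags     uint16 // 257 = key-signing key (SEP bit set), 256 = zone-signing key
	Protocol  uint8  // always 3
	Algorithm uint8  // e.g. 8 RSA/SHA-256, 13 ECDSA P-256, 15 Ed25519
	Key       []byte
}

// ParseDNSKEY reads "owner [ttl] [IN] DNSKEY flags protocol algorithm base64...".
func ParseDNSKEY(line string) (DNSKEY, error) {
	f := strings.Fields(line)
	i := 0
	for i < len(f) && f[i] != "DNSKEY" {
		i++
	}
	// Need an owner before DNSKEY and flags, protocol, algorithm, key after it.
	if i == 0 || i+4 >= len(f) {
		return DNSKEY{}, errors.New("not a DNSKEY record")
	}
	flags, err1 := strconv.ParseUint(f[i+1], 10, 16)
	proto, err2 := strconv.ParseUint(f[i+2], 10, 8)
	alg, err3 := strconv.ParseUint(f[i+3], 10, 8)
	key, err4 := base64.StdEncoding.DecodeString(strings.Join(f[i+4:], ""))
	for _, err := range []error{err1, err2, err3, err4} {
		if err != nil {
			return DNSKEY{}, err
		}
	}
	return DNSKEY{Owner: f[0], Flags: uint16(flags), Protocol: uint8(proto),
		Algorithm: uint8(alg), Key: key}, nil
}

// RData is the DNSKEY RDATA in wire format: flags (2 bytes), protocol, algorithm, key.
func (k DNSKEY) RData() []byte {
	out := []byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}
	return append(out, k.Key...)
}

// KeyTag is RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian words and
// fold the carry back in. (The special case for the obsolete algorithm 1 is omitted.)
func KeyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		if i%2 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// OwnerWire is the canonical wire form of an owner name: lower-case,
// length-prefixed labels, terminated by a zero byte.
func OwnerWire(name string) []byte {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	var out []byte
	if name != "" {
		for _, label := range strings.Split(name, ".") {
			out = append(out, byte(len(label)))
			out = append(out, label...)
		}
	}
	return append(out, 0)
}

// DSRecord returns the DS record (digest type 2 = SHA-256) in presentation form.
func DSRecord(k DNSKEY) string {
	rdata := k.RData()
	digest := sha256.Sum256(append(OwnerWire(k.Owner), rdata...))
	return fmt.Sprintf("%s IN DS %d %d 2 %X", k.Owner, KeyTag(rdata), k.Algorithm, digest[:])
}

func main() {
	// Constructed KSK line: algorithm 15 with a 32-byte zero key. Not a real key.
	line := "example.com. 3600 IN DNSKEY 257 3 15 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
	k, err := ParseDNSKEY(line)
	if err != nil {
		panic(err)
	}
	fmt.Println(DSRecord(k))
}
```

Compare the key tag, algorithm and digest printed here with the DS values the registrar shows for the domain; a mismatch means the parent will vouch for a key your zone is not actually signed with, and resolvers will treat the zone as broken rather than as unsigned.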
For more details on how to set up DNSSEC on these providers:
How can Glasstrail help?
Glasstrail treats your domain name as an integral part of your external posture. We verify the DNSSEC configuration for your domain name and, if everything appears to be in order, give you a green tick to indicate a successful implementation.
By scanning your attack surface regularly with Glasstrail you can spot when new domains or subdomains are added to your attack surface, so you can ensure these also get DNSSEC enabled.