For the past couple of weeks, we’ve been working hard to introduce the DNSSEC feature to our customers – and now it’s finally available to the world.
To use the Internet, every device starts with DNS. When you open a web page, say leaseweb.com, your browser needs to know the IP (Internet Protocol) address of leaseweb.com. To get that address, the browser asks a recursive (caching) DNS server. The job of DNS is to translate human-friendly names into IP addresses.
When you type leaseweb.com in your browser and hit “Enter”, your browser asks a recursive DNS server about the IP address for leaseweb.com. The DNS server responds with an IP address, and your browser then connects to that IP, asks for the website, and the website appears on your screen.
Where Did DNS Come From?
DNS is an old protocol from the early days of the Internet, back in the 1980s when the Internet was smaller and not everything was designed with security in mind.
In practice this means that your browser asks a recursive DNS server for an address, and that DNS server has to query an authoritative name server to get the data, cache it, and return the result to your browser. The communication between the recursive (caching) name server and the authoritative name server is not secured. An attacker can forge the response of the authoritative name server, and if the caching name server stores the spoofed data, it returns that spoofed data to you as well.
For example, if you try to open mybank.com and the caching name server your PC (browser) is configured to use has cached a spoofed IP address for mybank.com, an attacker can serve a fake website that looks like the real mybank.com without raising any suspicion. You enter your banking credentials, and the attacker now has your banking information and may steal money or other critical information from you or your company.
The IETF (Internet Engineering Task Force) began working on a solution in the 1990s, and the result is DNSSEC, the DNS Security Extensions.
DNSSEC uses signatures based on public-key cryptography. With DNSSEC, DNS data is signed by its owner.
Every zone (or domain) has a public/private key pair. The owner uses the private key to sign the DNS data, creating a digital signature over it. The owner of the zone also publishes the public key, so that any recursive DNS server can retrieve it and use it to validate the authenticity of the DNS data.
If the data is valid, the recursive name server returns it to the user; if the data is not valid, it treats the response as an attack and disregards the data.
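To make the signing and validation steps concrete, here is an added example (not part of the original post or of Leaseweb's software) in Go: a zone owner signs an A record set with an Ed25519 key (DNSSEC algorithm 15), and a validating resolver accepts the genuine answer but drops a forged one. The RRset type, the canonical serialisation and the function names are my own simplifications and not the RFC 4034 wire format; the key pair and addresses are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)
// RRset is one owner name and record type with all its records, the unit that
// DNSSEC signs (a single record is never signed on its own).
type RRset struct {
	Name, Type string
	Records    []string
}

// canonical serialises an RRset the same way on signer and validator (owner name
// lower-cased, records sorted); a simplified stand-in for the RFC 4034 wire form.
func canonical(rr RRset) []byte {
	recs := append([]string(nil), rr.Records...)
	sort.Strings(recs)
	return []byte(strings.ToLower(rr.Name) + "|" + rr.Type + "|" + strings.Join(recs, ","))
}

// signRRset is the zone owner's step; the private key never leaves the owner.
func signRRset(priv ed25519.PrivateKey, rr RRset) []byte {
	return ed25519.Sign(priv, canonical(rr))
}

// resolverAnswer is the recursive resolver's step: verify with the published
// public key, return valid data, and drop anything else as an attack.
func resolverAnswer(pub ed25519.PublicKey, rr RRset, sig []byte) ([]string, bool) {
	if !ed25519.Verify(pub, canonical(rr), sig) {
		return nil, false
	}
	return rr.Records, true
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed zone key pair
	if err != nil {
		panic(err)
	}
	genuine := RRset{Name: "mybank.com.", Type: "A", Records: []string{"192.0.2.10"}}
	sig := signRRset(priv, genuine)
	forged := RRset{Name: "mybank.com.", Type: "A", Records: []string{"203.0.113.99"}}
	_, okGenuine := resolverAnswer(pub, genuine, sig)
	_, okForged := resolverAnswer(pub, forged, sig) // reuses the real signature
	fmt.Println("genuine accepted:", okGenuine, "forged accepted:", okForged) // true false
}
```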
What Is the Value for Me or My Business?
Using DNSSEC for your domain ensures that an attacker cannot forge your domain's DNS data and steal information from your customers.
Here at Leaseweb, we made sure you can enable DNSSEC for your domain easily with just one click. Want to know more? Open your Leaseweb Customer Portal, go to Hosting, and for any domain under Domain Management, click on DNS Records. You can see DNSSEC and its status at the top right of the page. With a single click, you can now enable or disable DNSSEC for your domain.
This blog was written by Farshad Nematdoust, Software Engineer at Leaseweb.