What is DNSSEC?
Domain Name System Security Extensions (DNSSEC) is a suite of extensions for the Domain Name System (DNS). They are used to prevent the malicious manipulation in resolving names to IP addresses.
A definition of DNSSEC
Attacks on the DNS are among the greatest threats in the modern internet landscape. The name resolution technology maps domain names to the corresponding IP addresses for things like websites, VoIP, e-mail, and streaming services. Only by successfully resolving names do web browsers on smartphones or PCs, for example, know which web servers hold the content for a specific website. However, since the DNS dates back to the dawn of the internet, the technology itself does not include any security features for defending against attacks or sabotage attempts. Moreover, DNS queries are transmitted unencrypted on the network with no verification. This is why cybercriminals are able to abuse the DNS as a powerful weapon, for example for DDoS attacks, which are even amplified by the DNS. DNSSEC was developed to address these and other threats.
How does DNSSEC work?
DNSSEC uses cryptographic methods to detect manipulations during name resolution. The DNS security extension uses public-key cryptography for validation: DNS records are digitally signed by the zone owner, which authenticates their source and reliably exposes even the smallest modification to a domain entry. DNS resolvers use this signature to check that the information they receive is identical to the data published by the zone owner and served on an authoritative DNS server. The levels of the DNS hierarchy are linked by hash matching: the resolver compares the hash values it receives from the parent zone with the values it calculates itself from the child zone's key. If the values match, the check continues along the chain of trust up to the highest authority (the trust anchor). DNSSEC uses this process to verify the integrity of the data returned during name resolution.
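The chain-of-trust walk described above, as an added example that is not part of the original article and not code from any DNS software: a three-level hierarchy (root, a constructed TLD "test.", and "example.test.") is built with constructed Ed25519 keys (DNSSEC algorithm 15, RFC 8080), and a resolver-side `Validate` function checks at every level that the zone's DNSKEY hashes to the DS value the parent vouched for (the DS digest is computed exactly as RFC 4034 section 5.1.4 specifies, SHA-256 over the owner name in wire format followed by the DNSKEY RDATA) and that every record used carries a valid signature from that key. The model is deliberately simplified: one key per zone instead of separate key-signing and zone-signing keys, and the signed byte string (`rrBytes`) omits the TTL, validity window and key tag that a real RRSIG covers. All type and function names are this example's own, and the IP addresses come from the documentation ranges.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

// wireName encodes an owner name in canonical wire format (lowercase labels, each
// length-prefixed, terminated by a zero byte), the form RFC 4034 hashes for a DS record.
func wireName(name string) []byte {
	var b []byte
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	if name != "" {
		for _, label := range strings.Split(name, ".") {
			b = append(b, byte(len(label)))
			b = append(b, label...)
		}
	}
	return append(b, 0)
}

// DNSKEY models a DNSKEY record: flags (257 = key-signing key), algorithm, public key.
type DNSKEY struct {
	Owner  string
	Flags  uint16
	Alg    uint8 // 15 = Ed25519 (RFC 8080)
	PubKey ed25519.PublicKey
}

// rdata is the DNSKEY RDATA in wire order: flags, protocol (always 3), algorithm, key.
func (k DNSKEY) rdata() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, k.Flags)
	b.WriteByte(3)
	b.WriteByte(k.Alg)
	b.Write(k.PubKey)
	return b.Bytes()
}

// dsDigest is the DS digest of RFC 4034 section 5.1.4 with SHA-256 (digest type 2):
// hash(owner name in wire format | DNSKEY RDATA). The parent publishes this value,
// the resolver recomputes it from the child's DNSKEY and compares.
func dsDigest(k DNSKEY) []byte {
	h := sha256.New()
	h.Write(wireName(k.Owner))
	h.Write(k.rdata())
	return h.Sum(nil)
}

// rrBytes is the byte string a signature covers in this simplified model (assumption:
// a real RRSIG also covers TTL, validity window and key tag).
func rrBytes(owner, rtype string, data []byte) []byte {
	return append(append(wireName(owner), rtype...), data...)
}

// ZoneData is what a validating resolver fetches from one zone: the DNSKEY and its
// signature, the signed DS delegating to the child, and in the leaf zone the signed A record.
type ZoneData struct {
	Name       string
	Key        DNSKEY
	KeySig     []byte // signature over the DNSKEY, made with the zone's own key
	ChildDS    []byte // DS digest of the child's DNSKEY (nil in the leaf zone)
	ChildDSSig []byte
	AName      string // leaf zone only
	AData      string
	ASig       []byte
}

// Validate walks the chain of trust from the root (whose DS value is the configured
// trust anchor) down to the requested A record. Any hash mismatch or bad signature stops resolution.
func Validate(chain []ZoneData, trustAnchor []byte) (string, error) {
	expectedDS := trustAnchor
	for i, z := range chain {
		if !bytes.Equal(dsDigest(z.Key), expectedDS) {
			return "", fmt.Errorf("zone %q: DNSKEY does not match DS from parent/trust anchor", z.Name)
		}
		if !ed25519.Verify(z.Key.PubKey, rrBytes(z.Name, "DNSKEY", z.Key.rdata()), z.KeySig) {
			return "", fmt.Errorf("zone %q: invalid signature over DNSKEY", z.Name)
		}
		if i < len(chain)-1 { // delegation: the signed DS becomes the expectation for the child
			child := chain[i+1].Name
			if !ed25519.Verify(z.Key.PubKey, rrBytes(child, "DS", z.ChildDS), z.ChildDSSig) {
				return "", fmt.Errorf("zone %q: invalid signature over DS for %q", z.Name, child)
			}
			expectedDS = z.ChildDS
			continue
		}
		if !ed25519.Verify(z.Key.PubKey, rrBytes(z.AName, "A", []byte(z.AData)), z.ASig) {
			return "", fmt.Errorf("zone %q: invalid signature over A record %q", z.Name, z.AName)
		}
		return z.AData, nil
	}
	return "", fmt.Errorf("empty chain")
}

// newZone creates a zone with a deterministic, constructed Ed25519 key and self-signs its DNSKEY.
func newZone(name string, seed byte) (ZoneData, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	key := DNSKEY{Owner: name, Flags: 257, Alg: 15, PubKey: priv.Public().(ed25519.PublicKey)}
	z := ZoneData{Name: name, Key: key}
	z.KeySig = ed25519.Sign(priv, rrBytes(name, "DNSKEY", key.rdata()))
	return z, priv
}

// BuildChain constructs root -> "test." -> "example.test." with constructed keys and
// returns the chain together with the trust anchor (the DS digest of the root key).
func BuildChain() ([]ZoneData, []byte) {
	root, rootPriv := newZone(".", 1)
	tld, tldPriv := newZone("test.", 2)
	leaf, leafPriv := newZone("example.test.", 3)
	root.ChildDS = dsDigest(tld.Key)
	root.ChildDSSig = ed25519.Sign(rootPriv, rrBytes(tld.Name, "DS", root.ChildDS))
	tld.ChildDS = dsDigest(leaf.Key)
	tld.ChildDSSig = ed25519.Sign(tldPriv, rrBytes(leaf.Name, "DS", tld.ChildDS))
	leaf.AName, leaf.AData = "www.example.test.", "192.0.2.10" // constructed answer
	leaf.ASig = ed25519.Sign(leafPriv, rrBytes(leaf.AName, "A", []byte(leaf.AData)))
	return []ZoneData{root, tld, leaf}, dsDigest(root.Key)
}

func main() {
	chain, anchor := BuildChain()
	ip, err := Validate(chain, anchor)
	fmt.Println("genuine chain:", ip, err)
	tampered := append([]ZoneData(nil), chain...) // answer altered in transit, signature unchanged
	tampered[2].AData = "198.51.100.1"
	_, err = Validate(tampered, anchor)
	fmt.Println("tampered A record:", err)
}
```

The two failure paths worth noting: an altered A record fails the signature check at the leaf, while an attacker-substituted DNSKEY for "example.test." fails earlier, because its DS digest does not match the value signed in "test.", which is exactly the hash matching the text refers to.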
What does DNSSEC protect against?
Attacks and sabotage attempts on the DNS pose an enormous threat. A global DNS hijacking campaign last made headlines in 2019. At that time, the Internet Corporation for Assigned Names and Numbers (ICANN) issued an urgent warning about the attacks, which targeted dozens of domains belonging to government, telecommunications, and internet infrastructure organizations in Europe, North America, North Africa, and the Middle East. Political actors are believed to have been behind the attacks, pursuing primarily political goals with the global campaign.
By means of DNS hijacking, attackers are able to redirect regular requests for web pages without detection, e.g., to obtain user credentials on fake web pages, to spread malware, or to dox political/ideological opponents. DNS hijacking can also be used to censor access to specific websites.
How widespread is DNSSEC?
The go-ahead for DNSSEC was given in 1999, but the DNS security extension has not yet gained global acceptance. This was in no small part due to teething troubles that required extensive improvements. The original version of DNSSEC (RFC 2535) had to be revised to simplify key management and to eliminate compatibility problems with existing software. It was not until 2005 that the new version of the DNSSEC protocol was finally launched with the publication of RFC 4033, RFC 4034, and RFC 4035. In 2008, this was eventually followed by NSEC3 resource records (RFC 5155), an option to reduce the risk of zone-walking attacks that had existed until then. Since 2010, DNSSEC has been deployed on all 13 root servers, and virtually all top-level domains now support the DNS security extension. Nevertheless, the global validation rate of DNSSEC is still below the 30 percent mark.
Complexity as a stumbling block for DNSSEC
One of the reasons for the slow adoption of DNSSEC is the high level of complexity associated with the use of the extension. It is not enough, for example, for root servers and the administrators of top-level domains to support the standard. For a successful integrity check, the domain name registrar, DNS server operator, and the internet access provider (resolver) must also support the standard and configure it in a coordinated manner.
DNSSEC in Germany
In Germany, or rather the .de zone, DNSSEC was introduced in 2011. The German Federal Office for Information Security (BSI) held a DNSSEC Day in 2015 to provide information and encourage adoption of the technology. The BSI also recommends the use of DNSSEC to secure digital communication in the technical guideline “Secure E-Mail Transport” (BSI TR-03108). According to the authority, business-critical domains in particular benefit from the additional layer of protection provided by DNSSEC. In Germany, it is primarily government agencies and organizations from highly regulated sectors (finance, insurance, healthcare, etc.) that rely on DNSSEC. According to APNIC Labs, the overall validation rate in Germany is above 50 percent, slightly higher than the Western European average.
What risks does DNSSEC pose?
The use of DNSSEC is not entirely uncontroversial. The lack of encryption in particular is frequently subject to criticism. DNSSEC only provides validation during name resolution to prevent manipulation. The requests themselves are still transmitted in plain text.
Much more serious, however, is the potential threat that DNSSEC poses to IT security on the internet. The DNS security extension can be targeted and exploited by cybercriminals for DDoS attacks. Because DNSSEC responses carry signatures and keys, DNSSEC-enabled name servers generate considerably larger responses than conventional DNS queries produce. This makes validating DNS servers particularly well-suited to amplifying reflection attacks. In these types of attacks, cybercriminals use spoofing to forward their malicious botnet queries to the target via a DNS service. This massively increases the attack volume and at the same time conceals the origin of the attack. In practice, DDoS attacks can be amplified by more than fifty times using DNSSEC.
At the same time, the use of DNSSEC makes DNS servers themselves more vulnerable to DDoS attacks, since validation creates a higher load. This leaves less residual capacity free, which is used up more quickly in the event of an attack.
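The amplification effect described in the two paragraphs above is something an operator can measure on the authoritative side. As an added example that is not part of the original article and not code from any DNS server, the block below aggregates constructed query-log lines (the `src=... qtype=... req=... resp=...` format is an assumption of this example, not a real product's log format) per source address, computes the ratio of bytes sent back to bytes received, and lists sources that combine a high query count with a high ratio. Such a source is typically the spoofed address of a reflection victim, so the fitting reaction is response rate limiting (RRL) for that address, not a block.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample lines in the shape of an authoritative server's query log
// (source address, query type, query name, request and response size in bytes).
// These are not real log entries; the addresses come from the documentation ranges.
const sampleLog = `src=198.51.100.7 qtype=ANY qname=example.test. req=68 resp=3400
src=203.0.113.9 qtype=A qname=www.example.test. req=60 resp=120
src=198.51.100.7 qtype=ANY qname=example.test. req=68 resp=3400
src=198.51.100.7 qtype=DNSKEY qname=example.test. req=68 resp=3400
src=203.0.113.9 qtype=AAAA qname=www.example.test. req=60 resp=132
src=198.51.100.7 qtype=ANY qname=example.test. req=68 resp=3400
src=198.51.100.7 qtype=ANY qname=example.test. req=68 resp=3400`

// SourceStats aggregates the traffic attributed to one source address.
type SourceStats struct {
	Queries   int
	ReqBytes  int
	RespBytes int
}

// Amplification is the ratio of bytes the server sent back to bytes it received.
func (s SourceStats) Amplification() float64 {
	if s.ReqBytes == 0 {
		return 0
	}
	return float64(s.RespBytes) / float64(s.ReqBytes)
}

// parseLine extracts the source address and the two sizes from one key=value log line.
func parseLine(line string) (src string, req, resp int, ok bool) {
	for _, field := range strings.Fields(line) {
		kv := strings.SplitN(field, "=", 2)
		if len(kv) != 2 {
			continue
		}
		var err error
		switch kv[0] {
		case "src":
			src = kv[1]
		case "req":
			req, err = strconv.Atoi(kv[1])
		case "resp":
			resp, err = strconv.Atoi(kv[1])
		}
		if err != nil {
			return "", 0, 0, false
		}
	}
	return src, req, resp, src != "" && req > 0
}

// Aggregate builds per-source statistics from a block of log lines, skipping malformed ones.
func Aggregate(log string) map[string]SourceStats {
	stats := make(map[string]SourceStats)
	for _, line := range strings.Split(log, "\n") {
		src, req, resp, ok := parseLine(line)
		if !ok {
			continue
		}
		s := stats[src]
		s.Queries++
		s.ReqBytes += req
		s.RespBytes += resp
		stats[src] = s
	}
	return stats
}

// ReflectionCandidates returns, sorted, the sources that sent at least minQueries
// queries and received at least minFactor times as many bytes back as they sent.
func ReflectionCandidates(stats map[string]SourceStats, minQueries int, minFactor float64) []string {
	var out []string
	for src, s := range stats {
		if s.Queries >= minQueries && s.Amplification() >= minFactor {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	stats := Aggregate(sampleLog)
	for _, src := range ReflectionCandidates(stats, 3, 10) {
		s := stats[src]
		fmt.Printf("%s: %d queries, %.1fx amplification, %d bytes sent back\n",
			src, s.Queries, s.Amplification(), s.RespBytes)
	}
}
```

With the constructed sample, 198.51.100.7 reaches a factor of 50 (the order of magnitude the text cites) while the ordinary A and AAAA lookups from 203.0.113.9 stay near 2 and are not listed; in production the thresholds would be tuned per zone and evaluated over a time window rather than over a whole file.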
What you need to know about DNSSEC
DNSSEC is a suite of security extensions that performs authentication of the source during name resolution. The technology can be used to validate the integrity of web servers and the connections established with them. This ensures that a specific domain is in fact assigned to the correct web server. Sabotage attempts can thus be detected and thwarted. DNSSEC can also be used to safeguard the integrity of digital communication via e-mail or VoIP.
However, due to its considerable complexity and a number of teething problems, the standard has not yet gained global acceptance. Nevertheless, a general trend towards its adoption can be observed.
Organizations from sensitive sectors in particular are increasingly turning to DNSSEC, especially when it comes to securing business-critical domains.
The lack of encryption is often seen as one of the shortcomings of DNSSEC. In addition, DDoS attacks, both from and to DNSSEC-validating DNS servers, pose a significant potential threat. Cybercriminals are able to abuse the technological features of the standard to amplify and conceal their attacks. At the same time, DNSSEC-validating DNS servers are more vulnerable to DDoS attacks because they must cope with a higher computational load during name resolution.
If you are interested in further information, we will gladly send you our product sheet free of charge.
How Myra DDoS Protection can reliably secure your website or web application against all DDoS attack vectors:
- How is the protection activated in case of attack?
- What are the advantages of the Myra protection solution?
- What are the features of Myra DDoS Protection for web applications?