DNS, by default, is not safe. Its purpose is to provide a decentralized model for domain resolution and to do it fast, because there are always billions of people online. Yes, the focus of the DNS is not safety. But there is a strong need for it, so here comes DNSSEC. DNSSEC is the security extension that gives us a good level of protection.
What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) is an extension, on top of the DNS, that encrypts the DNS records that we use to communicate with the name servers. That way, even if somebody intercepts those DNS records, they will be encrypted and unreadable to them. So the cybercriminals will be left with pointless random text in their hands.
DNSSEC provides security to the DNS in a simple and effective way.
Why is it important for you?
There are two main reasons why DNSSEC is so important:
1. Using DNSSEC, you can be sure that the DNS data (the DNS records) has not been modified. Imagine a cybercriminal changing the DNS records on their way to the client. The client could receive a modified A record that leads to another server controlled by the bad actor, where his or her data can be stolen. This reduces the possibility of DNS cache poisoning.
2. Source DNS data authentication. Using DNSSEC, you can be sure about the real source of the data and that it is the correct authoritative name server. It stops fake servers from passing themselves off as the real one.
DNSSEC, how it works.
DNSSEC is a chain of trust that goes from the root level down and secures each step down.
The root holds the key for the level below it, the TLD; the TLD holds the key for the domain name, and the domain name holds the key for the subdomain.
It uses cryptography to sign each zone with a private key, and there is a public one for decrypting it. The private key should not be shared, and the public key is published in DNS records in the zone for unlocking that zone.
When a recursive DNS server requests DNS data, it gets the data and the public key with it. It uses the key to unlock the DNS records by validating the data. If it cannot do so for some reason, it returns an error message to the user.
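As an added example (not code from the original post), here is the chain of trust described above modelled in Go: each zone signs its records with a private key and publishes the public key as its DNSKEY, the parent zone carries a DS record (a hash of the child's DNSKEY), and a validating resolver walks from the root trust anchor down, returning an error for any zone whose key or signature does not check out. The zone names and records are constructed sample data, and the use of Ed25519 and SHA-256 over plain strings is a simplification of the real DNSSEC record formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is a toy signed zone: records, the public key published as DNSKEY, the RRSIG
// made with the private key, and one DS (hash of the child's DNSKEY) per delegation.
type Zone struct {
	Name, Records string // Records holds constructed sample data
	Key           ed25519.PublicKey
	RRSIG         []byte
	DS            map[string][32]byte
}
// SignZone generates the key pair and signs the records; the private key stays with the owner.
func SignZone(name, records string) (*Zone, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{name, records, pub, ed25519.Sign(priv, []byte(records)), map[string][32]byte{}}, priv
}

// Delegate publishes the child's DS record in the parent zone (the step done at the registrar).
func Delegate(parent, child *Zone) { parent.DS[child.Name] = sha256.Sum256(child.Key) }
// Validate acts as the validating resolver: from the root trust anchor down, match each
// DNSKEY against the DS in its parent and verify each RRSIG; any mismatch is an error.
func Validate(anchor ed25519.PublicKey, chain []*Zone) error {
	if len(chain) == 0 || !chain[0].Key.Equal(anchor) {
		return fmt.Errorf("root DNSKEY does not match the trust anchor")
	}
	for i, z := range chain {
		if i > 0 && chain[i-1].DS[z.Name] != sha256.Sum256(z.Key) {
			return fmt.Errorf("%s: DNSKEY does not match DS in %s", z.Name, chain[i-1].Name)
		}
		if !ed25519.Verify(z.Key, []byte(z.Records), z.RRSIG) {
			return fmt.Errorf("%s: RRSIG does not verify, records were modified", z.Name)
		}
	}
	return nil
}

func main() {
	root, _ := SignZone(".", "com NS a.gtld-servers.net")
	tld, _ := SignZone("com", "example NS ns1.example.com")
	leaf, _ := SignZone("example.com", "www A 203.0.113.10")
	Delegate(root, tld)
	Delegate(tld, leaf)
	fmt.Println("intact:", Validate(root.Key, []*Zone{root, tld, leaf}))
	leaf.Records = "www A 198.51.100.66" // on-path change; the RRSIG no longer matches
	fmt.Println("tampered:", Validate(root.Key, []*Zone{root, tld, leaf}))
}
```

The first call returns nil; the second returns the RRSIG error for example.com, which is what a resolver turns into the error message the user sees.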
How to start using DNSSEC?
DNSSEC is not a pre-activated feature, and it is often not free.
First, you need a domain name that supports it. Not all TLDs support DNSSEC yet, but your registrar usually provides easily accessible information about this when you register a domain.
You might need to get a managed DNS provider. After that, the process is simple: activate DNSSEC for each zone you want, get the Delegation Signer record (DS record), and place it in the parent zone through your registrar. That completes the chain of trust.
DNSSEC is a simple way to fix the insecurity of the original DNS. It is easy to use, and it provides a lot of value. You get safer communication, usually at a very affordable price.