DNSSEC, or Domain Name System Security Extensions, is a set of security extensions to DNS (the Domain Name System) that assures DNS clients that the DNS data they receive from DNS servers is authentic.
Let's understand what DNSSEC actually is.
What is DNS?
When we want to visit a website, we simply type the URL of the website in the address bar of the browser and the webpage loads. We do not need to memorize the IP address of the website, because the name we typed is translated into an IP address for us. This process is called Domain Name Resolution, and the servers responsible for it are called DNS servers.
When we type the URL of a website in the address bar of the browser, our computer contacts Domain Name Servers, or DNS servers, to resolve the IP address of the website. These DNS servers are coordinated by ICANN, the Internet Corporation for Assigned Names and Numbers. Normally, our computer uses a DNS server operated by our ISP, or Internet Service Provider.
So, our computer sends a DNS query for the domain name in the URL to the DNS server, and the DNS server responds with the corresponding IP address. Using this IP address, the browser then opens the website.
Security concerns of DNS
In the early 1980s, when DNS was designed, there was not much consideration for security mechanisms in the protocol. Computers at that time were much less powerful, public key cryptography was a new concept, and the network was much smaller, with a small number of relatively well-known users. Later, usage of the Internet increased dramatically, and DNS became vulnerable, demanding that security mechanisms be applied to it.
There are a couple of major security concerns for DNS:
- DNS Hijacking - Our computer opens a website using the IP address that the DNS server has returned. In the case of DNS Hijacking, an attacker changes the DNS settings in a computer so that, whenever the computer makes a DNS query to resolve some IP address, a rogue DNS server controlled by the attacker is contacted instead of the actual DNS server used by our ISP. This normally happens when the computer is infected by malware such as the DNSChanger Trojan. The malware infects a computer and then changes the DNS settings, replacing the authentic DNS server with a malicious one. As a result, the victim computer obtains the IP address of the attacker's website instead of the intended IP address, and the browser ends up opening the malicious website. More information on DNS Hijacking can be found here: DNS Hijacking.
- DNS Cache Poisoning - A DNS cache is said to be poisoned when it stores a malicious entry instead of a valid one. For example, if we type google.com for the first time, our computer will make a DNS query to the appropriate DNS server and, once it gets a response, it will store the IP address of google.com in its DNS cache, together with a time-stamp up to which the entry remains valid. Within that time, if we type google.com again, our computer will look in its DNS cache for the entry instead of querying the DNS server again. In DNS Cache Poisoning, attackers use malicious tricks to make computers store malicious DNS entries containing the IP addresses of malicious webpages controlled by the attackers, so that the attackers can exploit that later. More information on DNS Cache Poisoning can be found here: DNS Cache Poisoning.
- When emails are transported from one mail server to another, the mail servers make DNS queries to get the IP addresses of the mail servers indicated in the corresponding email addresses. Attackers can play their trickery there as well and make the mail servers forward sensitive emails to the attackers' servers instead, after which the attackers can steal the sensitive data contained in the emails. More information on this type of attack can be found here: DNS Hijacking while transporting emails.
The above list is not exhaustive, though.
How does DNSSEC enhance the security of DNS?
A DNS query is resolved in stages. For example, when a computer makes a DNS query for www.somewebsite.com, the query is first asked of the root zone directory at the top level. The root identifies the .com directory service, which is then asked where to find information on somewebsite.com. Finally, the somewebsite.com directory service identified by .com is asked where to find the address for www.somewebsite.com.
The DNSSEC security extensions add a chain of digital signatures to the DNS hierarchy, using public key cryptography for that purpose.
Each level in the DNS hierarchy owns its own signature-generating keys, and each level signs the key of the level just below it.
So, for the example of www.somewebsite.com above, the root would sign .com's keys, .com would sign .somewebsite.com's keys, and .somewebsite.com would sign www.somewebsite.com's keys.
Since every key is validated by the one above it, the integrity of DNS data is maintained over the whole process of Domain Name Resolution, and DNS clients get only authentic DNS responses.
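The chain of trust described above, as an added Go model that is not part of the original article: each zone holds a key pair, signs its own records, and publishes a DS record (the hash of the child's key) for each delegation, and a validator walks from the root trust anchor down to www.somewebsite.com, rejecting a tampered record or a zone whose key the parent never vouched for. The names (Zone, Validate) and the record-and-signature layout are simplifications of real DNSSEC, where DS hashes the full DNSKEY RDATA and RRSIGs cover whole RRsets; Ed25519 is used because it is a real DNSSEC algorithm and ships in Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is one level of the hierarchy (root, com, somewebsite.com): its DNSKEY pair,
// the records it signs, and one DS record (hash of the child's DNSKEY) per delegation.
type Zone struct {
	Name    string
	Key     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Records map[string]string   // owner name -> RDATA, e.g. an A record's IP
	Sigs    map[string][]byte   // owner name -> RRSIG-style signature by this zone
	DS      map[string][32]byte // child zone name -> SHA-256 of the child's DNSKEY
}
func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // Ed25519 is DNSSEC algorithm 15
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Key: pub, priv: priv, Records: map[string]string{}, Sigs: map[string][]byte{}, DS: map[string][32]byte{}}
}
// AddRecord publishes a record and signs it with the zone's own key.
func (z *Zone) AddRecord(owner, rdata string) {
	z.Records[owner] = rdata
	z.Sigs[owner] = ed25519.Sign(z.priv, []byte(owner+"|"+rdata))
}
// Delegate is the parent committing to the child's key by publishing a DS record.
func (z *Zone) Delegate(child *Zone) { z.DS[child.Name] = sha256.Sum256(child.Key) }
// Validate walks from the trust anchor (the root key) down the chain: every DS must
// match the next zone's DNSKEY, and the leaf record's signature must verify.
func Validate(anchor ed25519.PublicKey, chain []*Zone, owner string) (string, error) {
	if len(chain) == 0 || !chain[0].Key.Equal(anchor) {
		return "", fmt.Errorf("apex key does not match the trust anchor")
	}
	for i := 1; i < len(chain); i++ {
		if ds, ok := chain[i-1].DS[chain[i].Name]; !ok || ds != sha256.Sum256(chain[i].Key) {
			return "", fmt.Errorf("DS in %q does not match DNSKEY of %q", chain[i-1].Name, chain[i].Name)
		}
	}
	leaf := chain[len(chain)-1]
	rdata, ok := leaf.Records[owner]
	if !ok || !ed25519.Verify(leaf.Key, []byte(owner+"|"+rdata), leaf.Sigs[owner]) {
		return "", fmt.Errorf("bogus or missing signature for %q", owner)
	}
	return rdata, nil
}
```

A resolver that validates this way treats a DS mismatch or a failed signature as a "bogus" answer and discards it, which is what blocks the poisoned and hijacked responses described earlier.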
DNSSEC implementation is quite complex and its adoption has been very slow. But once it is implemented, the Internet will be much more secure.
This article was intended to give a basic idea of DNSSEC. Hope you liked it.