Understanding DNS Security Extensions (DNSSEC)

DNS (Domain Name System)

DNS (Domain Name System) is a fundamental component of the internet that translates human-readable domain names (e.g., www.example.com) into numerical IP addresses (e.g., 192.0.2.1) that computers and servers use to communicate. 

When a user enters a domain name in a web browser, the browser sends a DNS query to a DNS resolver, which then contacts authoritative DNS servers to find the corresponding IP address for the domain. The resolver caches this information to expedite future queries.

DNSSEC (Domain Name System Security Extensions)

DNSSEC (Domain Name System Security Extensions) was created to enhance DNS security. While DNS efficiently directs users to the right websites, it lacks built-in mechanisms to ensure data integrity and authenticity. 

DNSSEC addresses this vulnerability by adding cryptographic signatures to DNS data, creating a chain of trust from the domain’s records to the root zone. 

Enabling DNSSEC prevents DNS-related attacks like DNS cache poisoning and DNS spoofing, allowing users to trust that the DNS responses they receive are genuine and have not been tampered with by malicious actors.

How DNSSEC Works

Let us start by explaining how DNSSEC (Domain Name System Security Extensions) works in simple terms:

1. Understanding DNS: The Domain Name System (DNS) is like a phonebook for the internet. When you type a domain name (e.g., example.com) into your web browser, the DNS translates it into the corresponding IP address (e.g., 192.0.2.1), allowing your device to connect to the correct server.
2. Vulnerabilities in DNS: Traditional DNS is susceptible to vulnerabilities, such as DNS spoofing or DNS cache poisoning. These attacks can redirect users to malicious websites without any indication, leading to potential data theft or other security breaches.
3. Introducing DNSSEC: DNSSEC is a set of security extensions designed to add an extra layer of protection to the DNS. It uses cryptographic signatures to verify the authenticity and integrity of DNS data, ensuring that users reach the correct website and not an imposter.
4. Signing DNS Records: With DNSSEC enabled, the DNS records of a domain are digitally signed by the domain owner’s private key. These signatures get added to the DNS records results when using a DNSSEC-aware resolver.
5. Validation of DNS Data: When a user’s device (e.g., computer or smartphone) tries to access a website, the DNS resolver (usually provided by the Internet Service Provider or set by the user, like Google Public DNS) checks the DNSSEC signatures on the domain’s records. If the signatures are invalid, the request gets marked SERVFAIL, and the resolver does not return an IP.
6. Chain of Trust: The DNS resolver then verifies the chain of trust from the domain’s DNS records all the way up to the root zone of the DNS. If all signatures are valid and the chain of trust is intact, the resolver knows that the DNS data is authentic. If the chain of trust is invalid, the request gets marked SERVFAIL, and the resolver does not return an IP.

Benefits of DNSSEC:

• Data Integrity: DNSSEC ensures that the DNS data remains unaltered during transit. Users can trust that they are accessing the correct website and not redirected to a fraudulent site.
• Authentication: DNSSEC verifies the authenticity of the DNS data, making it more difficult for attackers to impersonate a website.
• Trustworthiness: By implementing DNSSEC, domain owners demonstrate their commitment to internet security, increasing user confidence in their website.

Potential Negative Side Effects:

• Complex Implementation: Configuring DNSSEC can be a technical challenge and is not commonly used. If improperly configured, it may lead to misconfigurations and DNS resolution issues.
• Increased Packet Size: DNSSEC adds extra data to DNS responses, increasing the size of DNS packets. In some edge cases, this may cause DNS responses to exceed the maximum allowed size, leading to potential problems.
• Impact on Performance: DNSSEC introduces additional cryptographic computations during DNS resolution, which can cause a slight increase in DNS lookup times.

Overall, GreenGeeks believes that DNSSEC is a valuable security measure to protect against DNS attacks. 

DNSSEC implementation requires careful attention and consideration of potential side effects to ensure a consistent and secure browsing experience for users. 

If you have any concerns or questions about enabling DNSSEC for your domain on our GreenGeeks hosting platform, our Support Team will gladly assist you.

Verify DNSSEC Status

Verifying that DNSSEC is working for your domain involves performing a series of checks to ensure that DNSSEC signatures are in place, the chain of trust is valid, and DNSSEC validation is functioning correctly. 

Check Domain DNSSEC Status:

• • Use an online DNSSEC checker tool or a DNS lookup tool that supports DNSSEC validation such as DNS Viz & DNSSEC Analyzer
  • Enter your domain name and check if the DNSSEC status shows as “Secure” or “Insecure.” 
  • A “Secure” status means DNSSEC is implemented, and a “Not Secure”, “Insecure” or “No DS records found” indicates DNSSEC is not enabled on that domain.

Check DS Record at Parent Zone:

• • The DS records link your domain’s public key to the parent zone’s DNSKEY records, establishing the chain of trust.
  • Your domain’s DS (Delegation Signer) records get published in the parent zone (e.g., the .com parent zone for domain example.com). 
  • Use an online DNSSEC checker or DNS lookup tool to check if the DS records got configured in the parent zone. 

DNSSEC Chain of Trust:

• • DNSSEC operates based on a chain of trust from the root zone to the domain’s DNSKEY records. Validate the chain of trust using an online DNSSEC validation tool or DNSSEC-aware resolver. 
  • Be sure the DNSSEC validation passes verification & the chain of trust is complete.

Check DNSSEC Signature RRSIG Records:

• • RRSIG records contain the cryptographic signatures for DNSSEC-signed DNS records. 
  • Verify your RRSIG (Resource Record Signature) records using a DNS lookup tool. Ensure that the RRSIG records are present and correspond to the respective DNS records.

Test DNSSEC Validation:

• • Use a DNSSEC-aware resolver or a tool like “dig” (domain information groper) with DNSSEC validation enabled to resolve your domain. 
  • The DNSSEC-aware resolver should validate DNSSEC signatures and provide a successful or SERVFAIL response.

It’s important to note that DNSSEC might take time to propagate across the network, and DNS caches at various levels may also impact the immediate visibility of DNSSEC changes. 

After making any DNSSEC changes, allow some time for the changes to take effect and propagate throughout the global DNS infrastructure before re-verifying DNSSEC on your domain.

 

DNSSEC Client Support

Most clients, like web browsers, do not check DNSSEC status by default.  There are plugins and extensions that offer this functionality, but this will only impact the browser and not the entire system.

By using a DNSSEC-supported resolver, clients can enjoy the additional security benefits provided by DNSSEC without the need for complex configurations, as public DNS resolvers that support DNSSEC validation handle the cryptographic verification process transparently.

Here are some step-by-step directions for enabling DNSSEC on a device using a public DNS Resolver:

1. Identify Public DNS Resolvers with DNSSEC Support:
   • Identify public DNS resolvers that support DNSSEC validation.
     Popular options include Google Public DNS (8.8.8.8 and 8.8.4.4) and Cloudflare DNS (1.1.1.1 and 1.0.0.1).
2. Access Network Settings on the Client Device:
   • On the client device (e.g., computer, smartphone, or tablet), access the network settings.
   • The process for accessing network settings may vary based on the device’s operating system (e.g., Windows, macOS, iOS, Android).
3. Locate the DNS Resolver Settings:
   • Find the DNS resolver settings within the network settings. This is where you can specify the DNS server addresses used by that device for DNS resolution.
4. Change the DNS Resolver Settings:
   • Replace the existing DNS server addresses with the IP addresses of the public DNS resolvers that support DNSSEC.
   • For example, if you choose Google Public DNS, remove the existing servers & use 8.8.8.8 and 8.8.4.4 as the new DNS server addresses.
5. Save and Apply Changes:
   • Save the changes to the DNS resolver settings.
   • Depending on the device, you might need to click “Apply,” “Save,” or “OK” to confirm the changes.
6. Restart the DNS Resolver (Optional):
   • In some cases, restarting the DNS device may be necessary to ensure the new settings take effect immediately.
7. Verify DNSSEC Support:
   • After changing the DNS resolver settings, you can verify DNSSEC support by visiting websites that have enabled DNSSEC.
   • When using a DNSSEC-aware public resolver, it will validate DNS responses and only return trusted DNSSEC-signed data.
   • Test your DNSSEC support by visiting domains with a known-broken DNSSEC config such as:  https://www.rhybar.cz/ & http://www.dnssec-failed.org/
     • You should NOT be able to access these domains when using a DNSSEC-enabled resolver.

Enabling DNSSEC on the client device enhances DNS security by ensuring the authenticity and integrity of DNS data received from DNSSEC-enabled domains.

 

If you encounter any issues or have concerns about DNSSEC for your GreenGeeks-hosted domain, please open a Support Request Ticket from within your GreenGeeks Dashboard – Support – Open Ticket.