DNSSEC
DNSSEC (Domain Name System Security Extensions) is a suite of extensions to the DNS protocol that provides cryptographic authentication of DNS data, protecting users against attacks such as DNS spoofing and cache poisoning. Below is a detailed, structured explanation.
1. Why DNSSEC Exists
Traditional DNS has no built-in security:
- It does not verify authenticity
- Responses can be forged or tampered with
- Enables attacks such as:
  - Cache poisoning (redirect users to malicious sites)
  - Man-in-the-middle attacks
DNSSEC solves this by adding data integrity and origin authentication, not encryption.
2. Core Concept
DNSSEC uses public key cryptography to sign DNS records.
Key idea:
- DNS records are digitally signed
- Resolvers verify signatures using public keys
- Ensures:
  - The data came from the correct zone
  - The data has not been altered
3. Key Components
3.1 Resource Records (RRs)
DNSSEC introduces new record types:
- DNSKEY: the zone's public keys (ZSK and KSK), which resolvers use to verify signatures
- RRSIG: the digital signature over a set of records
- DS (Delegation Signer): held in the parent zone, it refers to the child zone's key and links the two zones in the chain of trust
- NSEC / NSEC3: prove that a name does not exist (see section 8)
3.2 Keys
Two types of keys are used:
1. Zone Signing Key (ZSK)
   - Signs actual DNS records
   - Used frequently
   - Rotated more often
2. Key Signing Key (KSK)
   - Signs the DNSKEY record set
   - Anchors trust to higher levels
   - Rotated less frequently
4. Chain of Trust
DNSSEC works through a hierarchical trust model:
Root Zone (.)
↓
TLD (Top Level Domain) (.com, .org)
↓
Domain (example.com)
How trust is built:
1. Root zone contains a trusted public key (trust anchor)
2. Root signs TLD keys
3. TLD signs domain keys
4. Domain signs its records
This creates a chain of trust from the root down to the queried domain.
5. DNSSEC Resolution Process
Here’s what happens when you query a DNSSEC-enabled domain:
Step-by-step:
1. User queries the resolver for a domain
2. Resolver asks the authoritative DNS server
3. Server returns:
   - Requested record (e.g., A record)
   - RRSIG (signature)
4. Resolver:
   - Retrieves DNSKEY
   - Verifies signature
5. Resolver checks chain:
   - Verifies DNSKEY using DS record from parent
   - Continues up to the root
If all checks pass → VALID
If any fail → BOGUS (rejected)
6. What DNSSEC Protects Against
DNSSEC prevents:
- DNS spoofing
- Cache poisoning
- Unauthorized record modification
Example attack stopped:
Without DNSSEC:
- bank.com → attacker IP
With DNSSEC:
- Signature mismatch → response rejected
7. What DNSSEC Does NOT Do
Important limitations:
- Does NOT encrypt traffic
- Does NOT provide confidentiality
- Does NOT hide queried domains
For privacy, you need:
- DNS over HTTPS (DoH)
- DNS over TLS (DoT)
8. Authenticated Denial of Existence
DNSSEC can prove that a domain does not exist.
Two mechanisms:
NSEC
- Lists the next valid domain
- Allows attackers to enumerate domains
NSEC3
- Uses hashing to obscure names
- Prevents easy zone walking
9. Key Rollover
Keys must be rotated periodically.
Types:
- ZSK rollover (frequent)
- KSK rollover (rare, carefully coordinated)
Improper rollover can break DNS resolution → domains become unreachable.
10. Validation States
A DNSSEC-aware resolver classifies responses as:
- Secure: the chain of trust validated from the trust anchor down to the answer (VALID above)
- Insecure: the zone is provably unsigned (the parent holds no DS for it), so the answer is treated as ordinary, unvalidated DNS data
- Bogus: a signature or chain check failed, so the answer is rejected
- Indeterminate: no trust anchor covers this part of the tree, so the resolver cannot judge
Deploying DNSSEC requires:
- Signed zones (DNS admin side)
- Validating resolvers (ISP or client side)
- Trust anchors (root key)
12. Advantages
- Strong protection against DNS-based attacks
- Maintains backward compatibility
- Enables higher trust in DNS
13. Challenges & Drawbacks
Technical challenges:
- Complex to configure
- Key management difficulties
- Risk of misconfiguration
Operational issues:
- Larger DNS responses (can cause fragmentation)
- Requires careful key rollovers
14. Example (Simplified)
Query: example.com A record
Response:
- A: 93.184.216.34
- RRSIG: <signature>
Resolver:
- Gets DNSKEY
- Verifies signature
- Validates chain up to root
Result: Authentic
15. DNSSEC vs Other Security Tools
DNSSEC (authenticity and integrity of DNS data) and transport protections such as DoH and DoT (confidentiality of queries, see section 7) complement each other; neither replaces the other.
16. Summary
DNSSEC:
- Adds cryptographic signatures to DNS
- Builds a chain of trust from root to domain
- Protects against spoofing and tampering
- Does not encrypt data