What is DNSSEC (Domain name system security extensions)?


One of the most recent defensive efforts concerns the Domain Name System (DNS), the protocol used on the Internet to convert user-friendly website names such as www.yahoo.com to the numeric IP addresses (such as 72.13.36.126) that are needed to route traffic. The DNS protocol was designed at a completely different time, when the Internet had a smaller and more reliable user base and security was a minor issue, so the Internet Engineering Task Force (IETF) designed a set of security extensions for it. These extensions are collectively referred to as the Domain Name System Security Extensions (DNSSEC), and they reduce two specific types of DNS attacks.

Introduction

Sometimes the world of Internet security is very similar to playing chess. On one side, hackers and criminals are constantly looking for weaknesses. On the other, security experts are constantly developing tactics to support and protect resources. Sometimes it becomes like an armed struggle, an endless war in which each side attacks and defends, tries to use smarter tactics than the other and constantly improves its strategies. If both parties are aware of a defect or vulnerability, it becomes very difficult either to exploit it or to eliminate it.

DNSSEC

As the Internet evolved from a network of researchers and academics into one that business depends on, some security researchers cleverly focused their expertise on exploring Internet vulnerabilities, so that hackers would not be the first to find these flaws. One of these researchers found and demonstrated a way to target a vulnerability in the DNS protocol. With the speed and ease with which vulnerabilities are now being exploited, and the resulting publicity, there is a growing desire for DNSSEC and a growing awareness of the need to use it.

How does DNSSEC work? Which vulnerabilities does it protect the network against? What is the next step that the technology and security industries must take to ensure adequate security and protection? According to a November 2010 IDG survey of 400 technical and security experts, only 50 percent of respondents were familiar with DNSSEC. The endgame is fairly clear: expanding DNSSEC requires a concerted effort between different groups. What does this effort involve, who carries it out, and what benefits can those industries expect from using DNSSEC properly?

How does DNSSEC protect DNS?

Here is a brief description of the DNS background. DNS uses a client/server model with the following elements.

STUB RESOLVER: This is the DNS client that looks up DNS information. You can find it on almost any device that connects to the Internet.

AUTHORITATIVE NAME SERVER: This term refers to the server that holds the DNS information.

RECURSIVE NAME SERVER: The stub resolver sends its DNS queries to a recursive name server, which performs the actual DNS lookups. It accepts DNS queries from all types of devices and tracks down the responses by sending its own DNS queries to multiple authoritative servers. Because answering a client's query may require multiple iterations, the recursive name server remembers, or caches, the results of all responses so that it can use this stored information to speed up later responses. Recursive name servers can be found wherever many Internet-connected devices require DNS resolution.

ISPs, for example, use recursive name servers to handle the queries of their broadband users, and companies run them to answer queries from their network devices.

DNSSEC adds a digital signature to the information stored within the DNS to increase security. This digital signature is checked and validated to verify the information, for example to verify that the IP address obtained after looking up a website name in DNS directs the user to the intended destination. DNSSEC ensures that the DNS data is authentic, so that Internet traffic (e-mail, exchanges with an e-commerce site or other Internet services) is routed to the appropriate servers and is not diverted to unauthorized sites by a criminal who tries to insert harmful or poisoned data to mislead end users.

An entity that performs DNS lookups also performs DNSSEC validation to verify the validity and integrity of the incoming data. The end-user system can also do this validation, but in current DNSSEC implementations validation is done on the recursive name server.
Without DNSSEC protection, end users may be redirected to a malicious site and enter sensitive information, such as job information, national codes or other national security numbers, on these unauthorized sites.

Because users are potentially exposed to identity theft and other damages, companies whose sites have been illegally copied are less confident that they can protect their users, as are the ISPs that end users rely on for Internet connections.

Using DNSSEC: a public effort

For DNSSEC to be successful, everyone on the Internet and in the DNS ecosystem must be involved in this group effort. The participants go beyond the registries, the operators that run certain top-level domains such as .edu and .org. Other participants include registrars, who register and manage second-level domain names, as well as ISPs, which interact with end users.

But that’s not all; other major players, including network device makers and software companies that make management tools and browsers, are also involved, with applications that need significant security updates.
Like any network application, or even the Internet itself, the more people take part, the more valuable it becomes; this is the “network effect.”

In partnership with the Internet Activities Association, ICANN (Internet Corporation for Assigned Names and Numbers), Verisign and the US E-Commerce Association began the process in July 2010 by signing the charter.

At least 50 top-level domains from specific countries have been signed with DNSSEC to date, and many more are on the way.
As expected, there has been less progress in the lower parts of the chain. According to Forrester Research in June 2010, there are still some technical concerns, namely how organizations should sign their DNS information and manage the keys needed for DNSSEC. In fact, DNSSEC deployment does not happen overnight.

Some major participants, especially hardware makers, have expressed concern that DNSSEC may cause some DNS response packets to exceed the standard DNS message size limit of 512 bytes. In such cases, DNSSEC packets are likely to be lost.
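The two points above, validation on the recursive name server and responses larger than 512 bytes, both show up in a few bits of the DNS message that a stub resolver can set and check. The following is an added example, not code from the original post: the bit positions come from the DNS, EDNS0 and DNSSEC specifications rather than from this page, and the function names, the 1232-byte buffer size and the sample replies are assumptions constructed for illustration.

```python
import struct

FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated: the answer did not fit in the UDP message
FLAG_AD = 0x0020  # Authenticated Data: the resolver validated the signatures
EDNS_DO = 0x8000  # "DNSSEC OK" bit, carried in the OPT record's TTL field
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qid, udp_size=1232):
    """A query with an EDNS0 OPT record: DO bit set, udp_size advertised."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # OPT pseudo-record: root name, TYPE, CLASS = UDP payload size, TTL = flags, RDLEN
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return header + question + opt

def classify_response(msg, expected_qid):
    """Interpret the header flags of a reply from the recursive name server."""
    if len(msg) < 12:
        return "malformed"
    qid, flags = struct.unpack("!HH", msg[:4])
    if qid != expected_qid or not flags & FLAG_QR:
        return "ignore"
    if flags & FLAG_TC:
        return "truncated: retry over TCP"
    rcode = flags & 0x000F
    if rcode == 2:
        return "SERVFAIL: possible DNSSEC validation failure"
    if rcode != 0:
        return "error: rcode %d" % rcode
    return "validated" if flags & FLAG_AD else "answered, not validated"

def sample_reply(qid, flags):
    """Constructed 12-byte reply header, used here as sample input."""
    return struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 1)

if __name__ == "__main__":
    query = build_query("www.example.com", 0x1234)
    print(len(query), "byte query, OPT record:", query[-11:].hex())
    for flags in (0x81A0, 0x8180, 0x8380, 0x8182):
        print(hex(flags), classify_response(sample_reply(0x1234, flags), 0x1234))
```

The AD bit is only as trustworthy as the path between the stub resolver and the recursive name server, because the stub itself has not checked any signature.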

Reasons to use DNSSEC

So why should companies use DNSSEC? There are many reasons. One is that DNSSEC adopters are good network citizens, who prioritize the use of technologies and systems that improve the current state of Internet security. Some professionals use it for professional enjoyment and honor.

Companies want to build trust with their customers and enable clients to access their assets and Internet services with the same level of trust. According to IDG Research, 71% of respondents felt that it was crucial (24%) or very important (47%) that sites with which they did business could use DNSSEC. Only 6% rated it as insignificant.

A report from Bloor Research in September 2010 stated that the widespread use of DNSSEC would clearly increase Internet security, provide customers with higher levels of trust in the services provided, and enable organizations to protect their brands and operations.

As DNSSEC adoption accelerates, it will become easier to use. You will see more vendors offering packages, and even open-source capabilities offered by cheaper vendors. Some vendors will offer DNSSEC security products as a cloud-based service, further reducing barriers to entry.

Conclusion

Finally, using DNSSEC is part of the usual chess game. The threat to end users is increasing, more web-based devices are being produced day by day, more programs are offering services, and alongside them are many people who want to use them. To avoid losing users, you should try to gain and maintain their trust, which is an advantage that can be expected from security.