DNSSEC: What is it and how does it work?

Every so often in life we are faced with questions, and they tend to come in different “Ws”: What, Why, Who, Where and so on. Today we explore and answer a “What” question: what is DNSSEC? To answer this seemingly complex question, we first have to break the acronym into its parts. It’s that easy. So, let’s start with DNS.

What is DNS?

If you search online for a basic definition of DNS, you will find something like “a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network.” But what does all this mean? Let’s take a quick look at its history. DNS, the Domain Name System, was designed in the early 1980s. At that time the internet as we know it was a very small place, and security was neither a paramount concern nor a design feature.

Importance of DNS

DNS allows the internet to function. Whether you are visiting websites, sending emails or sharing images on social media, every one of these actions depends on DNS. DNS translates a domain name such as bbc.com into an Internet Protocol (IP) address such as 192.0.44.7, which is what routers, servers and other network devices need in order to direct traffic to the correct destination across the internet.

DNS: Stub Resolver and Recursive Resolver

As a web user, when you enter a website address on your mobile phone, your browser uses what is called a stub resolver, a component of your device’s operating system (OS). This is where the translation of the domain name into an IP address starts.

The stub resolver is basically a DNS client that relays an application’s request for DNS data to a more complex DNS client known as a recursive resolver. Many network operators run their own recursive resolvers to handle the DNS requests of their users. Smaller operators and organisations often use recursive resolvers on other networks instead, typically ones operated as a public service such as Google Public DNS, Quad9 or OpenDNS.

DNS: The problem

So let’s get back to the 1980s. When DNS was designed, a recursive resolver that sent a request to a name server had no way to verify that the reply was genuine. All the resolver could check was that the reply appeared to come from the IP address it had sent the request to (together with a 16-bit transaction ID and the question it had asked). Relying on the source address is not a sound validation method, because the source IP of a DNS reply, like that of any UDP packet, can be forged.

As originally designed, a resolver cannot tell a forged response from a real one. It is therefore easy for someone with malicious intent (an attacker) to pose as the authoritative server the resolver queried, by forging a reply that appears to come from that server. Simply put, an attacker can redirect a user to a potentially dangerous site without the user knowing. This was clearly a cause for concern. Enter DNSSEC.

What is DNSSEC?

Fast forward to the 1990s: this weakness in DNS was recognised, and engineers in the Internet Engineering Task Force (IETF), the standards body responsible for the DNS protocol, designed a fix: the Domain Name System Security Extensions (DNSSEC).

The role of DNSSEC is to add authentication to DNS by means of digital signatures, which are based on public key cryptography. DNSSEC does not sign the DNS requests and replies themselves; instead, the DNS data is digitally signed by the zone owner with the owner’s private key, and the signatures are published in DNS alongside the data, so that anyone who retrieves the data can verify it with the owner’s public key.

How does DNSSEC work?

DNSSEC attaches digital signatures to the DNS data itself rather than to the parties involved in a lookup. Each zone owner signs its records and publishes the signatures (RRSIG records) together with its public key (a DNSKEY record) in the zone; the parent zone, for example the registry that runs the top-level domain, publishes a hash of that public key as a DS record. This links every signed zone to its parent and forms a chain of trust from the root zone down to the domain. When a validating resolver looks up a name in a signed domain, it does three things.

  1. It retrieves the requested records together with their RRSIG signature and the zone’s DNSKEY, and verifies the signature with that public key.
  2. It checks that the DNSKEY is the one the parent vouches for: the hash of the key must match the DS record published at the registry level, and the parent’s own key is checked the same way, up to the root zone’s trust anchor. If every link verifies, the answer is accepted and returned to the client.
  3. If any signature or DS record fails to match, the resolver discards the data and returns an error (SERVFAIL) instead of the forged or corrupted answer, so the client never receives it.

Note that this validation is normally done by the recursive resolver, not by the browser; the stub resolver on the device relies on the recursive resolver it is configured to use.

DNSSEC contributes two fundamental features to the DNS protocol:

  1. The first is data origin authentication. This allows a resolver to verify cryptographically that the data it received came from the zone it claims to come from, that is, that it was signed with the private key of that zone’s owner.
  2. The second is data integrity protection. This allows the resolver to detect any modification made to the data in transit after it was signed by the owner with the owner’s private key.

Finally

Data security on the internet has become a popular topic with the rise of social media and ever-increasing web use, and its importance cannot be overstated. It is worth being clear about what DNSSEC does and does not give you: it authenticates DNS data and protects its integrity, but it does not encrypt anything, so it complements rather than replaces TLS on your website. If you are a content creator or website owner, make sure the registrar and DNS hosting provider you select support DNSSEC, so that your zone can be signed and its DS record published at the registry. You can check whether a name validates from your resolver by querying it with dig +dnssec: a validating resolver sets the ad (authenticated data) flag in its answer.