DNSSEC stands for "Domain Name System Security Extensions." It is a security feature for the Domain Name System (DNS) that validates DNS information (e.g., IP address) of a domain name. By using cryptographic digital signatures, DNSSEC technology ensures that an end-user is accessing the actual website or other services corresponding to the domain name. In other words, DNSSEC prevents an attacker from redirecting end-users (at the DNS level) to a fake website or service.
DNSSEC protects against 'man-in-the-middle' DNS spoofing attacks and 'cache poisoning' by ensuring DNS information is validated cryptographically before the DNS server redirects the end-user to the website.
When users access a website using its domain name, e.g., http://www.example.sg, the system's DNS resolver will first query for the IP address of the website. When the DNS resolver (e.g., the ISP's resolver) makes its query, an attacker can trick the resolver into accepting a fake IP address. This is known as a 'man-in-the-middle' attack.
Most DNS resolvers also cache the returned IP address to speed up responses to future queries for the same domain name, whether from the same user or from other users. Therefore, if an attacker has managed to trick the DNS resolver into accepting a fake IP address, that fake IP address is now cached by the DNS resolver. This attack is known as 'cache poisoning.' When other users subsequently query the same domain (e.g., other users on the same ISP), the DNS resolver will redirect them to the fake IP address, because they receive the cached, incorrect IP address instead of the legitimate website's IP.
DNSSEC uses cryptographic signatures to create a "chain of trust." DNSSEC uses this "chain of trust" to validate that the information users receive originates from the correct DNS servers. If DNSSEC cannot validate the information, it discards the information. Thus, if users visit a DNSSEC-protected website and the DNS response is modified by a hacker (through a man-in-the-middle attack), the DNSSEC-aware DNS resolver or application can detect the fake information and discard it.
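The chain-of-trust validation described above, as an added illustrative model in Go (not code from this page or from any DNS software): each zone signs its records with an Ed25519 key and the parent publishes a digest of the child's key, so a resolver that trusts only the root key accepts the genuine answer for www.example.sg and rejects one rewritten in transit. Zone names, addresses and record contents are constructed, and the check is a simplified model of the DNSKEY/DS/RRSIG relationships, not wire-format DNSSEC.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Zone is a constructed, simplified model of a signed zone (not wire-format DNSSEC).
type Zone struct {
	Name  string
	Pub   ed25519.PublicKey
	RRset string            // e.g. "www.example.sg. A 192.0.2.10" (documentation address)
	RRSIG []byte            // signature over RRset (Ed25519 is DNSSEC algorithm 15)
	DS    map[string]string // child zone name -> SHA-256 digest of the child's public key
}
func digest(k ed25519.PublicKey) string { s := sha256.Sum256(k); return string(s[:]) }
// NewZone generates the zone key and signs the RRset, as a signed zone's operator would.
func NewZone(name, rrset string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{Name: name, Pub: pub, RRset: rrset,
		RRSIG: ed25519.Sign(priv, []byte(rrset)), DS: map[string]string{}}
}
// Delegate publishes the child's key digest in the parent, like a DS record.
func (z *Zone) Delegate(child *Zone) { z.DS[child.Name] = digest(child.Pub) }
// Validate walks the chain of trust from the trust anchor (the root key) downward: each
// child key must match its parent's DS digest, and each RRset signature must verify.
func Validate(anchor ed25519.PublicKey, chain []*Zone) bool {
	if len(chain) == 0 || !anchor.Equal(chain[0].Pub) {
		return false // chain does not start at the configured trust anchor
	}
	for i, z := range chain {
		if i > 0 && chain[i-1].DS[z.Name] != digest(z.Pub) {
			return false // key not vouched for by the parent: chain of trust is broken
		}
		if !ed25519.Verify(z.Pub, []byte(z.RRset), z.RRSIG) {
			return false // answer does not match its signature: spoofed or tampered
		}
	}
	return true
}
// Demo builds root -> sg -> example.sg, then validates a genuine and a spoofed answer.
func Demo() (genuine, spoofed bool) {
	root, sg := NewZone(".", ". SOA a.root-servers.net."), NewZone("sg.", "sg. NS ns.sg.")
	ex := NewZone("example.sg.", "www.example.sg. A 192.0.2.10")
	root.Delegate(sg); sg.Delegate(ex)
	forged := *ex // answer rewritten in transit; the original signature no longer matches
	forged.RRset = "www.example.sg. A 198.51.100.66"
	return Validate(root.Pub, []*Zone{root, sg, ex}), Validate(root.Pub, []*Zone{root, sg, &forged})
}
func main() { fmt.Println(Demo()) } // prints: true false
```

A real validating resolver performs the same two checks per delegation against the published DNSKEY, DS and RRSIG records, starting from the root trust anchor it is configured with.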
DNSSEC addresses security risks in the DNS protocol by adding authentication for responses received from DNS servers, preventing DNS spoofing, cache poisoning, and hijacking.