Domain Name System Security Extensions (DNSSEC)

What is DNSSEC?

DNSSEC stands for "Domain Name System Security Extensions." It is a security feature for the Domain Name System (DNS) that validates DNS information (e.g., IP address) of a domain name. By using cryptographic digital signatures, DNSSEC technology ensures that an end-user is accessing the actual website or other services corresponding to the domain name. In other words, DNSSEC prevents an attacker from redirecting end-users (at the DNS level) to a fake website or service.  

Why is DNSSEC important?

DNSSEC protects against 'man-in-the-middle' DNS spoofing attacks and 'cache poisoning' by ensuring DNS information is validated cryptographically before the DNS server redirects the end-user to the website. 

When users access a website using its domain name, e.g., http://www.example.sg, the system's DNS resolver will first query for the IP address of the website. When the DNS resolver (e.g., the ISP's resolver) makes its query, an attacker can trick the resolver into accepting a fake IP address. This is known as a 'man-in-the-middle' attack.

Most DNS resolvers also cache the returned IP address to speed up responses for future queries for the same domain name, either from the same user or other users. Therefore, if an attacker has managed to trick the DNS resolver into accepting a fake IP address, the fake IP address is now cached by the DNS resolver. This attack is known as 'cache poisoning.' When other users make subsequent queries of the same domain (e.g., other users on the same ISP), the DNS resolver will redirect them to the fake IP address. This is because these other users received the cached and incorrect IP address instead of the legitimate website’s IP. 

How does DNSSEC work?

DNSSEC uses cryptographic signatures to create a "chain of trust." DNSSEC uses this "chain of trust" to validate that the information users receive originates from the correct DNS servers. If DNSSEC cannot validate the information, it discards the information. Thus, if users visit a DNSSEC-protected website and the DNS response is modified by a hacker (through a man-in-the-middle attack), the DNSSEC-aware DNS resolver or application can detect the fake information and discard it.

High-Level Explanation: (Chain of Trust)

  1. Client queries for a DNS record from its local recursive server.
  2. Local recursive server retrieves the DNS record along with the public keys of the authoritative server.
  3. Local recursive server validates the public keys of the authoritative server through the DS record stored on the TLD server.
  4. Local recursive server retrieves the public keys for the TLD server.
  5. Local recursive server validates the TLD server's public keys through the DS record stored on the Root server.
  6. Local recursive server retrieves the public keys for the Root server.
  7. Local recursive server validates the Root server.
  8. DNS query is returned once the servers have all been validated.
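
The DS comparison in steps 3 and 5, as an added Python example that is not part of the original page: the parent zone's DS record holds a hash of the child zone's public key (DNSKEY), so a substituted key fails the check. The keys are constructed stand-ins, the root is checked against a locally configured trust anchor (an assumption; the page does not say how the root is validated), and the signature verification a real resolver also performs is left out.

```python
import hashlib, hmac, struct

def wire_name(name):
    """Canonical DNS wire format: lowercase, length-prefixed labels, 0x00 end."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes) | protocol (always 3) | algorithm | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B, used to pick the candidate DNSKEY."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata):
    """DS fields the parent publishes: (key tag, algorithm, digest type 2, SHA-256)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_matches(owner, rdata, ds):
    """True if the child's DNSKEY hashes to the DS held one level up."""
    tag, alg, dtype, digest = ds
    expected = make_ds(owner, rdata)
    return (dtype == 2 and (tag, alg) == expected[:2]
            and hmac.compare_digest(digest, expected[3]))

def first_broken_link(chain):
    """chain: [(zone, dnskey_rdata, ds_held_one_level_up), ...], root first."""
    for zone, rdata, ds in chain:
        if not ds_matches(zone, rdata, ds):
            return zone
    return None

# Constructed 64-byte stand-ins for ECDSA P-256 (algorithm 13) keys, not real keys.
def fake_key(label):
    return dnskey_rdata(257, 13, hashlib.sha512(label.encode()).digest())

ROOT, TLD, ZONE, ROGUE = (fake_key(n) for n in ("root", "sg", "example.sg", "attacker"))
ANCHOR = make_ds(".", ROOT)             # assumed: resolver's configured root trust anchor
DS_SG = make_ds("sg.", TLD)             # DS for sg. stored on the Root server
DS_ZONE = make_ds("example.sg.", ZONE)  # DS for example.sg. stored on the TLD server

GOOD = [(".", ROOT, ANCHOR), ("sg.", TLD, DS_SG), ("example.sg.", ZONE, DS_ZONE)]
SPOOFED = GOOD[:2] + [("example.sg.", ROGUE, DS_ZONE)]  # attacker swaps in own key

if __name__ == "__main__":
    print("good chain breaks at:", first_broken_link(GOOD))
    print("spoofed chain breaks at:", first_broken_link(SPOOFED))
```
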


DNSSEC addresses security risks in the DNS protocol by adding authentication for responses received from DNS servers, preventing DNS spoofing, cache poisoning, and hijacking.

Hyperlinks

Adoption Statistics

  1. APNIC: DNSSEC Validation Rate by Country
  2. APNIC: DNSSEC Deployment Report by Country

Further information

  1. Internet Society: DNSSEC Resources
  2. DNSSEC: DNS Security Extensions Securing the Domain Name System 
  3. Internet Society: DNSSEC Tools 
  4. Bluecatnetworks: What is DNSSEC and how does it work?
