{"id":707,"date":"2020-02-11T05:02:28","date_gmt":"2020-02-11T05:02:28","guid":{"rendered":"https:\/\/leciir.com\/?post_type=blog_post&#038;p=707"},"modified":"2020-02-14T14:12:19","modified_gmt":"2020-02-14T14:12:19","slug":"dns-security-a-brief-overview-of-dnssec","status":"publish","type":"blog_post","link":"https:\/\/leciir.com\/?blog_post=dns-security-a-brief-overview-of-dnssec","title":{"rendered":"DNS Security &#8211; A Brief Overview of DNSSEC"},"content":{"rendered":"\n<p><em>DNS offers an easy way to identify internet and private network-connected resources. With vulnerabilities in authenticity verifications, however, security is a concern. That&#8217;s where DNSSEC comes in.<\/em><\/p>\n\n\n\n<p><strong>What is DNS?<\/strong><\/p>\n\n\n\n<p>The Domain Name System (DNS), as ARIN describes, uses domain names as user-friendly identifiers for computer-friendly IP addresses. For example, the <a href=\"http:\/\/www.LeCiiR.Com\" target=\"_blank\" rel=\"noopener\">www.LeCiiR.Com<\/a> domain name translates to a specific IP address, but both the name and the IP address identify the same website. The domain name is simply easier to remember and use.<\/p>\n\n\n\n<p>A domain name and its associated DNS data are sorted and stored on nameservers, which a user\/device queries to look up this data. This process is called DNS name resolution (ARIN).<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" src=\"https:\/\/leciir.com\/wp-content\/uploads\/2020\/02\/ljwrh-1024x558.png\" alt=\"DNS resolution path: User\/Device, Stub Resolver, Recursive Resolver, Authoritative Nameservers\" class=\"wp-image-710\" width=\"510\" height=\"278\"\/><\/figure><\/div>\n\n\n\n<p>ICANN outlines the above-illustrated resolution process, which begins with a command from a device, such as a user sign-in. This command is sent to the stub resolver, which is part of the device&#8217;s operating system, beginning the translation of a domain name to an IP address. The stub resolver then sends a query to the recursive resolver, which sends its own queries to multiple nameservers in order to respond to the stub resolver and, in turn, the user\/device command.<\/p>\n\n\n\n<p>DNS structure is organized into <em>zones<\/em>, which then subdivide into &#8220;child&#8221; zones. Each zone must hold the data necessary to refer to the DNS servers of its child zones, allowing a user to find the domains beneath it. In other words, every parent zone must hold nameserver records for each of its child zones (ARIN).<\/p>\n\n\n\n<p>DNS, though a crucial component of web operations, does come with its vulnerabilities.<\/p>\n\n\n\n<p><strong>DNS Security Concerns<\/strong><\/p>\n\n\n\n<p>Cause for concern in DNS security often comes down to authenticity verification. When the recursive resolver sends its query to the nameserver, it cannot verify the authenticity of the response; it can only confirm whether the IP address that the response came from is the same IP address to which it sent the query (ICANN). As a result, if an attacker forges the source IP address, a response can appear as though it came from the desired nameserver, leading unsuspecting users to malicious sites.<\/p>\n\n\n\n<p>Recursive resolvers can also cache DNS data from nameservers. This way, when a stub resolver asks for data the recursive resolver has cached, the recursive resolver doesn&#8217;t need to query the nameserver again, speeding up the overall resolving process. Though efficient, this means that an attacker who has manipulated a DNS response can poison this cache if the response is accepted by the recursive resolver (ICANN). With the fraudulent DNS data cached, the recursive resolver will continue to hand it to every device that queries for it.<\/p>\n\n\n\n<p>To overcome these security vulnerabilities, DNSSEC can be enabled.<\/p>\n\n\n\n<p><strong>DNSSEC: The DNS Security Extension<\/strong><\/p>\n\n\n\n<p>With DNSSEC, DNS data is digitally signed by the zone owner using the zone&#8217;s private key. This signature allows resolvers to verify that the data has not been modified before transmitting it to the user (ICANN). If the data has been altered in any way, the user will not receive the desired response from the resolver, thereby mitigating the threat.<\/p>\n\n\n\n<p>Each zone also has a public key, published in the zone itself and visible to anyone. When a user makes a data request, the recursive resolver retrieves this public key to verify that the data actually comes from the intended zone. If the signature can&#8217;t be verified, the resolver sends an error message to the user rather than the requested data (ICANN).<\/p>\n\n\n\n<p>This added security and validation stretches beyond the zone to its parent and the root zone. Simply put, a zone&#8217;s public key is always signed by its parent zone (for example, the <em>org<\/em> zone for a .org domain), until the root zone is reached, which has no parent to sign its public key. As a result, a resolver that trusts the root zone&#8217;s public key can trust the public key of any zone signed, or authenticated, by the root zone. These authenticated zones go on to sign the public keys of their child zones, creating a chain of trust (ICANN) and security.<\/p>\n\n\n\n<p>DNSSEC must be enabled at both the recursive resolver and the authoritative server level to ensure a user arrives at their intended online destination. Doing so requires a few simple steps, and at LeCiiR, we want you to Live Easy. So, for questions on this topic or any others, don&#8217;t hesitate to <a href=\"https:\/\/leciir.com\/?page_id=84\">contact us<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" src=\"https:\/\/leciir.com\/wp-content\/uploads\/2020\/02\/Artboard-1@3x-1.png\" alt=\"\" class=\"wp-image-709\" width=\"211\" height=\"211\" srcset=\"https:\/\/leciir.com\/wp-content\/uploads\/2020\/02\/Artboard-1@3x-1.png 378w, https:\/\/leciir.com\/wp-content\/uploads\/2020\/02\/Artboard-1@3x-1-300x300.png 300w, https:\/\/leciir.com\/wp-content\/uploads\/2020\/02\/Artboard-1@3x-1-150x150.png 150w\" sizes=\"(max-width: 211px) 100vw, 211px\" \/><\/figure>\n\n\n\n<p><strong>References<\/strong><\/p>\n\n\n\n<p>ICANN, <a href=\"https:\/\/www.icann.org\/resources\/pages\/dnssec-what-is-it-why-important-2019-03-05-en\" target=\"_blank\" rel=\"noopener\">DNSSEC &#8211; What is it and Why is it Important?<\/a> 2020.<\/p>\n\n\n\n<p>ARIN, <a href=\"https:\/\/www.arin.net\/resources\/manage\/dnssec\/\" target=\"_blank\" rel=\"noopener\">Securing DNS (DNSSEC).<\/a> 2020.<\/p>\n\n\n\n<p>Images: Pixabay<\/p>\n","protected":false},"excerpt":{"rendered":"<p>DNS offers an easy way to identify internet and private network-connected resources. With vulnerabilities in authenticity verifications, however, security is a concern. That&#8217;s where DNSSEC comes in. What is DNS? The Domain Name System (DNS), as ARIN describes, uses domain names as user-friendly identifiers for computer-friendly IP addresses. For example, the www.LeCiiR.Com domain name translates [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":708,"comment_status":"open","ping_status":"closed","template":"","tags":[24,25,21],"blog-category":[],"_links":{"self":[{"href":"https:\/\/leciir.com\/index.php?rest_route=\/wp\/v2\/blog_post\/707"}],"collection":[{"href":"https:\/\/leciir.com\/index.php?rest_route=\/wp\/v2\/blog_post"}],"about":[{"href":"https:\/\/leciir.com\/index.php?rest_route=\/wp\/v2\/types\/blog_post"}],"author":[{"embeddable":true,"href":"https:\/\/leciir.com\/index.php?rest_route=\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/leciir.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=707"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/leciir.com\/index.php?rest_route=\/wp\/v2\/media\/708"}],"wp:attachment":[{"href":"https:\/\/leciir.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=707"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/leciir.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=707"},{"taxonomy":"blog-category","embeddable":true,"href":"https:\/\/leciir.com\/index.php?rest_route=%2Fwp%2Fv2%2Fblog-category&post=707"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}