
Employing DNSSEC: A Who, What and How of DNS Security

Part of IID's DNS Dojo Series

When an Internet user attempts to navigate to a particular website or to send an email to a particular address, the Domain Name System pairs up the domain they type with the IP address that serves as the website or email server’s actual location online. The DNS makes that connection by acting as the Internet’s address book. Domain Name System Security Extensions, or DNSSEC, is a way of cryptographically signing DNS information, much like a PGP signature signs email or a digital certificate identifies a website. DNSSEC attaches a signature that lets a user’s software verify that the DNS data it received is the data the domain’s operator published, and therefore that it is communicating with the intended destination.

Different signing mechanisms use various methods to establish “trust” regarding signatures. PGP uses key signing parties where individuals meet and literally verify and sign each other’s keys, while digital certificates rely on certificate authorities for their credibility. DNSSEC uses the DNS itself to establish trust: it uses digital signatures at the DNS level to authenticate the identity of domains and hostnames—that is, it verifies that the DNS data has not been tampered with or altered in a way that would return a site other than the legitimate site requested in a lookup. With this assurance, Internet users can visit a given website with confidence that their browser has resolved the actual site. Because DNS entries using DNSSEC are cryptographically signed, they can’t be forged, though domains can still be hijacked through social engineering schemes or by directly taking control of the authoritative name servers. Even given the possibility of hijacking through social engineering, the protections DNSSEC provides are significant and make the process of implementation worthwhile.

Who should implement DNSSEC?

Anyone who has a domain where information exchange matters should implement DNSSEC. These websites would include those that collect information either at login or within their site—email providers, banks, social networks and others. But even that’s not enough. Organizations need to insist that anyone accessing their domain is validating the DNS lookups they make against it with DNSSEC. For instance, if you’re a payment processor exposing a web-based API, you should insist that your customers validate lookups of the hostname (e.g. api.yourhostname.com) with DNS software that implements DNSSEC. If you’re exchanging email that could be damaging if inadvertently delivered to the wrong party, you should not only insist that people who are sending you email use DNSSEC-aware mail transport software, you should insist that they implement DNSSEC, and you should use DNSSEC-aware email transport software yourself.

DNSSEC is no silver bullet

What if I’m using DNSSEC to validate my domain name and someone I connect to—an extended enterprise partner, or the ISP of a customer for example—doesn’t validate? Does DNSSEC still offer me, my employees and my customers any security? Unfortunately, for this partner or ISP, the answer is no, it doesn’t. If my domain is signed but a particular partner isn’t validating the responses, then their lookups of my DNS information won’t be authenticated with DNSSEC. Because DNSSEC relies on both publication and resolution of the digital signatures, the absence of one side of the equation makes it as if DNSSEC isn’t there at all. Signing without validation creates no new problems, but it leaves that partner no safer than if the zone were unsigned, and it forfeits the safeguard of a DNSSEC-aware browser refusing to connect to a domain whose DNS is known to have been tampered with. The same is of course true in reverse—if your partner signs their domains but you don’t validate them, you’ll be no better off than if they hadn’t signed them at all. In an extended enterprise partner scenario, the goal is to have both partners publishing DNSSEC records and validating responses on their recursive servers, to truly “lock down” DNS queries.
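The two points above, that DNSSEC builds its trust out of the DNS hierarchy itself and that signing only pays off when the resolver on the other end validates, can be seen in one small simulation. The following is an added example written for this post, not IID’s code or any DNSSEC implementation: a parent zone whose key is the resolver’s trust anchor publishes a DS record committing to the child zone’s DNSKEY, the child signs its A record, and a resolver walks that chain. Everything is constructed and simplified: textbook RSA on fixed Mersenne primes stands in for a real DNSSEC algorithm (the keys are far too small for real use), each zone has a single key, there is no NSEC or TTL handling, and the names `example.` and `api.example.` are placeholders. Only the DS digest follows the real definition from RFC 4034 (SHA-256 over the owner name in wire format followed by the DNSKEY rdata).

```python
"""Toy DNSSEC chain of trust and the signed-vs-validating matrix (added example)."""
import hashlib
from dataclasses import dataclass, field

E = 65537               # RSA public exponent
ALG_PRIVATEDNS = 253    # DNSSEC private-use algorithm number; this toy RSA is not a registered algorithm

def make_key(p, q):
    """Textbook RSA key (n, d) from two primes. Toy only; never generate keys like this."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def sign(msg, key):
    n, d = key
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def verify(msg, sig, n):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(int.from_bytes(sig, "big"), E, n) == h

def wire_name(name):
    """Owner name as length-prefixed lower-case labels (DNS wire format)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(n):
    """flags=257 (KSK), protocol=3, algorithm byte, then the public key (the modulus here)."""
    return b"\x01\x01\x03" + bytes([ALG_PRIVATEDNS]) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def ds_digest(owner, rdata):
    """DS digest as RFC 4034 defines it: SHA-256(owner name wire form || DNSKEY rdata)."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()

def rrset_bytes(owner, rtype, rdatas):
    """Canonical byte form of an RRset, i.e. what an RRSIG covers (simplified)."""
    return wire_name(owner) + rtype.encode() + b"|".join(sorted(r.encode() for r in rdatas))

@dataclass
class Zone:
    name: str
    key: object            # (n, d) when the zone is signed, None when unsigned
    rrsets: dict           # (owner, type) -> list of rdata strings
    rrsigs: dict = field(default_factory=dict)

def sign_zone(zone):
    if zone.key is not None:
        for (owner, rtype), rdatas in zone.rrsets.items():
            zone.rrsigs[(owner, rtype)] = sign(rrset_bytes(owner, rtype, rdatas), zone.key)

def build_zones(sign_child):
    """Parent '.' is always signed and its modulus is the trust anchor; child 'example.' is signed only on request."""
    root_key = make_key(2**127 - 1, 2**107 - 1)   # both Mersenne primes (constructed toy keys)
    child_key = make_key(2**89 - 1, 2**61 - 1)
    root = Zone(".", root_key, {})
    child = Zone("example.", child_key if sign_child else None,
                 {("api.example.", "A"): ["203.0.113.10"]})
    if sign_child:
        rdata = dnskey_rdata(child_key[0])
        child.rrsets[("example.", "DNSKEY")] = [rdata.hex()]
        root.rrsets[("example.", "DS")] = [ds_digest("example.", rdata).hex()]  # parent vouches for child key
    sign_zone(root)
    sign_zone(child)
    return root_key[0], root, child

def resolve(anchor_n, parent, child, qname, validate, tamper_with=None):
    """Recursive resolver looking up qname/A. tamper_with simulates rdata being swapped in transit
    while the original RRSIG rides along. Returns (answer, status)."""
    answer = list(child.rrsets[(qname, "A")])
    sig = child.rrsigs.get((qname, "A"))
    if tamper_with is not None:
        answer = [tamper_with]
    if not validate:
        return answer, "unvalidated"      # a non-validating resolver never looks at signatures
    ds = parent.rrsets.get((child.name, "DS"))
    if ds is None or sig is None:
        return answer, "insecure"         # no DS in the parent: unsigned delegation, accepted as-is
    # 1. the parent's DS RRset must verify under the trust anchor
    if not verify(rrset_bytes(child.name, "DS", ds), parent.rrsigs[(child.name, "DS")], anchor_n):
        return None, "bogus"
    # 2. the child's DNSKEY must hash to that DS and its self-signature must verify
    key_hex = child.rrsets[(child.name, "DNSKEY")][0]
    key_rdata = bytes.fromhex(key_hex)
    child_n = int.from_bytes(key_rdata[4:], "big")
    if ds_digest(child.name, key_rdata).hex() not in ds or not verify(
            rrset_bytes(child.name, "DNSKEY", [key_hex]), child.rrsigs[(child.name, "DNSKEY")], child_n):
        return None, "bogus"
    # 3. the answer itself must verify under the child's key
    if not verify(rrset_bytes(qname, "A", answer), sig, child_n):
        return None, "bogus"
    return answer, "secure"

def outcome_matrix(forged="198.51.100.66"):
    """Result of each (zone signed?, resolver validating?) combination when the answer is altered in transit."""
    results = {}
    for signed in (False, True):
        for validating in (False, True):
            anchor, root, child = build_zones(signed)
            results[(signed, validating)] = resolve(anchor, root, child, "api.example.", validating, forged)
    return results

if __name__ == "__main__":
    for (signed, validating), (answer, status) in outcome_matrix().items():
        print(f"zone signed={signed!s:5} resolver validates={validating!s:5} -> {status}: {answer}")
```

Only the signed-zone, validating-resolver cell returns `bogus` and withholds the altered answer; the other three cells hand the altered record to the application, which is exactly the “as if DNSSEC isn’t there at all” situation described above.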

Even as DNSSEC becomes more widely employed, it may be premature for your organization to expect all extended enterprise partners to be both publishing DNSSEC records and validating responses. It’s certainly a worthwhile goal to continue working toward that, but in the meantime monitoring DNS configurations and resolutions for unexpected changes is a crucial tool for thwarting DNS hijacking attempts. But monitoring your own DNS is only part of the battle against cybercriminals utilizing the domain name system—it’s a much bigger undertaking that involves most likely dozens if not hundreds of partners. We’ll delve deeper into the communications that take place between extended enterprise partners and the importance of monitoring the DNS of your own enterprise and theirs in the next DNS Dojo post in a couple weeks. See you then!
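One concrete form of the monitoring recommended above is to keep a baseline of the records you expect for your own and your partners’ names and diff each fresh lookup against it. The following is an added example, not IID’s monitoring tooling: it parses answer lines in the presentation format that `dig +noall +answer` prints (owner, TTL, class, type, rdata), normalises them so that TTL changes and letter case do not cause noise, and reports added or removed records per name and type, ranking NS and DS changes highest because those are the records a delegation takeover changes. The two snapshots below are constructed; in practice the current snapshot comes from a scheduled lookup against the authoritative and recursive servers you care about.

```python
"""Baseline-vs-current DNS record diff (added example, constructed data)."""
from collections import defaultdict

# Record types whose unexpected change most strongly suggests a hijack (this example's own ranking).
SEVERITY = {"NS": "critical", "DS": "critical", "SOA": "high", "MX": "high",
            "A": "medium", "AAAA": "medium", "CNAME": "medium"}
NAME_RDATA = {"NS", "CNAME", "MX", "PTR"}   # rdata is (or ends in) a host name: compare case-insensitively

def parse_answer_lines(text):
    """Map (owner, type) -> set of rdata strings from dig-style answer lines; TTLs are ignored."""
    rrsets = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments and blank lines
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) < 5:
            raise ValueError(f"unparseable answer line: {raw!r}")
        owner, _ttl, klass, rtype, rdata = parts
        if klass != "IN":
            continue
        owner = owner.lower() if owner.endswith(".") else owner.lower() + "."
        rdata = " ".join(rdata.split())
        if rtype in NAME_RDATA:
            rdata = rdata.lower()
        rrsets[(owner, rtype)].add(rdata)
    return dict(rrsets)

def diff_rrsets(baseline, current):
    """List the (owner, type) pairs whose record set changed, with what was added and removed."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        added = current.get(key, set()) - baseline.get(key, set())
        removed = baseline.get(key, set()) - current.get(key, set())
        if added or removed:
            findings.append({"owner": key[0], "type": key[1], "severity": SEVERITY.get(key[1], "low"),
                             "added": sorted(added), "removed": sorted(removed)})
    return findings

# Constructed snapshots: the same zone, before and after an NS and an A record changed.
BASELINE = """
example.com.      3600 IN NS  ns1.example.com.
example.com.      3600 IN NS  ns2.example.com.
example.com.      3600 IN MX  10 mail.example.com.
api.example.com.   300 IN A   203.0.113.10
"""
CURRENT = """
example.com.      3600 IN NS  ns1.example.com.
example.com.      3600 IN NS  NS9.Unexpected-Host.Example.   ; constructed: not in the baseline
example.com.      3600 IN MX  10   mail.example.com.         ; extra spaces only, no real change
api.example.com.    60 IN A   203.0.113.10                   ; TTL changed only
api.example.com.    60 IN A   198.51.100.66                  ; constructed: new address
"""

if __name__ == "__main__":
    for f in diff_rrsets(parse_answer_lines(BASELINE), parse_answer_lines(CURRENT)):
        print(f"[{f['severity']}] {f['owner']} {f['type']}: +{f['added']} -{f['removed']}")
```

The MX line and the TTL change produce no finding, which is the point of normalising before comparing: a monitor that alerts on cosmetic differences gets ignored long before the critical NS change arrives.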
