Verizon Digital Media Services is happy to announce the general availability of Domain Name System Security Extensions (DNSSEC) support, as part of our industry-leading, integrated Domain Name System (DNS) solution.

The Need for DNS Security

DNS is a fundamental piece of internet communication. By translating easy-to-use URLs into the number-based IP addresses used by machines, DNS prevents users from having to memorize lengthy IP addresses. Without DNS, internet users would not be able to access websites using easy-to-remember domain names.

However, when the DNS protocol was originally conceived, it was designed primarily for scalability and simplicity. Security and authentication were given a lower priority, leaving the system susceptible to various attacks, such as cache poisoning, packet interception and server vulnerabilities.

One of these types of attacks, cache poisoning, poses a constant threat to DNS security. Since the original DNS specification does not verify the validity of replies to DNS queries, users were left exposed to forgery of DNS records by attackers. In a cache poisoning attack, attackers would attempt to compromise DNS servers to inject false records. These fraudulent DNS records would then be used to redirect users to a different IP address, preventing them from accessing legitimate websites and potentially leaving them exposed to other forms of attack.

Protection by DNSSEC

DNSSEC was developed to enhance the basic security set of DNS and provide some of the necessary, yet initially overlooked layers of security. The extension authenticates the resolution of IP addresses with a cryptographic signature, to make sure that answers provided by the DNS server are valid and authentic.

How does DNSSEC work to bolster security?

When a DNSSEC-enabled client submits a request to a DNS server that supports DNSSEC, the client includes in the request a cryptographic signature key. One such key exists in the client resolver, while the other exists in the domain’s authoritative DNS server. The resolver then matches its signature to that of the authoritative DNS server. If the resolver is able to match up the signatures, it is assured that the response it received from the Authority has not been tampered with and returns the verified DNS record to the client.

The DNSSEC verification process provides users with three core benefits:

• Origin Authentication of Data: This feature further validates authority sources, making it harder for malicious third parties to implement man-in-the-middle attacks.
• Data Integrity: In this process, records are cryptographically signed. If they were modified during the master/secondary zone, it will show up when resolving a record.
• Authenticated Denial of Existence: If a query has no data, authoritative servers can provide a response, which proves that no data exists.

When implemented, this mechanism mitigates some key DNS security vulnerabilities such as cache poisoning and certain methods of man-in-the-middle attacks.

Implementation

Verizon implemented DNSSEC into ROUTE‘s secondary DNS solution, which allows us to integrate externally managed zones into our service. This is particularly useful for banks and other large enterprises who operate their own DNS zone and infrastructure, but wish to rely on a 3rd-party service, such as Verizon’s, for added resilience, performance and security.

Verizon’s secondary DNS provides two key functions:

• Initial zone transfer: This process is initiated when a customer creates a secondary zone within ROUTE. Once that secondary zone has been created, data from the master name server is transferred to the newly created secondary zone (via the AXFR zone transfer protocol). A read-only copy of the newly transferred zone is created within ROUTE, along with glue records for our vanity name servers. Our route transfer system will then deploy the secondary zone to our globally distributed Route name servers. From this point, DNS queries are directed to our ROUTE name servers.
• Zone synchronization: This process is what keeps the secondary zone up-to-date with the master zone. The route transfer system queries the master zone every 120 seconds. If there are any changes, the route transfer system takes those changes and pushes them out to the appropriate route name servers.

DNSSEC is becoming more and more prevalent. Financial and government institutions are making DNSSEC a requirement, as issuing unsigned zones ignores a glaring hole in the Domain Name System, and leaves your systems open to various man-in-the-middle attacks. Moreover, the Office of Management and Budget (OMB) released a memo a number of years ago that made DNSSEC a requirement for .gov domains. The U.S. Defense Information Systems Agency has suggested it may follow suite with .mil domains.

By adding support for DNSSEC, Verizon is strengthening our commitment to providing you with a fast, reliable and secure DNS service. Customers in the financial industry, government sector or anyone else looking to take advantage of DNSSEC are now able to do so through Verizon’s ROUTE service.

Contact us to learn how our DNS offering may benefit your organization in providing a fast and secure web experience.

Nicholas Soegono, Associate Product Manager