Verizon Digital Media Services is happy to announce the general availability of Domain Name System Security Extensions (DNSSEC) support, as part of our industry-leading, integrated Domain Name System (DNS) solution.
The Need for DNS Security
DNS is a fundamental piece of internet communication. By translating human-readable domain names, such as the hostname in a URL, into the numeric IP addresses that machines use, DNS spares users from memorizing IP addresses. Without DNS, internet users would not be able to reach websites by easy-to-remember domain names.
However, when the DNS protocol was originally designed, the priorities were scalability and simplicity. Authenticating answers was not part of the design, which leaves the system susceptible to attacks such as cache poisoning and the interception or alteration of packets in transit, on top of ordinary vulnerabilities in name server software.
One of these attacks, cache poisoning, poses a constant threat to DNS security. Because the original DNS specification gives a resolver no way to verify that a reply really came from the zone's authoritative server (a reply is accepted if its transaction ID, port and question match an outstanding query), an attacker can race the legitimate server with forged replies, or inject false records through a compromised server. Once a forged record is accepted into a resolver's cache, every client of that resolver is sent to the attacker's IP address for as long as the record's TTL allows, cutting them off from the legitimate website and potentially exposing them to further attacks from the impostor site.
Protection by DNSSEC
DNSSEC was developed to add the authentication layer the original DNS lacked. It attaches cryptographic signatures to the records a zone publishes, address records and every other record set alike, so that a resolver can check that an answer is authentic, was published by the zone's operator and has not been altered in transit. DNSSEC does not encrypt queries or answers: it provides integrity and origin authentication, not confidentiality.
How does DNSSEC work to bolster security?
A DNSSEC-aware resolver signals its support by setting the DNSSEC OK (DO) flag in the EDNS0 portion of its query; it sends no key material of its own. An authoritative server for a signed zone then returns, alongside the requested records, the matching RRSIG records: signatures made with the zone's private key over each record set. The resolver fetches the zone's public keys (its DNSKEY records) and verifies the signatures with them. To know that the DNSKEY itself is genuine, the resolver compares it with the DS record published in the parent zone, which carries a hash of the key; the parent's DS record is in turn signed by the parent's keys, and so on up to the root zone, whose key the resolver holds as a configured trust anchor. If every link in this chain of trust verifies, the resolver is assured that the answer it received from the authoritative server has not been tampered with and returns the verified record to the client; if a signature fails, the answer is discarded rather than passed on. Signatures carry inception and expiration times, so a captured answer cannot be replayed indefinitely. Private keys never leave the zone operator; resolvers work only with public keys.
The DNSSEC verification process provides users with three core benefits:
Where a zone is signed and the resolver validates the signatures, this mechanism defeats cache poisoning and other attacks that rely on forging or altering DNS answers in transit, which is one class of man-in-the-middle attack. It does not hide which names are being looked up, and it does not protect the connection a client makes after the lookup; that remains the job of TLS. Both sides have to take part: an unsigned zone gives validators nothing to check, and a non-validating resolver accepts forged answers exactly as before.
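To make the exchange concrete, the following Go program is an added example, not code from the original post or from Verizon's ROUTE service. It models the validation steps described above together with the cache-poisoning case from the start of this page: a zone signs an A record set, a resolver checks the answer against the zone's DNSKEY, and the DNSKEY is checked against the DS digest the parent would publish. Several simplifications are assumed and marked in the comments: Ed25519 (DNSSEC algorithm 15) with a single key acting as both key-signing and zone-signing key, hand-built RFC 4034 canonical wire format for A records only, an RRset handed over already in canonical order, and the parent's DS computed locally rather than fetched and itself validated up to the root trust anchor. The zone name, addresses, keys and timestamps are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// be appends v as n big-endian bytes (the fixed-width fields of DNS wire format).
func be(buf []byte, v uint32, n int) []byte {
	for i := n - 1; i >= 0; i-- {
		buf = append(buf, byte(v>>(8*uint(i))))
	}
	return buf
}

// wireName encodes a non-root domain name in RFC 1035 wire format, lowercased as RFC 4034 canonical form requires.
func wireName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0)
}

// DNSKEY is the zone's public key (RFC 4034 section 2); algorithm 15 is Ed25519 (RFC 8080).
type DNSKEY struct{ Flags uint16; Protocol, Algorithm uint8; PublicKey []byte }

func (k DNSKEY) rdata() []byte { return append(append(be(nil, uint32(k.Flags), 2), k.Protocol, k.Algorithm), k.PublicKey...) }

// KeyTag is the RFC 4034 Appendix B checksum by which an RRSIG names the key that produced it.
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, b := range k.rdata() {
		ac += uint32(b) << (8 * uint(1-i%2)) // even offsets are the high byte of each 16-bit word
	}
	return uint16((ac + ac>>16) & 0xFFFF)
}

// DS is the digest the parent zone publishes for this key, SHA-256 over owner name || DNSKEY RDATA
// (RFC 4034 section 5.1.4, digest type 2 from RFC 4509); it is the link in the chain of trust.
func (k DNSKEY) DS(owner string) []byte { s := sha256.Sum256(append(wireName(owner), k.rdata()...)); return s[:] }

// ARecord is one address record; RRSIG carries the RFC 4034 section 3.1 fields.
type ARecord struct{ Owner string; TTL uint32; IP [4]byte }
type RRSIG struct {
	TypeCovered, KeyTag uint16; Algorithm, Labels uint8; OrigTTL, Expiration, Inception uint32
	SignerName string; Signature []byte
}

// signedData is what the zone signs and the resolver verifies: the RRSIG RDATA minus the signature,
// then each RR in canonical form (RFC 4034 section 3.1.8.1). Assumption: the caller passes the RRset
// already in canonical order; a full implementation would sort it here.
func signedData(sig RRSIG, rrs []ARecord) []byte {
	buf := append(be(nil, uint32(sig.TypeCovered), 2), sig.Algorithm, sig.Labels)
	buf = be(be(be(buf, sig.OrigTTL, 4), sig.Expiration, 4), sig.Inception, 4)
	buf = append(be(buf, uint32(sig.KeyTag), 2), wireName(sig.SignerName)...)
	for _, rr := range rrs {
		buf = append(buf, wireName(rr.Owner)...)
		buf = be(append(buf, 0, 1, 0, 1), sig.OrigTTL, 4) // TYPE A, CLASS IN, original (not cached) TTL
		buf = append(append(buf, 0, 4), rr.IP[:]...)      // RDLENGTH, RDATA
	}
	return buf
}

// Sign is the zone operator's step, done with a private key that never leaves the zone.
func Sign(priv ed25519.PrivateKey, key DNSKEY, signer string, rrs []ARecord, inception, expiration uint32) RRSIG {
	sig := RRSIG{TypeCovered: 1, KeyTag: key.KeyTag(), Algorithm: key.Algorithm, OrigTTL: rrs[0].TTL,
		Labels: uint8(strings.Count(rrs[0].Owner, ".")), Expiration: expiration, Inception: inception, SignerName: signer}
	sig.Signature = ed25519.Sign(priv, signedData(sig, rrs))
	return sig
}

// Validate is the resolver's step: chain of trust first (does this DNSKEY match the DS the parent
// published?), then whether the RRSIG applies to this key and time, and only then the signature itself.
func Validate(parentDS []byte, zone string, key DNSKEY, sig RRSIG, rrs []ARecord, now uint32) error {
	switch {
	case !bytes.Equal(key.DS(zone), parentDS):
		return errors.New("DNSKEY does not match the parent's DS record: chain of trust broken")
	case sig.KeyTag != key.KeyTag() || sig.Algorithm != key.Algorithm || len(key.PublicKey) != ed25519.PublicKeySize:
		return errors.New("RRSIG was not made by this DNSKEY")
	case now < sig.Inception || now > sig.Expiration:
		return errors.New("RRSIG is outside its inception/expiration window")
	case !ed25519.Verify(ed25519.PublicKey(key.PublicKey), signedData(sig, rrs), sig.Signature):
		return errors.New("RRSIG does not verify over the RRset: answer forged or altered in transit")
	}
	return nil
}

// Demo plays out three answers a validating resolver might receive for www.example.com: the genuine one,
// a poisoned one that reuses the real RRSIG, and one re-signed with an attacker's key that the parent
// never delegated to. Names, keys, addresses and timestamps are constructed for the demonstration.
func Demo() (genuine, poisoned, rogueKey error) {
	const inception, expiration, now = 1700000000, 1701000000, 1700500000
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	key := DNSKEY{Flags: 257, Protocol: 3, Algorithm: 15, PublicKey: pub}
	parentDS := key.DS("example.com.") // stand-in for the DS record the .com zone would publish
	rrs := []ARecord{{"www.example.com.", 300, [4]byte{192, 0, 2, 10}}}
	sig := Sign(priv, key, "example.com.", rrs, inception, expiration)
	genuine = Validate(parentDS, "example.com.", key, sig, rrs, now)
	forged := []ARecord{{"www.example.com.", 300, [4]byte{198, 51, 100, 66}}}
	poisoned = Validate(parentDS, "example.com.", key, sig, forged, now)
	apub, apriv, _ := ed25519.GenerateKey(rand.Reader)
	akey := DNSKEY{Flags: 257, Protocol: 3, Algorithm: 15, PublicKey: apub}
	rogueKey = Validate(parentDS, "example.com.", akey, Sign(apriv, akey, "example.com.", forged, inception, expiration), forged, now)
	return
}

func main() {
	g, p, r := Demo()
	fmt.Printf("genuine answer: %v\npoisoned answer: %v\nattacker-signed answer: %v\n", g, p, r)
}
```

Run it with `go run`. The genuine answer validates; the poisoned answer carries the real RRSIG but different address data, so the signature no longer covers what was received; the attacker-signed answer verifies under the attacker's own key but is rejected before any signature is examined, because that key does not match the DS the parent published. That ordering is the point of the chain of trust: an attacker who can forge answers still cannot introduce a key of their own.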
Implementation
Verizon implemented DNSSEC in ROUTE's secondary DNS solution, which allows us to integrate externally managed zones into our service, so signed zones can be served from Verizon's network alongside the customer's own servers. This is particularly useful for banks and other large enterprises that operate their own DNS zone and infrastructure but wish to rely on a third-party service, such as Verizon's, for added resilience, performance and security.
Verizon’s secondary DNS provides two key functions:
DNSSEC is becoming more and more prevalent. Financial and government institutions are making DNSSEC a requirement, as serving unsigned zones leaves a well-known gap in the Domain Name System open and exposes your users to forged answers and man-in-the-middle attacks. Moreover, the Office of Management and Budget (OMB) released a memo a number of years ago (M-08-23, in 2008) that made DNSSEC a requirement for .gov domains. The U.S. Defense Information Systems Agency has suggested it may follow suit with .mil domains.
By adding support for DNSSEC, Verizon is strengthening our commitment to providing you with a fast, reliable and secure DNS service. Customers in the financial industry or government sector, and anyone else looking to take advantage of DNSSEC, are now able to do so through Verizon's ROUTE service.
Contact us to learn how our DNS offering may benefit your organization in providing a fast and secure web experience.
Nicholas Soegono, Associate Product Manager