It’s no secret that as technology advances, so do the ways criminals find to extort domain owners. One of the most popular methods of attacking a website is spoofing. As bad actors devise cleverer ways to fool your online customers, you need to do everything in your power to prevent attacks like this from happening in the first place.
One way to do that is with Domain Name System Security Extensions (DNSSEC).
DNSSEC is a protocol designed to protect websites against attacks by securing DNS lookups. This protection is achieved through a hierarchical digital signing policy or chain of trust across all DNS layers. With DNSSEC enabled, each layer of the lookup process must be verified and signed before a query can be resolved.
In order for an attacker to successfully spoof a domain, they need to impersonate an authoritative nameserver and give the recursive resolver a forged answer. When this happens, the recursive server unwittingly accepts the forgery and sends the internet user that queried the site to a malicious website. Unfortunately, it doesn’t stop with just this one query. The recursive server actually caches the forgery and sends all users to the malicious site until the forged records expire. Needless to say, this can cause far-reaching problems for your domain—including loss of trust in your brand.
With DNSSEC implemented, servers are required to validate requests before taking any action. This is done through digital signatures based on public key cryptography. Each DNS zone for a domain with DNSSEC enabled has a public/private key pair: the private key signs the DNS data for that particular zone, and the public key is used to authenticate it.
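The difference between the two resolver behaviours described above can be modelled in a few lines. This is an added illustration, not DNS Made Easy's code: it uses a toy RSA key and a simplified record instead of the real DNSSEC wire format, and the names `Resolver`, `signed_answer` and `demo`, along with the sample hostnames and addresses, are constructed for the example.

```python
import hashlib

N, E = (2**31 - 1) * (2**61 - 1), 65537  # toy RSA public key (constructed, far too small for real use)
D = pow(E, -1, (2**31 - 2) * (2**61 - 2))  # private exponent, known only to the zone owner

def digest(ans):
    data = f'{ans["name"]}|{ans["ip"]}|{ans["ttl"]}'.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def ds_of(dnskey):  # hash of the zone's public key, as published by the parent zone
    return hashlib.sha256(repr(dnskey).encode()).hexdigest()

def signed_answer(name, ip, ttl):
    ans = {"name": name, "ip": ip, "ttl": ttl, "dnskey": (N, E)}
    ans["rrsig"] = pow(digest(ans) % N, D, N)  # signature made with the private key
    return ans

def verify(ans, trusted_ds):
    n, e = ans["dnskey"]
    key_ok = ds_of(ans["dnskey"]) == trusted_ds  # key is the one the parent vouches for
    return key_ok and pow(ans["rrsig"], e, n) == digest(ans) % n

class Resolver:
    def __init__(self, trusted_ds=None):
        self.trusted_ds, self.cache = trusted_ds, {}  # trusted_ds=None: no DNSSEC validation

    def accept(self, ans, now):
        if self.trusted_ds and not verify(ans, self.trusted_ds):
            return False  # validating resolver drops the answer instead of caching it
        self.cache[ans["name"]] = (ans["ip"], now + ans["ttl"])
        return True

    def lookup(self, name, now):
        ip, expires = self.cache.get(name, (None, 0))
        return ip if now < expires else None

def demo():
    real = signed_answer("www.example.com", "192.0.2.10", 300)
    forged = dict(real, ip="203.0.113.66")  # altered data, signature copied from the real answer
    plain, secure = Resolver(), Resolver(trusted_ds=ds_of((N, E)))
    return {"plain_accepts_forged": plain.accept(forged, now=0),
            "secure_accepts_forged": secure.accept(forged, now=0),
            "secure_accepts_real": secure.accept(real, now=1),
            "plain_at_100": plain.lookup("www.example.com", now=100),   # still poisoned
            "plain_at_300": plain.lookup("www.example.com", now=300),   # forged record expired
            "secure_at_100": secure.lookup("www.example.com", now=100)}

if __name__ == "__main__":
    print(demo())
```

The non-validating resolver serves the forged address to every client until the TTL runs out, while the validating resolver never caches it because the copied signature does not match the altered data.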
If you’re unsure whether DNSSEC is right for you or would work with your unique configurations, contact our DNS specialists who will be more than happy to help.