What is DNSSEC and why it is important for your website
12:42, 06.04.2022
DNSSEC is a DNS security extension designed to reduce attacks aimed at spoofing IP addresses. Simply put, it makes DNS responses verifiable by signing them with digital signatures based on public-key cryptography.
DNSSEC technology is used to validate two important aspects of DNS:
- Data source authenticity. The resolver uses cryptography to check all incoming data and determine where it came from.
- Data integrity. If the data has been altered in any way, the resolver will detect this and respond with an error.
Thus, widespread implementation of DNSSEC provides serious protection on the Internet. Currently, it has to be enabled manually: network operators do this on their recursive resolvers, and domain owners do it themselves for their domains.
What are the benefits of using DNSSEC?
The extension is needed because the DNS protocol itself has no built-in security. In the 1980s, when it was first developed, security was not a priority, so the protocol provides no way to authenticate responses from an authoritative DNS server. All that the resolver can do is check the source IP address of a response to judge its authenticity. This is not enough in today's reality, as modern attack techniques are quite capable of forging and spoofing the source IP address.
Cybercriminals exploit this weakness by posing as an authoritative server, which allows them to redirect users to potentially malicious sites with illegal and forbidden content. DNSSEC also helps protect the server from spoofing and cache poisoning attacks.
What you need to set up DNSSEC for your domain
It is easy to set up domain protection using the DNSSEC protocol extension. To do so:
- Add DNS resource records that are associated with DNSSEC.
- Publish DNS resource records for the domain.
For Google Domains, it's pretty quick and easy. You need to log in to your account, select the desired domain and go through the menu to the DNS section. There, enable the DNSSEC setting at the very bottom. After this, the zone will be signed automatically, and after a day the changes will take effect.
For all other domain name providers, the procedure may be different, so we recommend contacting your service provider with this question. Thank you for your attention!
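To check that the change has taken effect, you can query a validating resolver with the DNSSEC OK bit set and inspect the reply. The Python sketch below is an added example, not part of the original article: the function names (build_query, dnssec_status, sample_response) and the sample replies are constructed for illustration, and it only reads header flags and record types, it does not verify signatures itself.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_AD = 0x0020   # "Authenticated Data": the resolver validated the answer
EDNS_DO = 0x8000   # "DNSSEC OK": ask for RRSIG records in the reply

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=TYPE_A, qid=0x1234):
    # Header: RD=1, one question, one additional record (the EDNS0 OPT).
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-record: root name, type 41, UDP size 1232, DO bit in the TTL field.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return header + question + opt

def skip_name(msg, pos):
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)   # compression pointer is 2 bytes, root label 1

def dnssec_status(msg):
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4          # name, then QTYPE and QCLASS
    types = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        types.append(rtype)
        pos += 10 + rdlen
    if flags & 0x000F == 2:                    # SERVFAIL: what a validating resolver
        return "servfail"                      # answers when validation fails
    if flags & FLAG_AD and TYPE_RRSIG in types:
        return "validated"
    return "signed-not-validated" if TYPE_RRSIG in types else "unsigned"

def sample_response(flags, records, name="example.com"):
    # Constructed test data, not a capture from a real resolver.
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(records), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in records:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg
```

The AD flag is only as trustworthy as the path to the resolver that set it, so run such a check against a resolver you operate or reach over a trusted channel.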