The Domain Name System (DNS) is essentially the "phone book of the Internet". It is what turns names like antonmcclure.com, google.com, facebook.com, oracle.com, linkedin.com, medium.com, and the many other sites and web applications we use day to day into the IP addresses our devices actually connect to. As more and more people depend on the Internet, more and more malicious people and groups will try to take advantage of this system.
From the beginning, DNS queries have been carried in single UDP packets rather than over TCP connections (TCP is used for zone transfers and for answers too large to fit in one packet). UDP has no handshake, so anyone who can send a packet can forge its source address and hand a resolver an answer that looks like it came from the real server. If a forged answer is accepted, the site you end up on might not be the site you were looking for. If you want to do online banking, buy a product, make investments, or anything else online, you want to be sure you have landed in the right place.
DNS Is Not Secure
DNS, designed in the 1980s, has no cryptographic way to verify a response. A resolver accepts a reply if it arrives from the expected IP address and port and carries the 16-bit transaction ID and the question of a query it still has outstanding. Every one of those fields can be forged by an attacker who can guess or observe them (randomizing the source port, the fix rolled out after the 2008 Kaminsky attack, makes guessing harder but not impossible), so none of them is a reliable check.
An attacker can impersonate the authoritative servers and spoof the response for certain domains without the user ever realizing it.
These attackers can also poison the cache of a legitimate recursive resolver by racing the real answer with a forged one: if the forgery matches the outstanding query first, it is stored for the record's TTL, and every user of that resolver who asks for the site is sent to the fraudulent address until the entry expires.
DNS Security Extensions (DNSSEC) have been called the "unspoofable Caller ID of the Internet", and they add the missing verification to this system. DNSSEC does not encrypt anything and does not secure the HTTP connection that follows (that is TLS's job); what it guarantees is that a resolver which validates can tell whether the records it received are the ones the zone owner actually published, so a forged answer is rejected instead of cached.
Some of the security benefits it provides include:
- Authenticating DNS data.
- Protecting data integrity.
- Authenticated denial of existence: a signed proof that a name or record type does not exist, so an attacker cannot forge "no such domain" answers either.
DNSSEC works by having the zone owner sign each set of records with a private key and publish the matching public key in a DNSKEY record; the signatures travel alongside the records as RRSIG records. The parent zone (for a .com domain, the .com zone, fed through your registrar) publishes a DS record, a hash of that public key, which is in turn signed with the parent's own key, and so on up to the root, whose key validating resolvers carry as a built-in trust anchor. A validating resolver can therefore check that the information it received is identical to what the authoritative DNS server published. Two caveats: the protection only exists when the resolver your clients use actually validates, and a zone whose DS record is missing or stale at the parent is either unprotected or unreachable, so the registrar step is not optional.
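As an added example (not code from the original post or from any DNS provider), the following Go program walks through the signing and validation just described, on constructed data: it encodes an A record set in DNSSEC canonical form, signs it with an Ed25519 zone key as an RRSIG, derives the DS record the parent would hold, and then plays a validating resolver against three answers: the genuine one, the cache-poisoning forgery from the previous section (a different address under the replayed genuine signature), and an impersonating server that signs with its own key. The zone example.com, the RFC 5737 test addresses and the timestamps are constructed; the validity-window and key-tag checks of a real validator are left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

const typeA uint16 = 1
const algEd25519 uint8 = 15 // DNSSEC algorithm number for Ed25519 (RFC 8080)

// RR is one class-IN resource record; RData is raw RDATA (4 bytes for an A record).
type RR struct{ Name string; Type uint16; RData []byte }

// rrsigHeader is the fixed-size front of RRSIG RDATA (RFC 4034 section 3.1); binary.Write emits it as-is.
type rrsigHeader struct{ TypeCovered uint16; Alg, Labels uint8; OrigTTL, Expiration, Inception uint32; KeyTag uint16 }

// RRSIG is a complete RRSIG record: fixed header, signer's name, signature.
type RRSIG struct{ rrsigHeader; Signer string; Signature []byte }

// wireName encodes an owner name in lowercase DNS wire format, the canonical form (RFC 4034 section 6.2).
func wireName(name string) []byte {
	var b []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		b = append(append(b, byte(len(l))), l...)
	}
	return append(b, 0)
}

// signedData is the byte string the zone key signs: RRSIG RDATA minus the signature, then the RRset
// sorted by RDATA, each RR as owner|type|class|origTTL|rdlength|rdata (RFC 4034 section 3.1.8.1).
func signedData(sig RRSIG, rrs []RR) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, sig.rrsigHeader)
	buf.Write(wireName(sig.Signer))
	sorted := append([]RR(nil), rrs...)
	sort.Slice(sorted, func(i, j int) bool { return bytes.Compare(sorted[i].RData, sorted[j].RData) < 0 })
	for _, rr := range sorted {
		buf.Write(wireName(rr.Name))
		binary.Write(&buf, binary.BigEndian, []uint16{rr.Type, 1}) // type, class IN
		binary.Write(&buf, binary.BigEndian, sig.OrigTTL)
		binary.Write(&buf, binary.BigEndian, uint16(len(rr.RData)))
		buf.Write(rr.RData)
	}
	return buf.Bytes()
}

// dnskeyRData builds DNSKEY RDATA: flags, protocol 3, algorithm, public key (RFC 4034 section 2.1).
func dnskeyRData(flags uint16, pub ed25519.PublicKey) []byte {
	return append([]byte{byte(flags >> 8), byte(flags), 3, algEd25519}, pub...)
}

// keyTag is the 16-bit checksum by which RRSIG and DS records refer to a DNSKEY (RFC 4034 appendix B).
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << (8 * uint(1-i%2)) // even offsets are the high byte
	}
	return uint16((ac + ac>>16) & 0xFFFF)
}

// dsRData is the DS record the parent publishes (the record you hand to your registrar):
// key tag | algorithm | digest type 2 | SHA-256(owner wire name | DNSKEY RDATA) (RFC 4034 section 5.1.4).
func dsRData(owner string, key []byte) []byte {
	t, d := keyTag(key), sha256.Sum256(append(wireName(owner), key...))
	return append([]byte{byte(t >> 8), byte(t), algEd25519, 2}, d[:]...)
}

// Validate is the resolver's chain-of-trust check: the DNSKEY the child served must hash to the DS the
// parent holds, and the RRSIG must verify under it. (Validity window and key-tag checks omitted for brevity.)
func Validate(parentDS []byte, zone string, dnskey []byte, rrs []RR, sig RRSIG) bool {
	if len(dnskey) != 4+ed25519.PublicKeySize || !bytes.Equal(parentDS, dsRData(zone, dnskey)) {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(dnskey[4:]), signedData(sig, rrs), sig.Signature)
}

// Scenario plays zone owner, parent and resolver on constructed data and reports whether the resolver
// accepts the genuine answer, a forged address under the replayed genuine RRSIG, and a forged answer
// the attacker signed with a key of their own.
func Scenario() (genuine, altered, attackerKey bool) {
	zone := "example.com."
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	zsk := dnskeyRData(256, pub)   // flag 256 = zone key
	parentDS := dsRData(zone, zsk) // what the registrar must publish in the parent zone
	want := []RR{{"www.example.com.", typeA, []byte{203, 0, 113, 10}}}
	sig := RRSIG{Signer: zone, rrsigHeader: rrsigHeader{TypeCovered: typeA, Alg: algEd25519, Labels: 3,
		OrigTTL: 300, Inception: 1700000000, Expiration: 1700000000 + 14*86400, KeyTag: keyTag(zsk)}}
	sig.Signature = ed25519.Sign(priv, signedData(sig, want))
	genuine = Validate(parentDS, zone, zsk, want, sig)
	forged := []RR{{"www.example.com.", typeA, []byte{198, 51, 100, 66}}} // poisoned address
	altered = Validate(parentDS, zone, zsk, forged, sig)                  // genuine RRSIG replayed
	apub, apriv, _ := ed25519.GenerateKey(rand.Reader) // attacker impersonating the authoritative server
	akey := dnskeyRData(256, apub)
	asig := sig
	asig.KeyTag = keyTag(akey)
	asig.Signature = ed25519.Sign(apriv, signedData(asig, forged))
	attackerKey = Validate(parentDS, zone, akey, forged, asig)
	return
}

func main() {
	g, a, k := Scenario()
	fmt.Printf("genuine: %v  altered RDATA: %v  attacker's own key: %v\n", g, a, k)
}
```

Only the genuine answer validates. The altered record fails because the signature covers the RDATA, and the attacker's self-signed answer fails earlier because their DNSKEY does not hash to the DS the parent holds; a missing or wrong DS record at your registrar produces exactly that mismatch, which is why the registrar step matters.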
Getting Your Domains Protected
DNSSEC is complicated, but that doesn't need to make it impossible for your domains to be secure. I use and recommend Cloudflare for their authoritative DNS servers (including their security features and CDN/proxy) along with their DNSSEC offering. The setup process was simple, and the benefits greatly outweighed either leaving responses spoofable or attempting to "self-host" an authoritative DNS server and exposing my server and others to various attacks. Whatever provider you choose, the job is only finished once the DS record it gives you has been entered at your registrar and published in the parent zone; after that, check the result by querying your domain through a validating resolver with dig +dnssec and confirming that the ad (authenticated data) flag is set in the answer.