Domain Name System Security Extensions (DNSSEC) adds security to the Domain Name System (DNS). More specifically, it can help prevent DNS poisoning attacks.
DNS servers host data in zones. You can think of a zone as a database with multiple records. Some common records in a DNS zone are:
- A record (also called a host record). This record holds the host name and IPv4 address assigned to the host. A DNS client queries DNS with the name using a forward lookup request, and DNS responds with the IPv4 address from this record.
- AAAA record. This record holds the host name and IPv6 address. It’s similar to an A record except that it is for IPv6.
- PTR record (also called a pointer record). The PTR record is the opposite of an A record. Instead of a DNS client querying DNS with the name, the DNS client queries DNS with the IP address. When configured to do so, the DNS server responds with the name. PTR records are optional, so these reverse lookups do not always work.
- MX record (also called mail exchanger). An MX record identifies a mail server used for email. The MX record is linked to the A record or AAAA record of a mail server.
- CNAME record (also called a canonical name, or alias). The CNAME record allows a single system to have multiple names associated with a single IP address. For example, a server named Server1 in the domain getcertifiedgetahead.com might have an alias of FileServer1 in the same domain.
- SOA record (also known as the start of authority record). The SOA record includes information about the DNS zone and some of its settings. For example, it includes the TTL (Time to Live) settings for DNS records. DNS clients use the TTL setting to determine how long to cache DNS results. TTL times are in seconds, and lower times cause clients to renew the records more often.
Clients query a DNS server, typically by sending the name of a host.
If the DNS server has the A or AAAA record within one of its zones, it replies with the IP address.
If the DNS server doesn’t have the record, it queries other DNS servers to obtain the IP address. It then replies to the client with the IP address.
This process is dependent on knowing that the IP address included in the reply is the true IP address of the host.
In some DNS poisoning attacks, attackers modify the DNS cache stored on a server with a different IP address.
Successful DNS poisoning attacks can cause users to visit malicious sites when they attempt to visit a known site.
As an example, imagine a user attempts to visit google.com. If an attacker modifies the DNS cache on a system, DNS can send the user to hackerwantsyourmoney.com instead.
DNSSEC and RRSIG
The primary method DNSSEC uses to provide data integrity for its responses is the Resource Record Signature (RRSIG). Responses from DNSSEC-protected zones include the RRSIG.
The RRSIG is similar to a digital signature used in email. As an example, imagine that Sally sends Joe an email. The digital signature provides two important services.
- It authenticates the sender. In other words, Joe knows that Sally sent the email.
- It verifies the integrity of the email. The digital signature is created from a hash of the email. If the email is modified, the digital signature breaks, indicating that the email has lost integrity.
The RRSIG provides the same two services.
- It authenticates the DNS server that sent the response.
- It also validates the integrity of the DNS record sent in the response.
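The following is an added example, not code from the original article, that models the two services just described and ties them back to the poisoning scenario above: a zone signs an A RRset, and a validating resolver checks the RRSIG before trusting the addresses. A textbook RSA signature over a SHA-256 hash stands in for the real RRSIG algorithms, the canonical RRset form is simplified, and the domain names, addresses, timestamps and key sizes are constructed for the demo; the record set, signer name, inception and expiration fields mirror real RRSIG fields but the encoding is not wire-format DNSSEC.

```python
# Added example (not from the original article): a toy model of how an RRSIG
# lets a validating resolver detect a poisoned record or an unauthorised signer.
# Assumptions: textbook RSA over SHA-256 stands in for real RRSIG algorithms,
# the canonical RRset form is simplified, and all names, addresses and
# timestamps below are constructed for the demo.
import hashlib
import random


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test; adequate for generating demo keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime of the requested size (top bit set, odd)."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """Return ((n, e), (n, d)): a toy zone-signing key pair."""
    e = 65537
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def canonical_rrset(owner, rtype, ttl, rdatas):
    """Simplified canonical form: lowercase owner name, RRs in sorted order.
    Sorting means the signature covers the set, not the order records arrive in."""
    lines = sorted(f"{owner.lower()} {ttl} IN {rtype} {rd}" for rd in rdatas)
    return "\n".join(lines).encode()


def rrsig_data(rrsig, owner, rdatas):
    """Bytes the signature covers: RRSIG fields (minus the signature) + RRset."""
    header = (f"{rrsig['type_covered']} {rrsig['original_ttl']} "
              f"{rrsig['expiration']} {rrsig['inception']} {rrsig['signer']}")
    rrset = canonical_rrset(owner, rrsig["type_covered"], rrsig["original_ttl"], rdatas)
    return header.encode() + b"\n" + rrset


def sign_rrset(priv, signer, owner, rtype, ttl, rdatas, inception, expiration):
    """Produce an RRSIG-like record for the RRset using the zone's private key."""
    n, d = priv
    rrsig = {"type_covered": rtype, "original_ttl": ttl, "expiration": expiration,
             "inception": inception, "signer": signer}
    digest = hashlib.sha256(rrsig_data(rrsig, owner, rdatas)).digest()
    rrsig["signature"] = pow(int.from_bytes(digest, "big"), d, n)  # toy RSA, no padding
    return rrsig


def verify_rrset(pub, owner, rdatas, rrsig, now):
    """Resolver-side check: signature window must be current and the signature
    must match the RRset as received. Any change to the records breaks it."""
    n, e = pub
    if not rrsig["inception"] <= now <= rrsig["expiration"]:
        return False
    expected = hashlib.sha256(rrsig_data(rrsig, owner, rdatas)).digest()
    return pow(rrsig["signature"], e, n) == int.from_bytes(expected, "big")


def demo():
    """Sign a constructed A RRset and validate it under several conditions."""
    random.seed(7)  # reproducible toy keys only; never seed real key generation
    zone_pub, zone_priv = keygen()
    rogue_pub, rogue_priv = keygen()  # an attacker's key the resolver does not trust
    owner, ttl = "www.example.com.", 3600  # constructed names (RFC 2606 / 5737 ranges)
    rdatas = ["192.0.2.10", "192.0.2.11"]
    inception, expiration, now = 1_700_000_000, 1_700_086_400, 1_700_040_000
    rrsig = sign_rrset(zone_priv, "example.com.", owner, "A", ttl, rdatas, inception, expiration)
    rogue_sig = sign_rrset(rogue_priv, "example.com.", owner, "A", ttl,
                           ["203.0.113.66"], inception, expiration)
    return {
        "genuine response": verify_rrset(zone_pub, owner, rdatas, rrsig, now),
        "poisoned address": verify_rrset(zone_pub, owner, ["203.0.113.66", "192.0.2.11"], rrsig, now),
        "same records, different order": verify_rrset(zone_pub, owner, list(reversed(rdatas)), rrsig, now),
        "signed by rogue key": verify_rrset(zone_pub, owner, ["203.0.113.66"], rogue_sig, now),
        "expired signature": verify_rrset(zone_pub, owner, rdatas, rrsig, expiration + 1),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:32s} -> {'VALID' if ok else 'REJECTED'}")
```

The three rejected cases map onto the article's points: a swapped address is the cache-poisoning case (integrity), a record signed by a key the resolver does not trust is the authentication case, and the expiry check shows why RRSIG validity windows matter for replayed old answers. The reordered case passes because canonical ordering makes the signature cover the record set rather than the order in which a server happens to return it.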