DNS Security Solution


DNS Security guarantees that a web application's traffic is routed to the correct servers, so that a site's visitors are not intercepted by a hidden attacker (a man-in-the-middle). These attacks usually go unnoticed by a site's visitors, increasing the risk of phishing, malware infections, and personal data leakage.


DNS spoofing, also known as cache poisoning, is an attack in which corrupt data is introduced into a DNS resolver's cache, causing the resolver to return an incorrect result record. By itself, cache poisoning does not seem dangerous, but it is often the first step in a combination attack. It is a very difficult attack to detect and to guard against, and the damage can be tremendous. When properly deployed, DNSSEC stops cache poisoning attacks because attackers can no longer impersonate authoritative name servers or spoof answers man-in-the-middle style, thus stopping the chain of attacks that follow.

In addition to stopping cache poisoning and other DNS-based attacks, DNSSEC also bolsters other features. Many organizations already publish anti-spam information such as SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) in DNS; many certificate authorities (CAs) also require CAA (Certificate Authority Authorization) records when issuing new SSL/TLS certificates, as a second factor of authentication.

There are other security-related applications of DNS as well. For example, you can publish the SSH fingerprints of SSH servers in DNS (SSHFP records), so that when a user logs in to a machine via SSH, she can verify she is not being tricked into logging in to a different machine. You can also publish TLSA records, which contain information about your web server's SSL/TLS certificate; when someone visits your web site, he can verify that his HTTPS connection has not been hijacked and that the certificate he received over HTTPS matches the one you published in DNS. All of this relies on the fundamental property of DNSSEC that we can verify the authenticity of the responding name server and the integrity of the answer received.
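The two checks described above (SSHFP for SSH hosts, TLSA for TLS certificates) both reduce to hashing what the host actually presented and comparing it with what DNS says. The following script is an added example, not code from the original page or from Infoblox; it computes the SSHFP fingerprint from an OpenSSH public key line in the way `ssh-keygen -r` does (RFC 4255/6594: a hash over the base64-decoded key blob) and the TLSA certificate-association data from a DER certificate (RFC 6698), then compares each against a record value. The key, certificate bytes and "published" records are constructed inline; in practice the records would come from a DNSSEC-validated lookup, and for TLSA selector 1 the SubjectPublicKeyInfo bytes are assumed to be extracted by your TLS library.

```python
"""Compare SSHFP / TLSA record data with what a host presents (added example)."""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (IANA registry) keyed by OpenSSH key type.
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}
# TLSA matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
TLSA_HASH = {0: lambda d: d,
             1: lambda d: hashlib.sha256(d).digest(),
             2: lambda d: hashlib.sha512(d).digest()}


def sshfp_from_key(authorized_key_line, fptype=2):
    """Return (algorithm, fptype, hex fingerprint) for an OpenSSH public key line.

    The fingerprint is a hash over the raw wire-format key blob, i.e. the
    base64-decoded second field of the line, exactly what `ssh-keygen -r` prints.
    """
    keytype, b64 = authorized_key_line.split()[:2]
    blob = base64.b64decode(b64)
    return SSHFP_ALG[keytype], fptype, SSHFP_HASH[fptype](blob).hexdigest()


def sshfp_matches(authorized_key_line, record):
    """`record` is SSHFP RDATA as text, e.g. '4 2 <hex>'. True if it matches the key."""
    alg, fptype, fp = record.split()
    got = sshfp_from_key(authorized_key_line, int(fptype))
    return got == (int(alg), int(fptype), fp.lower())


def tlsa_matches(cert_der, record, spki_der=None):
    """`record` is TLSA RDATA as text: 'usage selector matching_type <hex>'.

    Selector 0 covers the full DER certificate; selector 1 covers only the
    SubjectPublicKeyInfo, which the caller must supply (assumed to come from a
    TLS library, since this example does not parse ASN.1).
    """
    _usage, selector, mtype, data = record.split()
    selector, mtype = int(selector), int(mtype)
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        if spki_der is None:
            raise ValueError("selector 1 needs the SubjectPublicKeyInfo bytes")
        subject = spki_der
    else:
        raise ValueError("unknown TLSA selector %d" % selector)
    return TLSA_HASH[mtype](subject).hex() == data.lower()


# --- constructed sample data (not real keys or certificates) ---------------
def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


_KEY_BYTES = bytes(range(32))            # stand-in for a 32-byte Ed25519 public key
_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(_KEY_BYTES)
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " host.example"
# A key that differs in one byte, as an impostor host would present.
_TAMPERED_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\xff" + _KEY_BYTES[1:])
TAMPERED_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_TAMPERED_BLOB).decode()
# What the zone operator would publish: ssh-keygen -r host.example
PUBLISHED_SSHFP = "4 2 " + hashlib.sha256(_BLOB).hexdigest()

SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(256)   # constructed stand-in for DER
# DANE-EE (usage 3), full certificate (selector 0), SHA-256 (matching type 1).
PUBLISHED_TLSA = "3 0 1 " + hashlib.sha256(SAMPLE_CERT_DER).hexdigest()


if __name__ == "__main__":
    print("SSHFP for sample key :", sshfp_from_key(SAMPLE_KEY_LINE))
    print("genuine host matches :", sshfp_matches(SAMPLE_KEY_LINE, PUBLISHED_SSHFP))
    print("tampered host matches:", sshfp_matches(TAMPERED_KEY_LINE, PUBLISHED_SSHFP))
    print("TLSA matches cert    :", tlsa_matches(SAMPLE_CERT_DER, PUBLISHED_TLSA))
```

Note that the comparison is only as strong as the DNS answer it trusts: without DNSSEC validation on the resolver path, a poisoned SSHFP or TLSA record would simply be compared against the attacker's own key or certificate and pass.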

Being able to authenticate DNS messages is a big step forward not just for DNS but for the Internet as a whole, because it would be the first time we have a global database that is trustworthy.

Click the link to see more information about Infoblox: https://www.infoblox.com/products/bloxone-threat-defense