DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
02 September 2011
Download Type: Adobe PDF
Domain Name System (DNS) provides one of the most basic but critical functions on the Internet. If DNS isn’t working, then your business likely isn’t either. Secure your business and web presence with Domain Name System Security Extensions (DNSSEC).
Humans have always had difficulty remembering number sequences. Back in 1956, George Miller did some research on digit span recall tasks and found that humans are only able to hold seven plus or minus two items in memory. He concluded that even when more information is offered, the human memory system has the capacity to remember between five and nine chunks of information. Most people have a vocabulary of 10,000 to 30,000 words and some suggest that 500 to 1,000 of those are names. We’ve experienced words in place of numbers for years with the telephone system, especially 800 numbers, when a company spells out its product, name, or industry—like 1-800-EAT-SOUP.
It should come as no surprise that when the Internet was invented with all its
numbered Internet Protocol addresses, humans needed a way to translate those numbers into understandable names. The Domain Name System (DNS) was created in 1983 to enable humans to identify all the computers, services, and resources connected to the Internet by name. DNS translates human readable names into the unique binary information of devices so Internet users are able to find the machines they need. Think of it as the Internet’s phone book.
Now what would happen if someone changed your business name and matching phone book entry to his or her own? The phone book now lists “A. Crook,” an imposter who receives all of your calls and controls your number. Or, what if someone completely deleted your entry and no one could find you? That would really hurt business. What if that same situation happened to the domain name tied to your public website? An e-commerce site, at that! Either your customers won’t be able to find you at all or they will be redirected to another site that might look exactly like yours, but it is really A. Crook’s site. A. Crook happily takes their orders and money, leaving you with lost revenue, downtime, or any of the other myriad of issues organizations face when their web property is hijacked.
Security was not included in the original DNS design since at the time scalability— rather than malicious behavior—was the primary concern. Many feel that securing DNS would go a long way to securing the Internet at large. Domain Name System Security Extensions (DNSSEC) attempts to add security to DNS while maintaining the backward compatibility needed to scale with the Internet as a whole. In essence, DNSSEC adds a digital signature to ensure the authenticity of certain types of DNS transactions and, therefore, the integrity of the information.
• Origin authentication of DNS data.
• Data integrity.
• Authenticated denial of existence.