
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks


Humans have always had difficulty remembering number sequences. Back in 1956, George Miller did some research on digit span recall tasks and found that humans are only able to hold seven plus or minus two items in memory. He concluded that even when more information is offered, the human memory system has the capacity to remember between five and nine chunks of information. Most people have a vocabulary of 10,000 to 30,000 words and some suggest that 500 to 1,000 of those are names. We’ve experienced words in place of numbers for years with the telephone system, especially 800 numbers, when a company spells out its product, name, or industry—like 1-800-EAT-SOUP.

It should come as no surprise that when the Internet was invented with all its numbered Internet Protocol addresses, humans needed a way to translate those numbers into understandable names. The Domain Name System (DNS) was created in 1983 to enable humans to identify all the computers, services, and resources connected to the Internet by name. DNS translates human-readable names into the unique binary information of devices so Internet users are able to find the machines they need. Think of it as the Internet’s phone book.

Now what would happen if someone changed your business name and matching phone book entry to his or her own? The phone book now lists “A. Crook,” an imposter who receives all of your calls and controls your number. Or, what if someone completely deleted your entry and no one could find you? That would really hurt business. What if that same situation happened to the domain name tied to your public website? An e-commerce site, at that! Either your customers won’t be able to find you at all or they will be redirected to another site that might look exactly like yours, but it is really A. Crook’s site. A. Crook happily takes their orders and money, leaving you with lost revenue, downtime, or any of the myriad other issues organizations face when their web property is hijacked.

Security was not included in the original DNS design since at the time scalability—rather than malicious behavior—was the primary concern. Many feel that securing DNS would go a long way to securing the Internet at large. Domain Name System Security Extensions (DNSSEC) attempts to add security to DNS while maintaining the backward compatibility needed to scale with the Internet as a whole. In essence, DNSSEC adds a digital signature to ensure the authenticity of certain types of DNS transactions and, therefore, the integrity of the information.

DNSSEC provides:
• Origin authentication of DNS data.
• Data integrity.
• Authenticated denial of existence.
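As an added example (not from the white paper), a small Go model of the three properties just listed: the zone signs each RRset with an Ed25519 key standing in for its DNSKEY/RRSIG, a validating resolver rejects a poisoned answer whose data no longer matches the signature, and a signed NSEC-style record proves that a name does not exist. The names, addresses and key are constructed, and plain lexical ordering is assumed in place of DNS canonical name order.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRset is one owner name and type with all its records; DNSSEC signs whole sets.
type RRset struct {
	Name, Type string
	Rdata      []string
}

// canonical serialises an RRset deterministically (lower-cased owner, sorted rdata) so signer and validator see identical bytes.
func canonical(rr RRset) []byte {
	d := append([]string(nil), rr.Rdata...)
	sort.Strings(d)
	return []byte(strings.ToLower(rr.Name) + "|" + rr.Type + "|" + strings.Join(d, ","))
}

// SignRRset is the authoritative zone's side: an RRSIG-like signature made with the zone key.
func SignRRset(priv ed25519.PrivateKey, rr RRset) []byte { return ed25519.Sign(priv, canonical(rr)) }

// ValidateRRset is the resolver's side: origin authentication and data integrity hold only
// if the signature verifies under the zone's public key over exactly the data received.
func ValidateRRset(pub ed25519.PublicKey, rr RRset, sig []byte) bool { return ed25519.Verify(pub, canonical(rr), sig) }

// DeniesExistence is authenticated denial of existence: nsec models an NSEC record (owner, next name)
// that must itself verify, and qname must fall in the gap it covers (lexical order stands in for DNS canonical order).
func DeniesExistence(pub ed25519.PublicKey, nsec RRset, sig []byte, qname string) bool {
	if nsec.Type != "NSEC" || len(nsec.Rdata) != 1 || !ValidateRRset(pub, nsec, sig) {
		return false
	}
	q := strings.ToLower(qname)
	return strings.ToLower(nsec.Name) < q && q < strings.ToLower(nsec.Rdata[0])
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed zone signing key
	www := RRset{"www.example.com.", "A", []string{"192.0.2.10"}}
	sig := SignRRset(priv, www)
	spoofed := RRset{"www.example.com.", "A", []string{"198.51.100.66"}} // constructed poisoned answer
	fmt.Println("genuine:", ValidateRRset(pub, www, sig), "spoofed:", ValidateRRset(pub, spoofed, sig))
	nsec := RRset{"a.example.com.", "NSEC", []string{"www.example.com."}}
	fmt.Println("ftp.example.com. proven absent:", DeniesExistence(pub, nsec, SignRRset(priv, nsec), "ftp.example.com."))
}
```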