Domain Name System Security Extensions (DNSSEC) allow the registrant of a domain name to digitally sign the information published in the Domain Name System (DNS), helping to secure DNS data as it is transmitted across the Internet. This protects DNS users by ensuring that DNS data which has been corrupted, whether accidentally or by a malicious party, is not accepted and passed on to the user.
Background of DNSSEC Implementation
1980
DNS was designed in the 1980s, when the Internet was much smaller and security was not a priority in system design. When a resolver queries an authoritative name server, it has no way to validate the response: it can only check that the response appears to come from the same IP address to which it sent the original query.
But relying on the response's source IP address is not a strong authentication mechanism, because the source IP address of a DNS response packet can easily be forged. Since DNS was originally designed, resolvers have not been able to easily detect a spoofed response to their queries. A DNS attacker can impersonate the authoritative server that a resolver originally queried, sending spoofed responses that appear to come from that trusted server. In other words, attackers can redirect users to potentially dangerous websites without their knowledge.
1990
Engineers at the Internet Engineering Task Force (IETF), the organization responsible for DNS protocol standards, long ago recognized that the lack of strong authentication in DNS was a major problem. Work on a solution began in 1990, and the result was the DNS Security Extensions (DNSSEC).
DNSSEC strengthens the authentication of DNS data using digital signatures based on public key cryptography. With DNSSEC it is not the DNS queries and responses that are signed, but the DNS data itself, which is signed by the owner of the data. Every DNS zone has a public/private key pair. The zone owner uses the zone's private key to sign the DNS data in the zone, creating a digital signature over it. As the name "private key" implies, the contents of this key are kept secret by the zone owner. The zone's public key, however, is published in the zone itself, so that anyone can retrieve it.
A recursive resolver that looks up information in a zone retrieves the zone's public key and uses it to verify the integrity of the DNS information. If the resolver confirms that the digital signature on the retrieved DNS data is valid, the correct DNS information is returned to the user. If the signature cannot be validated, the resolver treats this as an attack, rejects the information, and returns an error to the user.
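As an added example (not DATATAN.NET's code), a small Go model of the signing and validation steps described above, using Ed25519 (one of the signature algorithms DNSSEC supports); the zone name, record data and the simplified record layout are constructed for illustration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRset is one DNS record set. The data is sorted before signing, mirroring
// DNSSEC's canonical RRset order, so signer and validator hash the same bytes.
type RRset struct {
	Name, Type string
	Data       []string
}

// Canonical returns the bytes that the zone signs and the resolver verifies.
func (r RRset) Canonical() []byte {
	d := append([]string(nil), r.Data...)
	sort.Strings(d)
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(d, ","))
}

// Zone holds the zone's key pair: the public key is published in the zone
// (as a DNSKEY record would be); the private key stays with the zone owner.
type Zone struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

func NewZone() (Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Zone{Public: pub, private: priv}, err
}

// Sign is the zone owner's step: an RRSIG-like signature over the RRset.
func (z Zone) Sign(r RRset) []byte { return ed25519.Sign(z.private, r.Canonical()) }

// Validate is the resolver's step: verify against the published public key.
func Validate(pub ed25519.PublicKey, r RRset, sig []byte) bool {
	return ed25519.Verify(pub, r.Canonical(), sig)
}

func main() {
	z, _ := NewZone()
	genuine := RRset{"www.example.", "A", []string{"192.0.2.10"}} // constructed sample record
	sig := z.Sign(genuine)
	spoofed := RRset{"www.example.", "A", []string{"198.51.100.66"}} // forged answer reusing the RRSIG
	fmt.Println(Validate(z.Public, genuine, sig), Validate(z.Public, spoofed, sig)) // true false
}
```

Only the signed data is checked, so a forged response that changes the address but copies the genuine signature fails validation and is discarded by the resolver.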
Benefits of Implementing DNSSEC
- Helps protect DNS communication across the Internet for end users, companies, organizations and governments.
- Reduces vulnerability to DNS attacks that can lead to DNS spoofing and alteration of routing information.
- Promotes innovation built on DNSSEC, which monitors and protects DNS data, enabling that data to be trusted by applications beyond DNS.
Enabling DNSSEC
To enable DNSSEC, both of the following need to be in place:
- Registrants, the people responsible for publishing a registered domain's DNS information, must have their DNS zone signed with DNSSEC.
- Network operators, that is Internet service providers or web hosting providers, must enable DNSSEC validation on the DNS resolvers that handle DNS lookups for their users.
Customers who use web hosting and domain name services from DATATAN.NET and wish to enable DNSSEC for their domain can ask us to set it up via the email address support@datatan.net or the Support Ticket System.