In a previous article, we discussed the importance of the Domain Name System (DNS), a hierarchical structure that works like a “phone book” for the Internet, converting IP addresses of connected computers into easier-to-remember forms we know as domain names (and vice versa).
We also discussed DNSSEC (Domain Name System Security Extensions), a set of extensions for the original DNS specification designed to make it harder for criminals to execute cyberattacks like DNS Spoofing, which may harm users, whether individuals or companies.
In this article, we will talk about how DNSSEC works on Azion’s Edge Computing Platform and how you can enable it to add an extra layer of protection for your websites and applications.
The DNSSEC FAQ
How Does DNSSEC Work?
In short, DNSSEC solves one of the biggest issues with the original DNS specification: there is no way to authenticate the responses from a server. This opens the door for attacks such as DNS Spoofing, where an attacker can impersonate a server and deliver a response with false data about a domain, such as a different IP address, redirecting traffic to servers under their control.
DNSSEC solves this by signing responses from compatible servers with a cryptographic key. By comparing signatures, it is possible to authenticate a response, making it difficult for an attacker to manipulate information.
It is worth mentioning that DNSSEC does not implement data encryption: data continues to flow in clear text. An analogy is a document with a notarized signature: the signature alone guarantees the document’s authenticity, but does nothing to protect its content.
This diagram shows how DNSSEC works to prevent an attacker from hijacking a DNS response.
Image: Azion Technologies.
Is the Azion Edge Computing Platform Compatible With DNSSEC?
Azion’s Edge Computing Platform is compatible with the DNSSEC specification, supporting its use on websites and applications accelerated by our services.
Keep in mind that in order to enable DNSSEC, your Top-Level Domain (TLD) registry must support it. Also, your zone must be configured with DNSSEC-related resource records (see below), and DNSSEC must be enabled in your domain registry.
How Much Does It Cost To Enable DNSSEC?
There is no cost associated with enabling and using DNSSEC on Azion’s platform. This feature is provided for free to subscribers of our Intelligent DNS service.
Is There a Performance Overhead Associated With DNSSEC?
No. Both data and cryptographic keys can be cached, thus preserving the high performance of the DNS service.
What Is Needed To Host a DNSSEC Zone With Azion?
To enable signature verification, DNSSEC requires the administration of new Resource Records (RR), in addition to those already in use:
- DNSKEY contains the public key to be used in the verification.
- DS (Delegation Signer) contains the HASH of a DNSKEY record. This record is used by recursive DNS servers to verify the authenticity of the DNSKEY itself.
- RRSIG contains the digital signature of a record.
- NSEC and NSEC3 enable the non-existence response of a queried record, known as authenticated denial of existence, preventing a malicious actor from falsifying a non-existent address response.
Each DNS zone has a public/private key pair. The zone’s private key is used to sign DNS data in the zone and generate digital signatures on that data. The private key is kept secret, and the public key is available in the DNS zone itself for anyone to retrieve.
In addition, the following information will be provided by Azion so you can proceed with DNSSEC activation at the registrar responsible for your domain.
- Public key (DS).
- The cryptographic algorithm used in key generation.
- Address of DNS servers.
Please refer to our documentation for detailed, step-by-step instructions on how to host a DNSSEC zone directly on the Azion platform.
General Recommendations And Considerations Regarding DNSSEC
- Before enabling DNSSEC, make sure that it is supported by the TLD registry.
- A few days before the scheduled change, we recommend you to reduce the TTL (Time To Live) of the DNS zone to be transferred. We suggest using a TTL of a few minutes in the DNSSEC records (DS and DNSKEY) in order to enable a quick recovery in case of need.
- For the new settings to become effective, wait for a new publication by those responsible for the TLD.
- Effective propagation and global visibility of the change may take a few days, as it depends on updating the cache of resolvers administered by third parties.
Conclusion
By enabling DNSSEC in your infrastructure’s DNS resolution process, you protect against threats such as DNS Spoofing. To find out more about how Azion’s services can help you raise the level of security offered to your users and your organization, contact our experts.