Tuesday, March 8, 2016

DNSSEC or Domain Name System Security Extensions

DNSSEC or Domain Name System Security Extensions is a set of security extensions of DNS or Domain Name System which ensures the DNS Clients that the DNS data they get from DNS Servers will be authentic.

Let's understand what this DNSSEC is actually.

What is DNS ?

When we want to visit a website, we simply type the URL of the website in the address bar of the browser and the webpage loads. We do not need to memorize the IP address of the website. This process is called Domain Name Resolution. And, the servers responsible for this are called DNS Servers.

When we type a URL of a website in the address bar of the browser, our computer contacts the Domain Name Servers or DNS Servers to resolve the IP address of the website. These DNS Servers are coordinated by ICANN or Internet Corporation for Assigned Names and Numbers. Normally, our computer uses a DNS Server which is used by our ISP or Internet Service Provider.

So, our computer makes a DNS query with the URL to the DNS Server and the corresponding DNS Server responds with proper IP address. And, using this IP address our browser opens the website in the browser.

Security concerns of DNS

In the early 1980's, when DNS was designed, there was not much considerations for security mechanisms in the protocol. Computers at that time were much less powerful, public key cryptography was a new concept and the network was much smaller with lesser number of relatively well-known people. Later, usage of internet increased dramatically, and DNS became vulnerable demanding for security mechanisms to be applied for it.

There are a couple of major security concerns for DNS :

  1. DNS Hijacking - Our computer opens a website using the IP address that the DNS Server has returned. In case of DNS Hijacking, an attacker changes the DNS settings in a computer, so that, whenever the computer makes a DNS query to resolve some IP address, a rogue DNS Server controlled by the attacker is contacted instead of the actual DNS Server used by our ISP. This normally happens when the computer is infected by a malware like DNSChanger Trojan. The malware infects a computer and then changes the DNS settings, replacing the authentic DNS Server with a malicious one.

As a result, the victim computer obtains a malicious IP address of attacker's website, instead of
the intended IP address and the browser ends up opening the malicious website.

More information on DNS Hijacking can be found here : DNS Hijacking

  1. DNS Cache Poisoning - DNS Cache is said to be poisoned when it stores a malicious entry instead of a valid one. For example, if we type google.com, for the first time our computer will make a DNS query to appropriate DNS Server and once it gets a response, it will store the IP address of google.com in its DNS Cache, with a time-stamp up to which the entry remains valid. Within that time, if we type google.com again, our computer will look at its DNS Cache for the entry.
In DNS Cache Poisoning attackers use some malicious tricks to make the computers store
malicious DNS entries containing IP address of malicious webpages controlled by the attackers,
so that the attackers can exploit that later.

More information on DNS Cache Poisoning can be found here : DNS Cache Poisoning

  1. When emails are transported from one mail server to another, the mail servers make DNS queries to get IP addresses of mail servers indicated in the corresponding emails. Attackers can even play their trickery there and make the mail servers forward sensitive emails to the attackers' servers instead, following which attackers can steal sensitive data contained in the emails.

    More information on this type of attacks can be found here : DNS Hijacking while transporting emails

The above list is not exhaustive though.

How DNSSEC enhances security of DNS

A DNS query is resolved in stages. For example, when a computer makes a DNS query for www.somewebsite.com, a query is first asked to root zone directory at the top level and then it asks .com directory service identified by root where to find information on .somewebsite.com. And finally, it asks the .somewebsite.example.com directory service identified by .com where to find the address for www.somewebsite.com.

DNSSEC security extensions adds a chain of digital signatures in the DNS hierarchy. It uses public key cryptography for that purpose.

Each level in the DNS hierarchy owns its own signature generating keys. And, each level signs the key of the level just below it.

So, that would mean, for the example of www.somewebsite.com above, root would sign .com's keys, .com would sign .somewebsite.com's keys and .somewebsite.com would sign www.somewebsite.com's keys.

Since, every key is validated by the one above it, data integrity of DNS data is maintained over the whole process of Domain Name Resolution and the DNS clients get only authentic DNS responses.

DNSSEC implementation is quite complex and its adoption is very slow. But, once it is implemented, internet will be much more secured.

This article intended to give the basic idea of DNSSEC. Hope you liked it.

No comments:

Post a Comment