DNSSEC explained: Why you might want to implement it on your domain

The Domain Name System Security Extensions provide cryptographic authentication to prevent redirection to rogue websites, but owners of many domains have yet to adopt it.

padlock / Domain Name System / DNS / ICANN / security
Alpesh Ambalal Patel / Getty Images

DNSSEC definition

The Domain Name System Security Extensions (DNSSEC) is a set of specifications that extend the DNS protocol by adding cryptographic authentication for responses received from authoritative DNS servers. Its goal is to defend against techniques that hackers use to direct computers to rogue websites and servers. While DNSSEC has already been deployed for many of the generic and country-level top-level domains (TLDs), adoption at the individual domain level and end-user level has lagged behind.

What is DNS spoofing and hijacking?

In 2008, security researcher Dan Kaminsky discovered a fundamental flaw in the DNS protocol that impacted the most widely used DNS server software. The flaw allowed external attackers to poison the cache of DNS servers used by telecommunications providers and large organizations and force them to serve rogue responses to DNS queries, potentially sending users to spoofed websites or rogue email servers.

That flaw was patched in what was the largest coordinated IT industry response to a security vulnerability up to that time, but the threat of DNS hijacking attacks remained. Since DNS traffic was not authenticated or encrypted, any attacker taking control of a DNS server in a user's DNS resolution path could serve malicious responses and redirect them to a malicious server -- a man-in-the-middle scenario.

To continue reading this article register now

The 10 most powerful cybersecurity companies