An Overview Of DNS Security

The Domain Name System (DNS) is like the phonebook for internet web addresses. While we look for websites based on their domain names, like facebook.com, a web browser identifies them through their Internet Protocol (or IP) addresses. The DNS translates a domain name into the set of numbers that represents its IP address. The web browser uses this address to find the particular server or computer on the internet where a website’s pages are located.

The DNS, however, was not designed with security concerns at the forefront and contains some flaws that can make it easy for hackers to redirect DNS lookups for malicious purposes. For example, by intercepting a DNS request for a bank’s site, which would normally send the user to their bank’s website login page, an attacker can send the user to a fake page instead and steal the user’s login details when they attempt to log in.

In an attempt to mitigate these and other types of attacks, the DNS Security Extensions (DNSSEC) protocol was established. It protects against attacks like the one described above by attaching a digital signature to transmitted data to ensure its validity. To make this system effective, a secure lookup of this signature must be performed at every level of a DNS lookup request.

The way the system works is analogous to the way people sign financial and legal documents to ensure that they are valid. Because human signatures are unique, an expert in verifying them can categorically state that a document was signed by a particular person. In the same way, a digital signature is a unique code that cannot be replicated and that can be used to make sure that data for a DNS lookup request has not been tampered with by a third party.

The DNSSEC protocol implements a signing policy that is hierarchical across all the layers of the DNS. When a user makes a request for a particular website, a root DNS server will create a digital key for the relevant nameserver, and this nameserver will then also create a key that represents the authoritative address of the website’s server.
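How one link in that hierarchy can be checked, as an added example that is not part of the original article: in deployed DNSSEC the parent zone publishes a DS record holding a digest of the child zone's public key (DNSKEY), and a validator recomputes that digest before trusting the key. The key bytes and the name example.com are constructed sample values.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(dnskey_rdata: bytes) -> int:
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(dnskey_rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, dnskey_rdata: bytes) -> tuple:
    """DS fields: (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + dnskey_rdata).digest()
    return key_tag(dnskey_rdata), dnskey_rdata[3], 2, digest

def link_is_valid(owner: str, dnskey_rdata: bytes, ds: tuple) -> bool:
    """True if the child's DNSKEY matches the DS record held by the parent."""
    tag, alg, dtype, digest = ds
    if dtype != 2:  # this example handles SHA-256 digests only
        return False
    exp_tag, exp_alg, _, exp_digest = make_ds(owner, dnskey_rdata)
    return (tag == exp_tag and alg == exp_alg
            and hmac.compare_digest(digest, exp_digest))

# Constructed sample: flags=257 (key-signing key), protocol=3, algorithm=13,
# followed by a dummy 64-byte public key (not a real key).
CHILD_KEY = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))
PARENT_DS = make_ds("example.com.", CHILD_KEY)
# A substituted key, as an on-path attacker might present.
FORGED_KEY = struct.pack("!HBB", 257, 3, 13) + bytes(reversed(range(64)))

if __name__ == "__main__":
    print("genuine key accepted:", link_is_valid("example.com.", CHILD_KEY, PARENT_DS))
    print("forged key accepted: ", link_is_valid("example.com.", FORGED_KEY, PARENT_DS))
```

A full validator repeats this check at each delegation from the root down and also verifies the RRSIG signatures made with the trusted keys, which this example leaves out.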

DNSSEC is designed to be backwards compatible with the existing DNS protocol to ensure that existing lookups will still find the correct website, but in these cases the added security is not available. It is, however, compatible with SSL/TLS security measures to provide overall security for Internet websites.
