Google announced this week that it has enabled Domain Name System Security Extensions (DNSSEC) validation. This is essential for ensuring that DNS queries are directed to the real web site. With this in place, Google now checks the digital signatures on DNSSEC-signed responses. Currently 7% of the volume of all the queries Google handles use DNSSEC, and that volume is expected to grow as more and more organizations implement DNSSEC to secure traffic to their sites.
Without DNSSEC it is possible to hijack traffic from an Internet resolver by fooling it into storing a false IP address in place of the real one. This is called cache poisoning. Requests for the site made after the poisoning are directed to a fake site instead. Not a good thing if I am buying something or think I’m going to my bank or mortgage company.
Domain Name System Security Extensions is a set of IETF (Internet Engineering Task Force) standards outlined in RFCs 4033, 4034, and 4035. Its purpose is to provide a way to verify the information stored on the thousands of DNS resolvers around the world. With DNSSEC, Internet users can know with certainty that the DNS response they receive is the DNS response that was sent by the intended site and that it has not been altered in transit. DNSSEC eliminates threats from cache poisoning and pharming attacks. Without it, there is a much higher risk of fraud, loss of confidentiality, and identity theft. DNSSEC deployment is critical for financial institutions, government agencies, and security-conscious enterprises doing business on the Internet or securing internal networks.
DNSSEC protects DNS clients (such as web browsers and mail clients) from forged DNS data. If an attacker alters any part of the DNS resolution process, a DNSSEC-aware client can detect the altered response, and it can do so with certainty. Not all browsers are DNSSEC-aware. Chrome has supported it since version 14. On other browsers, an extension must be added to support DNSSEC, and some browsers don’t yet support DNSSEC at all.
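As an added example (not code from the original post), a small Python helper that tells a validating resolver's three outcomes apart from the header `dig +dnssec` prints: the AD flag means the resolver validated the signatures, a plain NOERROR without AD means the zone is unsigned or the resolver does not validate, and a SERVFAIL that turns into NOERROR when the query is repeated with `+cd` (checking disabled) means the data exists but its signatures failed validation. The dig headers below are constructed samples, and running the `+cd` retry is an assumed step, not something the post describes.

```python
import re

# Constructed sample headers in the format `dig +dnssec` prints (not real captures).
SECURE_HDR = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4101
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"""
INSECURE_HDR = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4102
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""
BOGUS_HDR = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4103
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
BOGUS_CD_HDR = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4104
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""


def parse_header(text):
    """Return (status, set of flags) from dig's two header lines."""
    status = re.search(r"status:\s*([A-Z]+)", text)
    flags = re.search(r"^;; flags:\s*([^;]*);", text, re.MULTILINE)
    if not status or not flags:
        raise ValueError("no dig header found")
    return status.group(1), set(flags.group(1).split())


def classify(answer, answer_cd=None):
    """Classify a `dig +dnssec` answer from a validating resolver.

    answer_cd is the header of the same query repeated with +cd
    (checking disabled); it distinguishes a validation failure from an
    ordinary resolver error when the first query returned SERVFAIL.
    """
    status, flags = parse_header(answer)
    if status == "NOERROR":
        # AD = the resolver validated the signature chain. Trust the flag only
        # over a path an attacker cannot tamper with (e.g. a local validating resolver).
        return "secure" if "ad" in flags else "insecure"
    if status == "SERVFAIL":
        if answer_cd is not None and parse_header(answer_cd)[0] == "NOERROR":
            return "bogus"      # data exists, but its signatures failed validation
        return "servfail"       # cannot tell without the +cd retry
    return "other:" + status
```

Against a live resolver, run `dig +dnssec example.com A` and, if it returns SERVFAIL, `dig +dnssec +cd example.com A`, then pass both outputs to `classify`.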
ICANN tracks the implementation of DNSSEC by Top Level Domain (TLD), e.g. .com or .org, and reports that information on its site. It also has a great map that shows which countries have enabled DNSSEC on their country-code TLDs.
Secure64 was the first company to offer a commercial application supporting DNSSEC. We can help you get set up quickly to protect the traffic to crucial sites. For more information on implementing DNSSEC, please visit our site.