Have I Reached the Party to Whom I am Speaking?
When it comes to the Internet, making sure you reach the right party can be a problem. Much like a telephone operator, the DNS works behind the scenes to translate names into IP addresses for services on the Internet.
Today’s DNS infrastructure cannot guarantee the answers the DNS system provides. Attackers can insert spoofed information into DNS responses, reroute requests to bogus name servers, and redirect DNS resolvers and email clients to servers under their control, leaving your organization vulnerable to a wide variety of fraudulent activities.
To address these problems and secure the critical name-to-address mapping function of DNS, a specification called DNSSEC (DNS Security Extensions) was developed. It is an extension to the DNS that can:
- Validate that a DNS response was sent by the source claiming to send it (authentication)
- Determine whether a DNS response has been tampered with (data integrity)
- Verify that a DNS record does not actually exist when a response is returned as unresolvable
In this whitepaper, we discuss the security vulnerabilities in the current DNS infrastructure. We then examine DNSSEC and how it can benefit organizations and the services that rely on the DNS.