DNS Security Extensions
aliases:
- DNSSEC
A spoofing and poisoning mitigation toolset via DNS request validation.
When DNSSEC is enabled, the authoritative server for the zone groups its resource records into sets called RRsets. Each RRset is signed with a private key called the Zone Signing Key (ZSK). When another DNS server requests records, the authoritative server returns them together with its public key, which the requester uses to verify the signatures. That public key is in turn signed with a separate Key Signing Key (KSK). The keys are split this way so that if the ZSK is compromised, it can be revoked immediately to limit the damage.
KSKs are validated by the parent domain or the host ISP. The domain trust of the TLDs is validated by Regional Internet Registries, and the root DNS servers are self-validated, using M-of-N control group key signing. This establishes a chain of trust from the root servers down to any specific subdomain.
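The link between a zone's KSK and its parent is the DS record: the parent publishes a hash of the child's KSK DNSKEY, and a validator checks the DNSKEY it receives against it. The following is an added example written for this note (not code from any DNS software); the key bytes and zone name are constructed placeholders, and the wire encodings follow RFC 4034.

```python
# Added example: how a parent zone's DS record anchors a child zone's KSK.
# Standard library only; key material below is constructed, not real.
import hashlib

SEP_FLAG = 0x0001        # Secure Entry Point bit: set on a KSK (flags 257), clear on a ZSK (256)
ZONE_KEY_FLAG = 0x0100
PROTOCOL = 3             # fixed value in every DNSKEY record
DIGEST_SHA256 = 2        # DS digest type 2 = SHA-256

def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return flags.to_bytes(2, "big") + bytes([PROTOCOL, algorithm]) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (a selector for DNSKEYs, not a security hash)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_rdata(owner: str, rdata: bytes) -> bytes:
    """DS record the parent publishes: key tag | algorithm | digest type | SHA-256(name | DNSKEY RDATA)."""
    digest = hashlib.sha256(canonical_name(owner) + rdata).digest()
    return key_tag(rdata).to_bytes(2, "big") + bytes([rdata[3], DIGEST_SHA256]) + digest

def ds_matches(owner: str, rdata: bytes, ds: bytes) -> bool:
    """Validator-side check: does the DNSKEY served by the child hash to the parent's DS?"""
    return ds_rdata(owner, rdata) == ds

# Constructed sample keys (placeholder bytes, not real DNSKEY material); algorithm 13 = ECDSAP256SHA256.
ksk = dnskey_rdata(ZONE_KEY_FLAG | SEP_FLAG, 13, bytes(range(1, 33)))
zsk = dnskey_rdata(ZONE_KEY_FLAG, 13, bytes(range(100, 132)))
parent_ds = ds_rdata("Example.COM.", ksk)   # what the parent zone would publish for example.com

def chain_checks() -> dict:
    """Only the genuine KSK satisfies the DS; the ZSK and a tampered KSK do not."""
    return {
        "ksk_matches_ds": ds_matches("example.com", ksk, parent_ds),
        "zsk_matches_ds": ds_matches("example.com", zsk, parent_ds),
        "tampered_ksk": ds_matches("example.com", ksk[:-1] + b"\x00", parent_ds),
        "ksk_is_sep": bool(int.from_bytes(ksk[:2], "big") & SEP_FLAG),
    }

if __name__ == "__main__":
    print(chain_checks())
```

The ZSK is never referenced by the parent: it is trusted only through the KSK's signature over the DNSKEY RRset, which is why it can be rolled without touching the parent zone.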
DNS Client Security
While DNSSEC validates a nameserver's records, DNS client security requires transport encryption to prevent on-path attackers from tampering with DNS queries.
- DNS over TLS (validates the resolver nameserver's digital certificate; 853/tcp)
- DNS over HTTPS (encrypts DNS traffic by wrapping it in HTTPS packets; 443/tcp)