DNSSEC is now available to all shared hosting clients. With it enabled, our clients are protected against forged DNS answers and the attacks built on them.
A bit about DNS
Initially, the Domain Name System (DNS) was designed as a scalable distributed system for obtaining information about domains. In fact, it is a huge distributed database stored across a hierarchy of DNS servers. Thanks to DNS, we don’t need to remember the IP addresses of our favorite sites; instead, we type symbolic names.
But if an attacker replaces some IP addresses with fake ones on one DNS server, every client that queries that server is sent to the attacker's website. The design of classic DNS makes such an attack comparatively easy.
To speed up the exchange of information between DNS servers about the location of a site, responses are cached, and the authenticity of a received response was confirmed only by a two-byte (16-bit) transaction identifier.
This vulnerability has been known since 1990 thanks to Steve Bellovin; countermeasures have been developed since the beginning of the 2000s, and since 2010 the Domain Name System Security Extensions (DNSSEC) have been actively deployed.
A little bit about DNSSEC
DNSSEC works by adding digital signatures to the responses of DNS servers, which guarantees the authenticity and integrity of the data obtained. The data itself is not encrypted. Each record of information about a site carries a digital signature generated with a secret (private) key. Anyone can therefore check the data for authenticity using the published public key, but creating a valid signature requires the private key itself, which an attacker can neither obtain nor forge in practice.
DNSSEC Features
- indirectly prevents DoS attacks
- protects against attacks on DNS servers, such as DNS cache poisoning
- guarantees the integrity and authenticity of data
- does not provide data confidentiality, i.e. does not encrypt data
- compatible with earlier versions of DNS
- some newer zones (e.g. .indi) are not yet signed, so for domains under them there is no chain of trust and enabling DNSSEC has no effect
How to get DNSSEC
1) Create a free-form ticket in billing, indicating the domain for which you need the service enabled.
2) In the Domains - Domain Names section, choose your domain and click the Edit button. Enable the Sign domain option. Domain zone signing is available to all panel users.
3) After your domain is signed, publish the DS records in the parent zone. All information about the keys' basic parameters and their DNSKEY and DS records is displayed on the DNSSEC Settings page (Domains - Domain Names section, select a domain, DNSSEC button). So that you do not forget to publish the records in the parent zone, enable notifications in the Settings - Mail Notifications section.
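Step 3 depends on the DS record in the parent zone matching the DNSKEY published in your zone: a DS is the key tag, algorithm, digest type and a hash over the owner name plus the DNSKEY RDATA (RFC 4034). The following Python is an added example, not the hosting panel's own code; it derives a DS record from a DNSKEY and checks whether a DS record as seen at the parent actually corresponds to the child's key. The zone name `example.com.` and the public-key bytes are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

# Constructed DNSKEY for a hypothetical zone (NOT a real key; the public-key
# bytes are arbitrary filler so that the example runs offline).
EXAMPLE_OWNER = "example.com."
EXAMPLE_FLAGS = 257        # KSK: Zone Key (256) + Secure Entry Point (1)
EXAMPLE_PROTOCOL = 3       # always 3 for DNSSEC (RFC 4034)
EXAMPLE_ALGORITHM = 13     # ECDSAP256SHA256
EXAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

# DS digest types that may appear at the parent (RFC 4034 / RFC 6605).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format, lower-cased (canonical form for digests)."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label: {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"          # root label terminates the name


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX) for a DS record."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_TYPES[digest_type](owner_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()


def ds_text(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2) -> str:
    """Presentation-format DS record, as you would hand it to the parent zone."""
    tag, alg, dt, digest = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type)
    return f"{owner} IN DS {tag} {alg} {dt} {digest}"


def ds_matches(published_ds: str, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True if a DS record (as seen in the parent zone) matches the child's DNSKEY."""
    fields = published_ds.split()
    try:
        idx = [f.upper() for f in fields].index("DS")   # tolerate "owner [TTL] [IN] DS ..."
        tag, alg, dt = (int(x) for x in fields[idx + 1: idx + 4])
    except (ValueError, IndexError):
        return False
    if dt not in DIGEST_TYPES:
        return False                                   # unknown digest type: cannot validate
    digest = "".join(fields[idx + 4:]).upper()         # digest may be split across whitespace
    return (tag, alg, dt, digest) == ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, dt)


def example_ds_text() -> str:
    return ds_text(EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_PROTOCOL, EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY_B64)


if __name__ == "__main__":
    print(example_ds_text())
```

The digest is taken over the lower-cased wire-format owner name followed by the DNSKEY RDATA, so the same key produces a different DS for a different zone name; a mismatch in the key tag, algorithm or digest means resolvers will not build the chain of trust, and a mistyped digest at the parent is the usual reason a freshly signed zone fails validation. Comparing the DS records the panel shows against what the parent actually serves (for example, with `dig DS example.com +dnssec`) is the check to run after step 3.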