DNSSEC makes internet safer
03 April 2018
Online spending increased by 13% in 2017, with € 22.5 billion in online sales, and with it the importance of security. Many people now know that you have to pay attention to the security lock next to the URL in the browser when you visit a website. But what if the URL, the lock and the site all look normal and you are nevertheless on a fake server? In this article we explain how DNSSEC prevents users from handing their data to the wrong party.
DNS and IT-security
E-commerce, internet banking and online interaction continue to grow. That is why IT security is becoming increasingly crucial for both consumers and businesses. An unsafe website or a data breach? That will soon result in more than just reputational damage and loss of sales. Under the new European GDPR legislation companies can also be hit with substantial fines as of 25 May. IT security is therefore high on the list of priorities for many companies. An important point of attention is the DNS (Domain Name System), one of the most important building blocks of the internet.
The DNS functions as a sort of phone directory on the internet
It tells the browser exactly where a website is located: for example, that the website of info.nl is on the server with IP address 220.127.116.11. The browser then connects to that server and displays the website. However, the DNS does not verify that the IP address is correct, and it also communicates unencrypted. As a result, malicious parties can make you visit a different IP address that hosts an exact copy of the website, complete with the security lock, or a look-alike URL. The only difference is that all data you enter ends up with the wrong people or parties.
Unfortunately, fraud via the DNS - for example through DNS spoofing or cache poisoning attacks - is becoming more common. One of the most effective weapons against DNS attacks is to digitally sign the IP address with DNSSEC.
What is DNSSEC and how does it work?
DNS servers on the internet work together to get the browser to the server associated with the URL. In every contact there is a risk that the data will be manipulated. With DNSSEC, every response from a DNS server receives a digital signature. This proves that the answer obtained comes from the right source and has not been changed along the way. DNSSEC adds authentication and security on top of the DNS. But how does it work in practice?
DNSSEC in practice: chain of trust
Visiting a website happens in three steps:
- Say you want to visit the website of info.nl. The lookup starts with a request for the .nl domain at ICANN (Internet Corporation for Assigned Names and Numbers), an organisation that keeps the infrastructure of the internet stable and secure.
- ICANN refers you to SIDN (Stichting Internet Domeinregistratie Nederland), the foundation that manages the .nl domains in the Netherlands. You then ask SIDN for the location of the website of info.nl.
- SIDN points your browser to the DNS server of info.nl, which is managed by an internet provider or by the company itself. This DNS server ultimately gives you the correct IP address, so that you end up on the right website.
If DNSSEC is applied in every step, a 'chain of trust' is created. Each piece of information is verified by the various DNS servers. ICANN has been using DNSSEC since 2009 and SIDN has supported DNSSEC since 2012. It is now up to Internet providers such as Info.nl to become the third and final step in this 'chain of trust'. The Dutch government has made DNSSEC more or less mandatory for government domains.
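The three-step chain of trust described above, and the unverified answer described earlier under "The DNS functions as a sort of phone directory", can be modelled in a few dozen lines. The following Go program is an added illustration, not code from info.nl or from any DNS software. It is a deliberately simplified model: each zone (the root, .nl and info.nl) holds one Ed25519 key pair standing in for its DNSSEC keys, the parent publishes a DS record that is a SHA-256 digest of the child's public key (real DNSSEC digests the whole DNKEY record and signs RRsets with RRSIG records; record labels such as "A info.nl" and the address 192.0.2.10 are constructed for the example), and the validator starts from a trust anchor, the root's public key, exactly as a real validating resolver does. It then shows that an answer altered in transit, or one signed with a key the parent never vouched for, is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRR is one record together with the signature its zone made over it
// (the role an RRSIG plays in real DNSSEC).
type SignedRR struct {
	Data string
	Sig  []byte
}

// Zone is a toy signed zone: one key pair standing in for the DNSSEC keys,
// plus the records it is authoritative for, keyed by label (e.g. "A info.nl").
type Zone struct {
	Name    string
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Records map[string]SignedRR
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, pub: pub, priv: priv, Records: map[string]SignedRR{}}
}

// Sign stores a record and signs label+data with the zone's private key.
func (z *Zone) Sign(label, data string) {
	z.Records[label] = SignedRR{Data: data, Sig: ed25519.Sign(z.priv, []byte(label+"\x00"+data))}
}

// DS is the digest the parent publishes for this zone. Simplification: a
// SHA-256 over the raw public key rather than over the full DNSKEY record.
func (z *Zone) DS() string {
	return fmt.Sprintf("%x", sha256.Sum256(z.pub))
}

// Delegate publishes a DS record for child inside parent, signed by parent.
func (parent *Zone) Delegate(child *Zone) {
	parent.Sign("DS "+child.Name, child.DS())
}

func verify(pub ed25519.PublicKey, label string, rr SignedRR) bool {
	return ed25519.Verify(pub, []byte(label+"\x00"+rr.Data), rr.Sig)
}

// Resolve walks the chain root -> TLD -> zone. At every delegation it checks
// that the parent's DS record verifies under the key trusted so far and that
// it matches the child's key; only then does the child's key become trusted.
// anchor is the root public key the validator was configured with.
func Resolve(anchor ed25519.PublicKey, chain []*Zone, label string) (string, error) {
	pub := anchor
	for i := 0; i < len(chain)-1; i++ {
		parent, child := chain[i], chain[i+1]
		ds, ok := parent.Records["DS "+child.Name]
		if !ok {
			return "", fmt.Errorf("%s: no DS for %s", parent.Name, child.Name)
		}
		if !verify(pub, "DS "+child.Name, ds) {
			return "", fmt.Errorf("%s: bad signature on DS %s", parent.Name, child.Name)
		}
		if ds.Data != child.DS() {
			return "", fmt.Errorf("%s: DS does not match the key of %s", parent.Name, child.Name)
		}
		pub = child.pub
	}
	leaf := chain[len(chain)-1]
	rr, ok := leaf.Records[label]
	if !ok {
		return "", fmt.Errorf("%s: no record %q", leaf.Name, label)
	}
	if !verify(pub, label, rr) {
		return "", fmt.Errorf("%s: bad signature on %q", leaf.Name, label)
	}
	return rr.Data, nil
}

// BuildExampleChain sets up root -> nl -> info.nl with one constructed A record
// and returns the trust anchor (root key) together with the chain.
func BuildExampleChain() (ed25519.PublicKey, []*Zone) {
	root, nl, site := NewZone("."), NewZone("nl"), NewZone("info.nl")
	site.Sign("A info.nl", "192.0.2.10") // constructed address from the documentation range
	nl.Delegate(site)
	root.Delegate(nl)
	return root.pub, []*Zone{root, nl, site}
}

func main() {
	anchor, chain := BuildExampleChain()
	ip, err := Resolve(anchor, chain, "A info.nl")
	fmt.Println("validated answer:", ip, err)

	// An answer altered in transit: the signature no longer covers the data.
	altered := *chain[2]
	altered.Records = map[string]SignedRR{"A info.nl": {Data: "203.0.113.5", Sig: chain[2].Records["A info.nl"].Sig}}
	_, err = Resolve(anchor, []*Zone{chain[0], chain[1], &altered}, "A info.nl")
	fmt.Println("altered answer:", err)

	// A zone signed with a key SIDN's counterpart never published a DS for.
	rogue := NewZone("info.nl")
	rogue.Sign("A info.nl", "203.0.113.5")
	_, err = Resolve(anchor, []*Zone{chain[0], chain[1], rogue}, "A info.nl")
	fmt.Println("unknown key:", err)
}
```

The point of the loop in Resolve is that trust flows only downwards from the anchor: a record is believed because its zone's key was vouched for by the parent's signed DS, and that parent's key in turn by its parent, up to the configured root key. On a real validating resolver the same outcome is visible as the AD flag in `dig +dnssec` output when validation succeeds, and as a SERVFAIL when it fails.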
For more information about how DNS actually works, please go here.
Starting with DNSSEC
Internet users do not notice anything about DNSSEC. It is primarily a 'technical' solution for a growing problem that fortunately not many consumers have had to deal with. For companies, DNSSEC is the next necessary step for doing business online.
For this reason, we will sign all .nl domains that info.nl manages with DNSSEC in the second quarter of 2018. As an info.nl customer you do not have to do anything. Currently, it is not yet possible to secure other domain extensions (.com, .org, etc.) with DNSSEC. The implementation of DNSSEC will not have a negative impact on the performance of our DNS servers; we have tested this extensively.