April 25, 2026

DNS Africa Resource Center

..sharing knowledge.

Why your company should consider implementing DNS security extensions – TechRepublic

The domain name system resolves domain names to IP addresses. DNS security extensions can validate the integrity of the chain of trust, ensuring that users are visiting the correct website.
Domain name system security extensions (DNSSEC) is a protocol for securing the chain of trust between the domain name system (DNS) records stored at each domain level. It verifies the trust between each child level and its parent, all the way back to the root zone. Through this multi-level process, the integrity of the DNS records associated with a domain can be verified, ensuring to the client that the website or service requested and the one delivered are, in fact, one and the same.
This article gives a brief explanation of how DNSSEC works and why your company should consider implementing it.
To demonstrate, let’s consider that our website is hosted as test.themacjesus.com.
The first step in the process requires the “.com” name servers to verify the records for “themacjesus” (in a parent-child relationship). Second, “themacjesus” verifies the records for “test” (also in a parent-child relationship). Third, the root DNS servers verify the .com records. Lastly, the records published by the root have their integrity verified using a private-public key pair, called a Zone Signing Key (ZSK). Additionally, a secondary key pair called the Key Signing Key (KSK) is used to validate the ZSK.
Just like DNS, DNSSEC is invisible to the user. However, in the background, the security extensions work by effectively signing the root zone for your domain, with each subsequent record requiring verification from its parent until the site being requested has been validated.
Accessing validated websites and services is the aim of security extension-enabled DNS services. The goal here is to reach the intended servers hosting those sites or services. As far as protection goes, it guards against malicious URLs designed to impersonate a site or service for the purpose of harvesting account names and passwords. This could come in the form of a maliciously injected record during a man-in-the-middle attack or as part of a known vulnerability, such as DNS-cache poisoning or spoofing attacks. In either case, DNSSEC will reply with a 404 error (website not found) in the event that a domain does not resolve due to DNS records that can’t be validated.
Administrative overhead in the form of creating and managing additional records for each domain to be protected by DNSSEC can be both time-consuming and costly, depending on the number of domains. The scope can grow exponentially if additional services require coverage, such as MX records for email servers. Speaking of MX records, there are known issues with DNSSEC-protected MX record lookups in Microsoft Exchange 2013 and earlier versions, which can result in errors.
The configuration of sites that are set up for DNSSEC must be error-free. Any errors during the configuration process, such as misspellings, will likely yield records that do not match the domain they are protecting. In such cases, domain validation will fail and the website or service will not be resolved when requested.
DNSSEC provides integrity as part of the CIA security triad; it provides neither confidentiality nor availability of data. DNSSEC also does not protect against Distributed Denial of Service (DDoS) attacks. While these are not really limitations of the DNSSEC suite, they are still good to know, as it is sometimes incorrectly assumed that DNSSEC does provide these protections.
DNSSEC will provide your organization and its users the peace of mind that the websites and services they use on a daily basis to accomplish their work are legitimate and not some malicious threat actor posing as such to obtain credentials and data from your company. By serving as a system of checks that span through the multi-level domains all the way back to the root DNS servers, the chain of trust between each link can be verified to ensure that communications being established between websites and services online and your organization have been vetted thoroughly and have had their integrity validated end to end.
Enabling DNSSEC for your organization’s DNS servers is generally a multi-step process that, while not complicated, will vary depending on your domain’s registrar, the top-level domain (TLD) extension for your site, and the nameservers’ configuration, whether managed internally or by a 3rd-party.
Some managed solutions, like CloudFlare, essentially allow DNSSEC to be enabled through several clicks of a mouse for users who utilize its fully managed DNS services. For self-managed nameservers, there is more to the configuration and setup that may require specific information to correctly implement DNSSEC. While a generalized setup is covered below in setting up DNSSEC, organizations should contact their IT support teams and any 3rd-party services they’ve contracted to manage domain services to understand exactly what the process will involve to successfully enable DNSSEC.
Has your organization deployed DNSSEC? What pros or cons have you run into before, during, or after deployment? Share your comments with us below in the comments section.