It’s a question we often hear: “Isn’t DNSSEC the same as encrypted DNS?”
Not really. While DNSSEC protects networks against man-in-the-middle attacks, it does so through public key cryptography, which is different from encryption. In other words, DNSSEC provides a form of authentication, but not a form of confidentiality.
DNSSEC uses public key cryptography to digitally “sign,” or authenticate, DNS queries. When DNSSEC is enabled on a zone record, the receiving device can compare the information it receives with the original information sent by the authoritative server. This is enabled by a digital signature that uses public keys to authenticate data.
In DNSSEC, the authentication keys are protected through cryptography, but the data itself is not protected. It’s still possible to intercept and read DNSSEC-protected traffic. If the data is manipulated somewhere along the data pathway and sent on to its destination, the receiving server will be able to tell that something is amiss because the public keys will not match.
Encryption, on the other hand, uses cryptography to encode the data itself. Encryption ensures confidentiality by changing what an attacker would see if they intercept a query somewhere along the data pathway. It makes that data unintelligible unless the attacker can decipher the signal using an encryption key. Since that key isn’t publicly shared, encryption protects data from manipulation.
DNS is one of the older protocols on the Internet. When it was created, the Internet was a much smaller place where pretty much everyone knew each other. Security was an afterthought.
By the time Internet security became a concern, DNS was so widely used that any significant change would have brought the entire system to a screeching halt. Rather than try to develop a fully encrypted protocol to replace DNS, it was decided to bolt on an authentication mechanism to the existing system.
DNSSEC was a compromise. It made the authentication of queries and data possible, increasing security of the protocol. But it did so without changing the underlying system, so the Internet could continue growing without the need to re-engineer anything. Deployment of DNSSEC was made optional so organizations could transition if and when they wanted.
DNS cache poisoning (also known as DNS spoofing) is a big reason to deploy DNSSEC. In a DNS spoofing attack, an unauthenticated answer is substituted for the legitimate response to a DNS query. That answer then gets stuck in the cache, continuing to return the wrong answer and directing users to malicious sites until the “time to live” expires.
DNSSEC protects against these kinds of attacks by authenticating DNS responses, ensuring that only correct answers are returned. Encryption may protect the underlying data in a DNS connection, but it wouldn’t protect against a DNS spoofing attack.
Unfortunately, only around 20% of Internet traffic is validated through DNSSEC. While that’s a significant increase from just a few years ago, it’s still a far cry from where it should be. A combination of usability issues, lack of information and sheer laziness accounts for that significant gap.
NS1 strongly encourages all its customers to deploy DNSSEC, and promotes its use through a simple deployment process. Unlike other providers, NS1 even supports DNSSEC as a secondary provider or redundant DNS option through our Dedicated DNS offering.
4 min read – The future of customer experience is bright. Providing a positive customer experience can become a competitive advantage.
2 min read – “It is no exaggeration to say that this initiative has just begun. With IBM, we hope to develop it into a standard in Japan and globally.”
5 min read – Learn how Kubernetes observability works, and how organizations can use it to optimize cloud-native IT architectures.
10 min read – The General Data Protection Regulation (GDPR), the European Union’s landmark data privacy law, took effect in 2018. Yet many organizations still struggle to meet compliance requirements, and EU data protection authorities do not hesitate to hand out penalties. Even the world’s biggest businesses are not free from GDPR woes. Irish regulators hit Meta with a EUR 1.2 billion fine in 2023. Italian authorities are investigating OpenAI for suspected violations, even going so far as to ban ChatGPT briefly. Many businesses…
4 min read – Breach and Attack Simulation (BAS) is an automated and continuous software-based approach to offensive security. Similar to other forms of security validation such as red teaming and penetration testing, BAS complements more traditional security tools by simulating cyberattacks to test security controls and provide actionable insights. Like a red team exercise, breach and attack simulations use the real-world attack tactics, techniques, and procedures (TTPs) employed by hackers to proactively identify and mitigate security vulnerabilities before they can be exploited by…
4 min read – You’re a network administrator going about your normal business. Suddenly, you’re seeing a huge spike in inbound traffic to your website, your application or your web service. You immediately shift resources around to cope with the changing pattern, using automated traffic steering to shed load away from overburdened servers. After the immediate danger has passed, your boss asks: what just happened? Is it really a DDoS attack? It’s tempting to raise a false alarm in these situations. Distributed denial of…

More Stories
Digital Coercion: How Inaccessible Design Strips Financial Privacy
The Need to Reimagine the WSIS Forum
How Local Peering Is Strengthening Africa’s Internet