DNS was designed in the early 1980s, when security was not a goal of the Internet's core protocols. Without additional protections, an on-path (MITM) attacker can forge DNS responses and send users to a phishing site instead of yours. DNSSEC closes that hole by letting resolvers verify that the answers they receive are authentic, and at most DNS providers it is easy to turn on.
DNS by itself is not secure
Plain DNS has no built-in way to verify that a response came from the zone's legitimate nameservers or that it was not altered on the way back. This matters because every time a user wants to connect to your website, their resolver has to perform a DNS lookup to translate your domain name into an IP address. If the user is on an untrusted network, such as coffee-shop Wi-Fi, an attacker who can see or race the lookup can spoof the reply. A spoofed A record for your domain is enough to redirect every visitor on that network to a malicious server.
Fortunately, there is a solution: DNSSEC (DNS Security Extensions) fixes this. Each set of records in your zone is signed with the zone's private key, and the matching public key is published in the zone as a DNSKEY record. A validating resolver checks the signature (the RRSIG record) against that public key; if an attacker substitutes a forged answer, the signature will not verify and the resolver rejects the response. Attackers do not hold the private key, so they cannot produce a signature over a fake record. Note that DNSSEC provides authenticity and integrity only: it does not encrypt queries, and it is the resolver rather than the browser that performs validation.
The chain of signatures goes all the way up to the root. When a resolver looks up example.com, it queries the DNS root zone (managed by IANA), then the .com zone, then the nameservers for your domain. The root zone's key-signing key is the trust anchor: its public key is published by IANA and configured in every validating resolver. The root zone contains a DS record for .com, which is a hash of the .com zone's key-signing key, signed with the root key. The .com zone in turn contains a signed DS record for example.com, which is a hash of your zone's key. At each step the resolver checks that the child's DNSKEY matches the DS record in the parent and that the records it was given carry a valid signature. Replacing any key or record along the way breaks a signature or a DS match, so the forgery is detected.
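To make the DS-to-DNSKEY link concrete, here is an added example (not code from the original article or from any DNS vendor) of the check a validating resolver performs when it decides whether to trust a child zone's key: it recomputes the key tag and the SHA-256 DS digest from the child's DNSKEY record and compares them with the DS record published in the parent, following RFC 4034. It uses only the Python standard library. The key bytes, the owner name `example.com.` and the helper names are constructed for illustration; a real DNSKEY carries a full public key rather than four placeholder bytes.

```python
"""Linking a parent's DS record to a child's DNSKEY (RFC 4034).

Added example, not from the original article. The DNSKEY material below is
CONSTRUCTED for illustration and is not a real zone key.
"""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags (257 = key-signing key, 256 = zone-signing key),
    protocol (always 3), algorithm number, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): a 16-bit checksum over the RDATA used to
    pick the right DNSKEY out of a set. It is a selector, not a security check."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (SHA-256) = SHA-256(owner name in wire form || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes) -> dict:
    """Build the DS record the parent zone publishes for this child DNSKEY."""
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": 2,
        "digest": ds_digest(owner, rdata).hex().upper(),
    }


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """What a validator checks before trusting a child's DNSKEY: the parent's DS
    must agree on key tag, algorithm and digest. A substituted or modified key,
    or the same key claimed under a different owner name, fails this check."""
    if ds["digest_type"] != 2:
        return False  # only SHA-256 (digest type 2) is implemented in this example
    return (
        ds["key_tag"] == key_tag(rdata)
        and ds["algorithm"] == rdata[3]
        and ds["digest"].upper() == ds_digest(owner, rdata).hex().upper()
    )


# Constructed demo key-signing key: algorithm 13 (ECDSA P-256/SHA-256) with a
# 4-byte placeholder where a real 64-byte public key would be.
DEMO_OWNER = "example.com."
DEMO_KSK = dnskey_rdata(flags=257, protocol=3, algorithm=13, pubkey=b"\x01\x02\x03\x04")

if __name__ == "__main__":
    ds = make_ds(DEMO_OWNER, DEMO_KSK)
    print("DS the parent would publish:", ds)
    print("genuine key accepted:", ds_matches_dnskey(ds, DEMO_OWNER, DEMO_KSK))
    # An attacker who swaps in their own key cannot make it match the parent's DS.
    forged = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x05")
    print("substituted key accepted:", ds_matches_dnskey(ds, DEMO_OWNER, forged))
```

The digest binds the owner name as well as the key bytes, which is why the same DNSKEY presented under another name also fails. Verifying the RRSIG over the DNSKEY set with the public key, and the RRSIGs over the A records with the zone-signing key, is the remaining step a resolver performs and needs a real signature algorithm, which this example leaves out.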
DNS over HTTPS (DoH) is sometimes presented as making DNSSEC unnecessary, but the two solve different problems. DoH encrypts the hop between your device and the resolver, which stops someone on the coffee-shop network from reading or tampering with your queries and prevents ISPs from watching your browsing history (which is why some ISPs, Comcast among them, have pushed against it). It does nothing to authenticate the data itself: a compromised or dishonest resolver can still hand back forged records, and the resolver's own lookups toward authoritative servers are not protected by DoH. DNSSEC is what lets the resolver detect forged data wherever it enters. At the time of writing DoH is an optional feature in Chrome and Firefox, with operating-system support announced for Windows, so you want both: DoH on the client side and DNSSEC on your zone.
How to activate DNSSEC
If you are running a website, especially one that handles user data, you will want to enable DNSSEC to close off DNS spoofing as an attack vector. The main caveat is operational: once the DS record is published in the parent zone, an expired signature or a change of DNS provider without updating the DS record will make your domain unresolvable for validating resolvers, so treat the DS record as part of any DNS migration. Beyond that there is no downside, unless your DNS provider only offers DNSSEC as a "premium" feature, as GoDaddy does. In that case we recommend switching to a provider such as Google Domains, which does not charge extra for basic security. You can read our user guide here, or learn more about transferring your domain.
If you are using Google Domains, the setup is literally a single checkbox, found in the domain console under "DNS" in the sidebar: tick "Enable DNSSEC". It takes a few hours to sign the zone and get the DS record published in the parent zone. Google Domains also supports DNS over HTTPS on its resolvers, so users who have DoH enabled get an encrypted query path on top of the signed records.
For Namecheap, this option is also just a toggle under “Advanced DNS” in the domain settings, and is completely free:
If you are using AWS Route 53, be aware that for years it did not support DNSSEC at all. The reason given was the elastic DNS features that make it attractive in the first place: alias records, DNS-level load balancing, health checks and latency-based routing all produce answers that change too often to be pre-signed by a conventional signer. Since December 2020 Route 53 does offer DNSSEC signing for hosted zones, with the key-signing key held in AWS KMS; after enabling it you still have to publish the resulting DS record at your registrar. Keep the two roles of Route 53 separate in your head: Route 53 as a registrar can hold the DS record for a domain whose zone is hosted elsewhere with DNSSEC enabled, while Route 53 as the DNS hosting service has to do the signing itself for the chain of trust to be complete. Whichever provider you use, confirm the result once it has propagated by checking that the parent zone publishes a DS record for your domain and that a validating resolver returns your records with the AD (authenticated data) flag set.