DNS was designed over 30 years ago, back when security was not a primary focus of the internet. Without additional protection, it is possible for MITM attackers to falsify records and lead users to phishing sites. DNSSEC puts a stop to it, and it's easy to turn on.
DNS by itself is not secure
The DNS system does not contain any built-in method to verify that the response to a request was not forged, or that any other part of the process was not tampered with by an attacker. This is a problem, because every user who wants to connect to your site needs to do a DNS lookup to translate your domain name into a usable IP address. If the user connects from an insecure place, such as a coffee shop, it is possible for malicious attackers to sit in the middle and falsify DNS records. This attack can allow them to redirect users to a malicious page by changing the IP address in the A record.
Fortunately, there is a solution: DNSSEC, also known as DNS Security Extensions, solves these problems. It secures DNS lookups by signing your DNS records with public keys. If DNSSEC is enabled and the user gets back a forged response, their browser can detect it. The attackers do not have the private key used to sign the legitimate records and can no longer pass off a forgery.
DNSSEC's chain of signed keys runs all the way down. When you connect to example.com, your browser first connects to the DNS root zone, managed by IANA, then to the top-level domain directory (.com, for example) and then to the name servers for your domain. When you connect to the DNS root zone, your browser will check the root signing key managed by IANA to verify that it is correct, then the .com directory's signing key (signed by the root zone), then the signing key for your site, which is signed by the .com directory and cannot be forged.
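A quick way to confirm that this chain actually held for a lookup is to run `dig +dnssec A example.com` against a validating resolver and look at the answer's flags. The script below is an added example, not part of the original article: it classifies captured dig output (constructed samples embedded) as secure, insecure or bogus, using the `ad` flag, the presence of RRSIG records and the response status.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): classify a captured
# `dig +dnssec` answer as secure / insecure / bogus. A validating
# resolver sets the "ad" (Authenticated Data) flag only after it has
# verified the chain root -> TLD -> zone; a record it cannot verify
# comes back as SERVFAIL rather than as data.

# Constructed sample, modelled on `dig +dnssec A example.com` against
# a validating resolver for a signed zone.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.  3600 IN A     192.0.2.10
example.com.  3600 IN RRSIG A 13 2 3600 20300101000000 20250101000000 12345 example.com. c29tZXNpZw=='

# Constructed sample for a zone with no DNSSEC: answered, but no "ad".
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.net.  3600 IN A     192.0.2.20'

# Constructed sample of a validating resolver refusing a record whose
# signature did not check out (a tampered answer looks like this).
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34567
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# dnssec_status "<dig output>" -> prints secure, insecure or bogus
dnssec_status() {
  out=$1
  status=$(printf '%s\n' "$out" | sed -n 's/^.*status: \([A-Z]*\),.*$/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*$/\1/p' | head -n 1)
  rrsigs=$(printf '%s\n' "$out" | grep -c '[[:space:]]IN[[:space:]][[:space:]]*RRSIG[[:space:]]' || true)
  if [ "$status" = "SERVFAIL" ]; then
    echo bogus      # resolver would not hand back unverifiable data
  elif echo " $flags " | grep -q ' ad ' && [ "$rrsigs" -gt 0 ]; then
    echo secure     # chain verified upstream and signatures present
  else
    echo insecure   # plain answer, nothing authenticated
  fi
}

# Stand-alone run: show the verdict for each constructed sample.
for name in SAMPLE_VALIDATED SAMPLE_UNSIGNED SAMPLE_BOGUS; do
  eval "sample=\$$name"
  printf '%s: %s\n' "$name" "$(dnssec_status "$sample")"
done
```

Note that SERVFAIL can also come from an ordinary server fault; the difference shows when the same query succeeds with `+cd` (checking disabled), which tells the resolver to skip validation.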
It is worth noting that in the near future this will not be as much of a problem. DNS is moving to HTTPS (DNS over HTTPS), which will secure it against all types of MITM attacks, make DNSSEC unnecessary and also prevent ISPs from spying on your browsing history, which explains why Comcast is working against it. As it stands, though, it is an optional feature in Chrome and Firefox (with operating system support coming soon in Windows), so you still want to enable DNSSEC in the meantime.
How to enable DNSSEC
If you run a website, especially one that handles user data, you want to enable DNSSEC to close off this DNS attack vector. There is no downside to it, unless your DNS provider only offers it as a "premium" feature, as GoDaddy does. In that case, we recommend that you move to a real DNS provider, such as Google Domains, which does not nickel-and-dime you for basic security. You can read our guide to using it, or read more about transferring your domain.
If you use Google Domains, setup is literally just a button, located in the domain console under "DNS" in the sidebar. Select "Enable DNSSEC." It takes a few hours to complete and sign all the necessary keys. Google Domains also fully supports DNS over HTTPS, so users who have it enabled will be completely secure.
For Namecheap, this option is just a switch under "Advanced DNS" in the domain settings and is completely free.
Unfortunately, AWS Route 53 does not support DNSSEC. This is a necessary trade-off for the dynamic DNS features that make it useful in the first place: features such as Alias records, DNS load balancing, health checks and latency-based routing. Because Route 53 cannot reasonably re-sign these records every time they change, DNSSEC is not possible. However, if you use your own name servers or another DNS provider, it is still possible to enable DNSSEC for domains registered through Route 53, just not for domains that use Route 53 as their DNS service.