How DNSSEC protects your domain from DNS vulnerabilities
The Internet's Domain Name System is facing large-scale attacks. ICANN, the organisation in charge of the DNS infrastructure, is now urging all domain name owners to migrate to DNSSEC to avoid "ongoing and significant" risks. Fortunately, we not only support DNSSEC but also offer other security solutions that compliment it.
Domain name owners urged to migrate to DNSSEC
ICANN has just issued warning of “ongoing and significant risk to key parts of the DNS infrastructure.” A report of DNS attacks which appears on ICANN’s site indicates that malicious activity targeting DNS is far reaching, compromising government, telecommunications, and Internet infrastructure entities across the United States, Netherlands, and Middle East.
ICANN’s communication makes clear that threats to the DNS infrastructure are persistent. However, these threats are not new. We’ve previously reported on risks to DNS security but, in a nutshell, here's how they typically work:
- Users are exposed to criminal interference when a domain is not secured.
- DNS vulnerabilities allow cybercriminals to hijack the IP address lookup process.
- Hackers take control of a lookup and redirect users to a deceptive website.
- From here, hackers access users’ personal data: passwords, email, VPN credentials, bank account numbers, etc.
- And therein lies the problem with DNS, a system that was designed without much thought to security.
To avoid criminal interference stemming from DNS vulnerabilities, ICANN is warning domain name owners to switch to DNSSEC immediately.
DNSSEC, or Domain Name System Security Extensions, provides vastly improved DNS security. As ICANN states in its warning, “Although DNSSEC cannot solve all forms of attack against the DNS, when it is used, unauthorised modification to DNS information can be detected, and users are blocked from being misdirected.”
How DNSSEC works
DNSSEC validates the different directory services involved in a search: the root (the top level of the Internet directory), the TLD (.COM, .NET, etc.), and the domain name (Example.COM, Example.NET, etc.). This process of validation produces an authentication chain.
Each of these directory services is managed by a different entity. For example, the root is managed by ICANN but .COM is managed by the registry Versign. The DNSSEC validation process ensures that your look up is being directed to the right entity (as opposed to an imposter), thus producing the result you’re actually looking for. This validation process is called DNSSEC Signed.
Once a domain name has been DNSSEC Signed, it cannot be hijacked by a cybercriminal. A connection can no longer be intercepted and redirected to a fake site. Consequently, a user is no longer at risk of providing a hacker their personal details.
DNS security a top priority at EuroDNS
EuroDNS does, of course, support DNSSEC. But we also provide additional security tools and services, and follow strict industry standards to ensure every domain name registered with us remains secure. The following is a list of routine precautions we take with all of our domains:
- Ensure all system security patches have been reviewed and applied.
- Review log files for unauthorised access to systems, especially administrator access.
- Review internal controls over administrator (“root”) access.
- Verify integrity of every DNS record, and the change history of those records.
Our DNS platform is highly reliable, offering the following advantages:
- Distributed DNS servers that use Anycast*, one of the most reliable DNS options available.
- Large cloud-based infrastructure that protects against DDoS attack.
- DNSSEC protection against DNS spoofing, which you can enable directly from your domain management page
- Proprietary non-open source platform that is less vulnerable to online threats
*You’ll find more information on our blog about the distinct advantages of Anycast DNS.
Other domain security precautions to consider
We see it as our responsibility to protect your domain name from being abused. But there are still some precautions you should take on your own to ensure maximum protection. The following is a list of basic security measure we encourage all of our customers to take:
- Follow password management best practices with regards to complexity, length, the need to periodically change them, who you share them with, and never storing or transmitting them in clear text.
- Ensure that DNS zone records are DNSSEC signed and your DNS resolvers are performing DNSSEC validation.
- Ensure protection of end users/domain communication with an SSL certificate.
- Enable two-step verification on your EuroDNS account, especially for administrator access
- Ensure your email domain has a DMARC policy with SPF and/or DKIM, and that you enforce policies provided by other domains on your email system.
Questions about DNSSEC or domain name security?
Remember: our Customer Support team is standing by to answer your questions about DNSSEC and our DNS services, or address any concerns you may have about your domain name's security. We offer support in four languages via phone, email, or live chat.
Stay safe. ICANN has made it clear that DNS attacks are real and persistent. Take action today so your domain name isn't vulnerable to criminal interference.