What is DNS?
Computers locate each other by IP addresses: every website sits behind an IP address that must be addressed in order to reach it. Remembering the IP addresses of the countless websites that exist is practically impossible, so we use names instead, for example google.com or yahoo.com. DNS, the Domain Name System, is the service that sits between the client and the internet and translates between those human-readable names, known as host names, and the numeric IP addresses machines use. Today it is almost impossible to use the internet without DNS.
Why is the DNS so vital?
The DNS plays a critical role in supporting the Internet infrastructure by providing a distributed and foolproof mechanism that resolves Internet host names into IP addresses and IP addresses back into host names. The DNS also supports other Internet directory-like lookup capabilities to retrieve information such as DNS name servers, canonical names, and mail exchangers.
Are there any limitations?
Insecure underlying protocols and the lack of authentication and integrity checking of the information within the DNS may threaten the proper functioning of the DNS and ultimately the client. In addition, many security weaknesses surround IP and the protocols carried over IP, and the DNS is not immune to them. The threats that surround the DNS are due in part to the lack of authenticity and integrity checking of the data held within the DNS, and in part to other protocols that use host names as an access control mechanism.
What exactly are the threats to a Domain Name System?
DNS is designed to be a public database: restricting access to information within the DNS name space is purposely not part of the protocol. False information within the DNS can therefore lead to unexpected and potentially dangerous exposures. Several problems may arise, including cache poisoning, client flooding, dynamic update vulnerabilities, information leakage, and compromise of the DNS server's authoritative database.
How can this be resolved?
To address these threats, the IETF (Internet Engineering Task Force) added security extensions to the DNS, collectively known as DNSSEC, which provide authentication and integrity to the DNS through cryptographic signatures generated with public-key cryptography. Security-aware servers, resolvers, and applications can then rely on this technology to ensure that the information obtained from a security-aware DNS server is authentic.
How would the DNSSEC do this?
DNSSEC provides three services: Key Distribution, which allows the public key of a DNS name to be retrieved so that the authenticity of the DNS zone data can be verified; Data Origin Authentication, which addresses cache poisoning by signing the zone data; and DNS Transaction and Request Authentication, which authenticates DNS requests and DNS message headers, guaranteeing that the answer is a response to the original query and that it came from the server the query was intended for.
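The key distribution step relies on the parent zone publishing a DS record that commits to the child zone's DNSKEY. The following is an added example, not code from the original page: it derives the DS record (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4034 section 5) from a DNSKEY and checks it against the DS a parent would publish. The owner name and the 64-byte public key blob are constructed sample values.

```python
"""DNSSEC chain-of-trust check: derive a DS record from a child zone's DNSKEY
(RFC 4034 section 5 and Appendix B) and compare it with the DS the parent zone
publishes. All names and keys below are constructed sample values."""
import base64
import hashlib
import struct

DS_SHA256 = 2  # DS digest type 2 = SHA-256 (RFC 4509)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, algorithm: int, pubkey: bytes) -> dict:
    """Derive the DS record a parent would publish for this DNSKEY (digest type 2)."""
    rdata = dnskey_rdata(flags, 3, algorithm, pubkey)  # protocol is always 3 for DNSSEC
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": DS_SHA256, "digest": digest}


def ds_matches(parent_ds: dict, owner: str, flags: int, algorithm: int, pubkey: bytes) -> bool:
    """True iff the parent's DS commits to exactly this child DNSKEY."""
    if parent_ds.get("digest_type") != DS_SHA256:
        return False  # only SHA-256 DS records are handled in this example
    return make_ds(owner, flags, algorithm, pubkey) == parent_ds


if __name__ == "__main__":
    # Constructed KSK (flags 257 = zone key + SEP, algorithm 13) with a dummy 64-byte key blob.
    key = base64.b64decode(base64.b64encode(bytes(range(64))))
    ds = make_ds("example.", 257, 13, key)
    print("DS record:", ds)
    print("valid chain:", ds_matches(ds, "EXAMPLE.", 257, 13, key))                    # True
    print("tampered key:", ds_matches(ds, "example.", 257, 13, key[:-1] + b"\x00"))  # False
```

A validating resolver performs this same comparison at every delegation from the root down before trusting the child's signatures.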
Done, what next?
Security-aware clients also have added responsibilities compared with their non-secure counterparts. These added responsibilities come in the form of knowing how to process the DNSSEC resource records (RRs).
With all of this in place, the internet is back to safe and seamless surfing!