The Domain Name System (DNS) has no inherent security, and DNS servers at many organisations have been repeatedly compromised to enable a range of malicious activity, including cache poisoning, redirecting phone calls, man-in-the-middle attacks to steal passwords, re-routing email, denial of service attacks and more.
Domain Name System Security Extensions (DNSSEC) secure the DNS server hierarchy by digitally signing DNS records, so that the records a resolver receives can be verified to be the same as those that were sent.
DNS Server Security Requires Strong Key Security
DNSSEC essentially implements a public key infrastructure (PKI) to authenticate the DNS data exchanged between DNS servers. As a PKI, DNSSEC requires new procedures such as key generation, signing and key management. But for all its potential benefits, the intended gains of DNSSEC aren’t guaranteed, because the resource records introduced by DNSSEC are kept in an unencrypted file.
Organisations can only begin to realise DNSSEC’s benefits once the entire DNSSEC infrastructure is fully and comprehensively secured. To do so, they need the capability to:
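To make the signing and validation steps concrete, here is an added example (not part of the original page, and not the code of any DNSSEC implementation) in Go. A simplified zone signer signs an RRset in the canonical form of RFC 4034 section 6 with an ECDSA P-256 key, and a simplified resolver rebuilds that form from the answer it received and verifies the signature, so a record altered in transit fails validation. The RR type, the record values and the omission of TTL and label wire encoding are simplifications assumed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

type RR struct { // simplified resource record (TTL omitted), constructed for this example
	Name  string // owner name
	Type  uint16 // 1 = A
	RData []byte
}

// rrsetDigest hashes the RRset in the canonical form an RRSIG covers (RFC 4034 section 6): owner names
// lowercased, RRs sorted by RDATA, fixed fields big-endian, so signer and validator derive identical bytes.
func rrsetDigest(rrs []RR) []byte {
	sort.Slice(rrs, func(i, j int) bool { return bytes.Compare(rrs[i].RData, rrs[j].RData) < 0 }) // in place
	h := sha256.New()
	for _, rr := range rrs {
		h.Write(bytes.ToLower([]byte(rr.Name))) // label wire encoding omitted for brevity
		binary.Write(h, binary.BigEndian, []uint16{rr.Type, 1, uint16(len(rr.RData))}) // type, class IN, rdlength
		h.Write(rr.RData)
	}
	return h.Sum(nil)
}

// SignRRset is the zone signer's step: ECDSA P-256 over the digest (DNSSEC algorithm 13; ASN.1 signature here, an RRSIG carries raw r||s).
func SignRRset(key *ecdsa.PrivateKey, rrs []RR) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, rrsetDigest(rrs))
}

// ValidateRRset is the resolver's step: it rebuilds the digest from the received answer, so altered records fail to verify.
func ValidateRRset(pub *ecdsa.PublicKey, rrs []RR, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, rrsetDigest(rrs), sig)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // zone signing key
	rrs := []RR{{"WWW.Example.com.", 1, []byte{192, 0, 2, 2}}, {"www.example.com.", 1, []byte{192, 0, 2, 1}}}
	sig, _ := SignRRset(key, rrs)
	fmt.Println("genuine:", ValidateRRset(&key.PublicKey, rrs, sig)) // true
	rrs[0].RData = []byte{198, 51, 100, 9} // forged answer: one address replaced
	fmt.Println("tampered:", ValidateRRset(&key.PublicKey, rrs, sig)) // false
}
```

Because validation depends only on the zone's public key, the private signing key never has to leave the signer, which is why protecting that key (the point of the section that follows) is what the whole scheme rests on.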
- Secure digital signatures. DNS messages need to be digitally signed in order to ensure the validity of DNS services.
- Control access. Organisations need to ensure only authorised customers and internal staff can access sensitive applications and data.
- Maintain application integrity. All associated application code and processes need to be secured to ensure integrity and prohibit unauthorised application execution.
- Scale to accommodate high-volume processing. Since DNS updates are very frequent, DNSSEC infrastructures need to deliver the performance and scalability required to ensure timely processing at all times.