DNSSEC: Today's Challenge
The domain name system (DNS) is effectively the Internet’s address book; it enables website names to be matched to their corresponding registered IP addresses. But illicit alteration of web queries can point end users or services to rogue IP addresses and route them to illegitimate servers for the purpose of data theft. The result is even more insidious than a traditional phishing attack because users are automatically routed to bogus sites rather than being tricked by malicious emails and other messages. Because these threats can harm both customers and businesses, DNS security has gained increased attention. The Domain Name System Security Extensions (DNSSEC) have been created in response to this threat. DNSSEC is a mechanism that involves the use of digital signatures to enable servers to authenticate and verify the integrity of DNS responses to queries.
Like other credentialing and signing processes, DNSSEC operates as a ‘chain of trust’ that is anchored at a point of mutual trust so that all parties can rely on the information being secured and shared. In the case of DNSSEC, the trust anchor resides at the top-level domain within each geography or community (e.g., .com, .gov, .co.uk) and is rigorously secured. Internet service providers and enterprises that provide internal DNS services act as links within the chain of trust and must each assess the appropriate level of security as they deploy their own DNSSEC capabilities. Ultimately no organization wishes to be the highest point in the chain at which an attacker can successfully penetrate the system.
Risks Associated with DNSSEC
- Attackers who gain access to your DNS process can lure customers to a site that pretends to be yours, tricking them into providing private information.
- While it is possible to implement DNSSEC in software, attackers can gain access to signing keys and compromise the DNS query process.
DNSSEC: Thales e-Security Solutions
Products and services from Thales e-Security can help you deploy a high-assurance DNSSEC process that protects your business and your customers’ information while at the same time delivering the performance your business requires. nShield Hardware Security Modules (HSMs) enable top level domains (TLDs), registrars, registries, and enterprises to secure critically important signing processes used to validate the integrity of DNSSEC responses across the Internet, and protect the DNS from what are commonly referred to as “cache poisoning” and “man-in-the-middle” attacks. HSMs provide proven and auditable security advantages, enabling proper generation and storage for signing keys to assure the integrity of the DNSSEC validation process.
- Ensure integrity of the DNSSEC validation process with independently certified HSMs (FIPS 140-2 Level 3 and Common Criteria EAL4+).
- Maintain a robust tamper-resistant hardware boundary and a proven, auditable mechanism to protect valuable signing keys, even when archived.
- Enforce separation of duties through robust access controls to mitigate the threat of single “super users” and facilitate regulatory compliance.
- Achieve high availability and improved DNS server performance with unlimited key storage, secure backup and recovery, and powerful cryptographic acceleration.
Download the DNSSEC Solution Brief