DNS security Archives - ClouDNS Blog
https://www.cloudns.net/blog/tag/dns-security/
Articles about DNS Hosting and Cloud Technologies (feed updated Fri, 01 Nov 2024 12:04:52 +0000)

DNSSEC, the DNS Security extension
https://www.cloudns.net/blog/dnssec-security-extension-dns/
Thu, 19 Sep 2024 12:08:23 +0000

The Domain Name System Security Extension (DNSSEC) is a powerful tool designed to protect both you and your clients from DNS spoofing attacks. It adds an additional layer of verification and ensures that your DNS queries are not intercepted by malicious actors and redirected to fraudulent IP addresses.

What is DNSSEC?

DNSSEC is a security extension that uses a combination of public and private keys to sign data and verify the authoritative server.

DNSSEC is a cryptographic solution for domain authentication. 

With DNSSEC, even if a recursive server has been poisoned, it won’t pass the forged records on to visitors and send them to a shady website where their personal data and bank information can be stolen. DNSSEC must be applied at each step, from the root zone down to the domain: the root zone publishes a DS record for .com, and the .com zone publishes one for example.com. DNSSEC is a chain of trust that must be verified at every point.

How DNS Works and the Role of DNSSEC

We have already talked about how DNS works. Briefly, it is a system that makes our lives easier by translating domain names into their IP addresses, so visitors don’t need to remember IP addresses and can just type the name of the domain. In the DNS, a user’s request goes through recursive servers until it reaches the root zone where the IP addresses are stored.

However, when DNS was created, security wasn’t a major concern. This left DNS vulnerable to attacks such as DNS spoofing (or cache poisoning), where a hacker manipulates DNS records to redirect users to malicious sites. DNSSEC was developed to secure the DNS without completely rebuilding its core architecture.

The Importance of DNS Security

DNS security should not be neglected, especially when we think about how many people connect their devices to unsecured public Wi-Fi networks. Their DNS traffic could reach a poisoned DNS resolver with modified DNS records. A modified DNS record could lead to a look-alike or identical site built to harvest the person’s personal data, including bank data. The victim won’t even notice there was a problem until it is too late, all thanks to the weak DNS security that a non-DNSSEC setup offers by default.

When you apply DNSSEC to your domain, users on public or private Wi-Fi networks will be protected from such scams. Their web browser will recognize a DNS record that is not correctly signed with DNSSEC and drop it.

DNSSEC provides cryptographic proof that DNS records are original and have not been manipulated, closing this flaw in DNS.

How does DNSSEC work?

DNSSEC works by adding digital signatures to DNS records using public-key cryptography. Here’s a simplified breakdown of how it works:

  1. Public and Private Keys: DNSSEC uses a pair of cryptographic keys – one public and one private. The private key is used to generate digital signatures for DNS data, and the public key is used by DNS resolvers to verify that the signatures are valid.
  2. Signing DNS Records: When DNSSEC is enabled for a domain, its DNS records are digitally signed using the domain’s private key. This means that if anyone tries to tamper with the records, the signature will no longer match, and the change can be detected.
  3. Chain of Trust: DNSSEC uses a hierarchical trust model. At the top of this hierarchy is the DNS root zone, which is managed by trusted organizations. Each level of the DNS hierarchy (from the root to TLDs like .com, down to individual domains) is responsible for signing the DS record that vouches for the keys at the next level down. For example, if you own a domain like “example.com”, your domain’s keys are verified via the “.com” zone, which in turn is verified via the root zone.
  4. Resolvers and Validation: When a DNS resolver queries a DNSSEC-enabled domain, it not only receives the usual DNS data (such as the IP address) but also the associated digital signatures. The resolver then uses the public key associated with the domain to verify the signature. If the signature is valid, the resolver can be confident that the DNS data hasn’t been modified.

Key Components of DNSSEC

There are a few critical terms and components to understand when discussing DNSSEC:

  1. DNS Record Types: DNSSEC adds several new DNS record types to achieve signature validation.
    • RRSIG: The digital signature over a particular set of DNS records.
    • DNSKEY: This record contains the public key used to verify RRSIGs.
    • DS Record: A delegation signer record that authenticates the link between a domain’s DNS zone and its parent zone. It contains a hash of the child’s DNSKEY record, which allows resolvers to verify the authenticity of DNS responses and the integrity of the domain’s DNS data.
    • NSEC/NSEC3: A pointer to the next secure record name in the zone, which lets a resolver verify that a name or record type really does not exist (authenticated denial of existence).
  2. Resource Record sets (RRsets): A group of records with the same name and type, such as all the A, AAAA, or MX records of a name. Signing whole RRsets avoids the complication of verifying single records.
  3. Zone-Signing Keys (ZSK): These keys are used by the zone operator to sign the individual RRsets within the zone. The private ZSK signs the RRsets, and the signatures are stored as RRSIG records. The public ZSK is published as a DNSKEY record so that resolvers can validate these signatures.
  4. Key-Signing Keys (KSK): The KSK is used to sign the DNSKEY RRset, which includes the public ZSK. The private KSK signs both the KSK and the ZSK, ensuring trust in the zone’s cryptographic keys.
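
To make the DS/DNSKEY relationship from the list above concrete, here is an added worked example (not code from the original post or from ClouDNS) that computes, in Python, the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4) that a parent zone publishes for a child’s DNSKEY, and then shows that any change to the child’s key no longer matches the DS. The owner name and the public-key bytes are constructed placeholders, not a real zone’s key; the arithmetic itself follows the RFC.

```python
"""Key tag and DS digest for a DNSKEY record (RFC 4034).

Added illustration, not ClouDNS code. The owner name and public-key bytes
below are constructed placeholders; the key tag and digest arithmetic is
the real one a parent zone and a validating resolver use.
"""
import base64
import hashlib
import struct

# Constructed sample child key: flags 257 = zone key + SEP bit (a KSK),
# protocol 3 (always, for DNSSEC), algorithm 13 (ECDSA P-256 / SHA-256).
# The 64 key bytes are a placeholder, not a real public key.
SAMPLE_OWNER = "Example.COM."
SAMPLE_FLAGS = 257
SAMPLE_PROTOCOL = 3
SAMPLE_ALGORITHM = 13
SAMPLE_PUBKEY = bytes(range(1, 65))


def wire_name(owner: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each prefixed by its length, ending in a zero byte."""
    labels = [lab for lab in owner.lower().rstrip(".").split(".") if lab]
    encoded = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return encoded + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): a 16-bit checksum over the RDATA that a
    resolver uses to pick the right DNSKEY out of the zone's DNSKEY RRset."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest with digest type 2 (SHA-256):
    SHA-256(canonical owner name || DNSKEY RDATA), as uppercase hex."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> dict:
    """The DS record fields the parent zone publishes for this child DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": ds_digest(owner, rdata)}


def ds_matches_dnskey(ds: dict, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey: bytes) -> bool:
    """The link check a validating resolver makes while walking the chain of
    trust: does the parent's DS commit to this DNSKEY? A change to the key
    bytes, flags or algorithm changes the digest, so the link fails."""
    return make_ds(owner, flags, protocol, algorithm, pubkey) == ds


def dnskey_presentation(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> str:
    """Zone-file form of the DNSKEY RDATA (key in Base64)."""
    return f"{flags} {protocol} {algorithm} {base64.b64encode(pubkey).decode('ascii')}"


if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    print("example.com. IN DNSKEY", dnskey_presentation(SAMPLE_FLAGS, SAMPLE_PROTOCOL,
                                                        SAMPLE_ALGORITHM, SAMPLE_PUBKEY))
    print("example.com. IN DS", ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"])
    # Flip one bit of the key: the parent's DS no longer vouches for it.
    tampered = SAMPLE_PUBKEY[:-1] + bytes([SAMPLE_PUBKEY[-1] ^ 0x01])
    print("tampered key accepted?", ds_matches_dnskey(ds, SAMPLE_OWNER, SAMPLE_FLAGS,
                                                     SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, tampered))
```

The same two functions, `key_tag` and `ds_digest`, are what you would use to check that the DS record your registrar published for your zone really matches the DNSKEY your DNS provider is serving; a mismatch there breaks the chain of trust and makes the whole zone fail validation.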

What does DNSSEC mean for the end users?

Enabling DNSSEC will guarantee that users access the right website, not a fake copy. It doesn’t remove the need for an SSL certificate for data encryption and further protection of users’ data, but it secures the otherwise unsecured DNS.

Who Needs DNSSEC?

The simple answer is anyone with a domain name! However, some types of websites benefit the most from this solution:

  • eCommerce Sites: Protecting customers’ financial information and preventing phishing attacks is critical. DNSSEC ensures that users connect to the correct server and are not misled by a fake site.
  • Financial Institutions: Online banking services are frequent targets of DNS attacks, especially due to the sensitive nature of their transactions. Implementing DNSSEC is crucial to protecting both customers and the institution from fraudulent activities.
  • Healthcare Organizations: With the rise of online health services and medical records, healthcare websites need to ensure the privacy and accuracy of patient data. DNSSEC adds a layer of protection essential for safeguarding personal health information.
  • Enterprises: Large corporations often have multiple domains, subdomains, and services hosted online. DNSSEC prevents DNS hijacking that could damage the company’s reputation and customer trust.

Even if you run a small blog or a simple business website, this service ensures your domain won’t be exploited for malicious purposes. It’s a valuable tool for maintaining the security and integrity of any online property.

ClouDNS and DNSSEC

ClouDNS offers DNSSEC for both Primary and Secondary DNS on each of our paid DNS plans. DNSSEC is compatible with non-DNSSEC resolvers too: if you enable it, the DNS will continue to function without problems even if the resolver(s) don’t support DNSSEC. Having a secure DNS is easy.

Benefits

Some of the key benefits include the following:

  • Improved Security: It ensures the authenticity and integrity of DNS responses by digitally signing DNS data, protecting against attacks like DNS spoofing and cache poisoning.
  • Data Integrity: It guarantees that the DNS data has not been tampered with during transmission, ensuring reliable communication.
  • Trust Establishment: DNSSEC creates a chain of trust from the root DNS servers down to individual domains, enhancing overall trust in internet services.
  • Prevents Redirection: It helps prevent users from being unknowingly redirected to malicious websites by ensuring the validity of DNS responses.

Cons of DNSSEC

As you could guess, there are some negatives too. Applying it correctly will create more records. Furthermore, it will increase the size of the DNS responses.
Still, we recommend the use of DNSSEC. It is not hard to apply, it provides extra security, and it will save you many problems with your clients.

Conclusion

DNSSEC plays a vital role in keeping the internet secure. As cyber threats like DNS spoofing, man-in-the-middle attacks, and cache poisoning are becoming common, protecting your DNS is essential. By using this service, you protect the integrity of your domain and ensure that your users can always reach your legitimate website. No matter the size of your online presence, whether it’s a personal blog or a large company, DNSSEC offers an important layer of protection that helps keep your domain secure and trustworthy.

DNS Spoofing (DNS poisoning)
https://www.cloudns.net/blog/dns-spoofing-dns-poisoning/
Tue, 20 Aug 2024 08:48:34 +0000

Cyber-threats are behind every corner. Recently we wrote about DDoS attacks, and how hackers are using your computer and many connected devices to create a network of bots who can bring down even the best-protected network. Today we will review another danger – DNS spoofing.

DNS spoofing a.k.a. DNS poisoning is so popular that you can find plenty of DNS spoofing tutorials using Kali distribution of Linux, but we are on the good side, and we won’t show you that. We will explain to you why there is such a threat and how you can protect yourself.

DNS Spoofing – Definition

In 2008, security researcher Dan Kaminsky unveiled a severe flaw in the DNS protocol that left many Internet domains susceptible to poisoning attacks. This disclosure shook the internet community, prompting immediate action and leading to widespread deployment of security patches. Recognizing past vulnerabilities allows us to be vigilant and learn from historical mistakes.

DNS spoofing occurs when the IP address (IPv4 or IPv6) of a domain name is masked and falsified: the information is replaced with a fake one, from a host that has no authority to provide it. It disturbs the normal process of DNS resolution. As a result, the user’s device connects to a bogus IP address, and all of the traffic is directed to a malicious website. The victim is unable to notice the forgery because DNS resolution is a process that happens behind the scenes.

The fake DNS data (DNS records) is placed in the recursive DNS server’s cache, which results in the name server answering with a false IP address. Such attacks take advantage of vulnerabilities in name servers and shift traffic towards fake web pages. Those fake websites are visually very similar to the real ones, and people don’t even notice the difference. In this process, personal data can be stolen.

As mentioned above, the recursive DNS server has an essential role in the DNS resolution process. Let’s explain a little more about it. Here are two functions you should be familiar with:

DNS caching

To save time and spread the load, the DNS has recursive DNS servers. They have a cache: locally saved information about domains that stays in them temporarily.

Forwarding

Even a caching name server does not necessarily perform the complete recursive lookup itself. Instead, it can forward some or all of the queries that are not satisfied from its cache to another caching name server, commonly referred to as a forwarder.

Methods of DNS Spoofing

There are various different methods of DNS Spoofing. Here are some of the most popular ones:

Spoofing the DNS responses

This method is a form of Man-in-the-Middle (MITM) attack. The attacker guesses the manner in which the resolver generates its query ID and sends a fake response carrying the IP address he or she wants.

In most cases, the cybercriminal pretends to be the victim’s DNS server and sends malicious responses. Such an attack is possible because DNS traffic runs over the User Datagram Protocol (UDP), which is connectionless, so the victim cannot confirm the authenticity of a DNS response.
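
The acceptance check that a resolver applies to an incoming UDP answer, as an added example (not code from the original post or from ClouDNS): it builds a query and a few answers from constructed bytes, entirely offline, and shows that a response with a wrong transaction ID or a different question section is discarded, while one that matches is used. This is the check described in RFC 5452; the closing comment in the demo also states its limit, which is why source-port randomization and DNSSEC are still needed. The domain names and the IP addresses (from the 203.0.113.0/24 documentation range) are constructed sample values.

```python
"""Resolver-side acceptance check for a UDP DNS answer (RFC 5452 style).

Added illustration, not ClouDNS code. All packets are built in memory from
constructed values; nothing is sent on the network.
"""
import random
import struct


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels, zero terminated."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Standard query: header (ID, RD=1, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_answer(txid: int, qname: str, ipv4: str, ttl: int = 300) -> bytes:
    """Response: QR=1 with RD/RA set, the question echoed, then one A record
    whose owner is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_question(msg: bytes):
    """Return (txid, qname, qtype, qclass) from the header and first question."""
    txid = struct.unpack("!H", msg[:2])[0]
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, ".".join(labels) + ".", qtype, qclass


def accept_answer(sent_query: bytes, received: bytes):
    """Decide whether `received` may be used as the answer to `sent_query`.
    A resolver requires: the QR bit set, the same 16-bit transaction ID, and
    a question section identical to the one it sent (names compared
    case-insensitively). Returns (accepted, reason)."""
    flags = struct.unpack("!H", received[2:4])[0]
    if not flags & 0x8000:
        return False, "not a response"
    q_id, q_name, q_type, q_class = parse_question(sent_query)
    r_id, r_name, r_type, r_class = parse_question(received)
    if r_id != q_id:
        return False, f"transaction ID mismatch (got {r_id}, expected {q_id})"
    if (r_name.lower(), r_type, r_class) != (q_name.lower(), q_type, q_class):
        return False, "question section does not match the query"
    return True, "accepted"


if __name__ == "__main__":
    # The resolver picks a random ID (and, in practice, a random source port).
    txid = random.getrandbits(16)
    query = build_query(txid, "example.com.")
    # Constructed sample answers; 203.0.113.0/24 is a documentation range.
    legit = build_answer(txid, "example.com.", "203.0.113.10")
    wrong_id = build_answer((txid + 1) & 0xFFFF, "example.com.", "203.0.113.99")
    wrong_q = build_answer(txid, "example.org.", "203.0.113.99")
    for label, pkt in [("matching", legit), ("wrong ID", wrong_id), ("wrong question", wrong_q)]:
        print(f"{label:15s} -> {accept_answer(query, pkt)}")
    # Limit of the check: an answer that happens to carry the right ID and
    # question passes, which is why port randomization and DNSSEC matter.
```

The 16-bit ID is the only secret a plain UDP exchange has, so this check alone gives an off-path forger a 1-in-65536 chance per attempt; randomizing the source port adds a second 16-bit value, and DNSSEC validation removes the guessing game entirely because a forged answer carries no valid signature.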

DNS cache poisoning

DNS cache poisoning, also known simply as “cache poisoning,” is another attack that cybercriminals commonly carry out. It involves placing a bogus IP address in the cache of the users’ devices, so that the poisoned device automatically leads the user to that bogus IP address. It works by sending wrong mapping information with a high TTL to the DNS servers; the information is kept for a long time, so the server keeps giving the fake answer for a long time.

Moreover, each further DNS request to the DNS servers with this cached, malicious information is going to direct to the bogus IP address. Such a threat is going to remain until the entry is pulled from the DNS cache. However, there is a security mechanism called DNSSEC which can be implemented to improve the protection of your DNS.

DNS Hijacking

DNS Hijacking is one of the most complex DNS attacks out there. The cybercriminal hijacks a legitimate DNS server and takes control of it. Then, he or she modifies the DNS information (DNS records). That way, every user who resolves that website’s name is sent to the falsified website. That is why encryption is especially important for the overall protection of your information.

Example of DNS Spoofing

Most commonly, attackers utilize premade tools to complete a DNS Spoofing attack. Typically, it is performed in any location with connected devices, yet the main targets are locations with free public Wi-Fi. They are usually poorly secured and misconfigured. That gives the cybercriminal a great opportunity to complete the malicious attempt. Therefore, it is best if you consider using only secure Wi-Fi networks.

Here is an example of DNS Spoofing and the basic steps that the cybercriminal completes:

  1. The attacker uses arpspoof to trick the target device of the user and point it to the attacker’s machine. So, when the user writes the domain name into the browser, it is going to be misguided. As a result, the cache of the user device is poisoned with forged data.
  2. The attacker creates a DNS server on a device under his or her control. That way, the attack proceeds by rewriting the DNS records for the target domains.
  3. The cybercriminal establishes a website that imitates a legitimate one on a local malicious device. Despite the fact it looks and feels legitimate, such a website is created for phishing purposes.
  4. When the victim tries to establish a connection and open such a website, it receives the IP address provided by the attacker’s DNS server. As a result, the victim opens the phishing website instead of the legitimate one.
  5. Lastly, the threat actors steal information from their victims on the network by tricking them, commonly by getting them to enter their sensitive information into the fake website pages.

The Impact of DNS Spoofing: Consequences and Risks

  • Misdirection to malicious websites: Users are directed to fraudulent sites designed to steal sensitive information, often indistinguishable from genuine ones.
  • Data theft and privacy breaches: Attackers can capture personal details and login credentials, leading to identity theft and potential financial repercussions.
  • Spread of malware: Victims are at risk of malware infections when they’re redirected to malicious sites, compromising their devices.
  • Phishing attacks: By mimicking genuine domains, attackers craft convincing phishing attempts, duping victims into sharing confidential data.
  • Loss of trust and reputation damage: For businesses, a DNS spoofing incident can result in significant reputational harm and a decline in customer trust.
  • Financial consequences: Both individuals and businesses might face direct financial losses, coupled with the costs of damage control and cybersecurity enhancements post-incident.

Common Vulnerabilities that Lead to DNS Spoofing Attacks

DNS spoofing attacks often exploit various vulnerabilities within the DNS infrastructure. One primary weakness is unsecured DNS servers, which become easy targets for attackers when left with default settings. The absence of DNSSEC (Domain Name System Security Extensions) is another critical vulnerability. Without it, DNS responses cannot be verified for authenticity, leaving them open to manipulation.

Weak or misconfigured DNS cache settings also pose significant risks, as they can be poisoned with malicious records, redirecting users to fraudulent websites. Insecure network configurations, especially on public Wi-Fi, further expose systems to man-in-the-middle attacks. Outdated software on DNS servers and related devices makes it easier for attackers to exploit known vulnerabilities.

The lack of monitoring allows spoofing attacks to go unnoticed, causing prolonged damage. Poorly configured firewalls, access controls, and insecure DNS forwarding also contribute to the risk. Finally, human errors and social engineering tactics often play a role in successful DNS spoofing attacks.

Addressing these vulnerabilities through regular updates, security audits, and robust configurations is essential to prevent DNS spoofing and secure DNS operations.

How to protect from DNS spoofing?

There are a few different things that you can do to protect yourself from those attacks:

  • DNS over HTTPS (DoH) and DNS over TLS (DoT): These protocols encrypt your DNS requests, ensuring that attackers can’t view or modify them in transit.
  • Use DNSSEC: Domain Name System Security Extensions checks data authenticity with digitally signed DNS records.
  • Internal DNS Servers: Establishing a secure internal DNS server setup can add an extra layer of protection. Carry out regular security audits to keep it sound.
  • Implement DNS filtering: It blocks malicious IPs or domains from connecting to your system.
  • Use IPsec: IPsec uses encryption and authentication to secure communication over IP networks, protecting the data flow between hosts and networks.
  • Detection mechanisms: You can use monitoring software to detect spoofing. Such a program will alert you if it detects suspicious traffic that could be DNS spoofing.
  • Always use a secure connection: Use encryption via SSL or TLS and verify the certificate of the website you want to visit.
  • Employee Training: Periodic training sessions can help employees recognize and report potential cyber threats, reducing the chance of a successful attack.

Conclusion

We should be cautious where we go on the internet and what emails we open. Even the slightest difference, like a missing SSL certificate, should immediately prompt us to double-check the website we want to visit.

DMARC, the solution for your phishing problems
https://www.cloudns.net/blog/dmarc-the-solution-for-your-phishing-spam-problems/
Thu, 21 Mar 2024 10:06:54 +0000

DMARC emerges as the solution for phishing attacks, which are a real danger for every business. They can severely damage the brand name, leading to less trust and to clients leaving. Attackers can spam or phish with emails that use your brand logo and look just like your emails; even you won’t see a difference between one of these fake emails and the original emails sent from your servers. We have already talked about SPF and how it verifies the outgoing mail server. There is also DKIM, a technology for signing emails. Domain-based Message Authentication, Reporting and Conformance (DMARC) uses both of them to take pre-defined actions: double protection for lowering the chances of phishing, and a reporting system for better management.

DMARC explained

DMARC is an authentication, policy and reporting protocol. It uses both SPF and DKIM and adds linkage to the “From” domain name, policies for handling incoming email in case of failure and, very importantly, reports for the sender. That way the sender can see if there is a problem and act on it.

The main purpose of DMARC is to protect against direct domain spoofing. If an attacker tries to send email from an unauthorized source, DMARC will detect it and block it.

Combined with BIMI, you will also give proper protection to your brand reputation by providing authentic messages.

Why SPF and DKIM are not enough?

SPF – Sender Policy Framework has the goal of validating the senders’ servers. The receiver checks the SPF record and compares the connecting IP address against the addresses authorized for the sender’s domain.

A problem with SPF is that the SPF record applies to the Return-Path domain, not to the domain shown in the “From” field in the user interface. DMARC fixes this flaw with alignment: a match between the visible “From” domain and the domain authenticated by SPF.

DKIM – DomainKeys Identified Mail. The owner can use a DKIM record to sign the emails it sends. The emails carry extra data (a cryptographic signature) in the header that can be verified through the DNS. This technology is not flawless either. Many companies don’t rotate the key, and that can be a big problem. This is another thing DMARC fixes: it provides rotating keys.

How does DMARC work?

As mentioned, DMARC uses policies. The administrator sets them, defining the email authentication practices and what the receiving email server should do if an email violates a policy.

When the receiving email server gets a new email, it makes a DNS lookup to fetch the DMARC record and then checks:

  • Whether the DKIM signature is valid.
  • Whether the sender’s IP address is one of those allowed by the sender’s SPF record.
  • Whether the header shows proper “domain alignment”.

With all of the above in consideration, the server applies the DMARC policy to accept, reject or flag the email.

In the end, the server will send a message to the sender with a report.

Benefits of DMARC

Here are some of the main advantages of implementing this advanced protocol.

For the sender:

  • Shows that the email uses authentication (SPF and DKIM).
  • Receives feedback about the sent email.
  • Defines a policy for failed email.

For the receiver:

  • Provides authentication for the incoming emails.
  • Evaluates SPF and DKIM.
  • Sees what the sender prefers (the policy).
  • Returns feedback to the sender.

DMARC Record example

DMARC records are simple text (TXT) DNS records. They look like this:

v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com

  • v – the version of the protocol. In the example it is version 1.
  • pct – percentage of the messages that are subject to filtering (pct=20).
  • ruf – URI for forensic reports (ruf=mailto:authfail@example.com).
  • rua – URI for aggregate reporting (rua=mailto:aggrep@example.com).
  • p – policy for the organizational domain (p=quarantine).
  • sp – policy for subdomains of the organizational domain (sp=reject).
  • adkim – alignment mode for DKIM (adkim=s).
  • aspf – alignment mode for SPF (aspf=r).
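
As an added example serving both the “How does DMARC work?” section and the record above (not code from the original post or from ClouDNS), this Python snippet parses a DMARC TXT record, fills in the defaults for the tags listed above, checks identifier alignment between the “From” domain and the SPF- and DKIM-authenticated domains, and returns the disposition a receiver would apply; it also lists settings that leave a domain exposed even though a record exists. The organizational-domain rule is simplified to the last two labels (an assumption; real receivers use the Public Suffix List), and the From/SPF/DKIM domains in the demo are constructed sample inputs.

```python
"""Parse a DMARC record and apply it to one message's authentication results.

Added illustration, not ClouDNS code. The organizational-domain rule here
keeps the last two labels, which is a simplification (real receivers use the
Public Suffix List); the message details in the demo are constructed.
"""

POLICIES = ("none", "quarantine", "reject")
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, require v and p, fill defaults.
    Unknown tags are kept so reporting URIs (rua, ruf) survive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must contain v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p must be one of none, quarantine, reject")
    for key, value in DEFAULTS.items():
        tags.setdefault(key, value)
    tags.setdefault("sp", tags["p"])       # subdomain policy inherits p
    tags["pct"] = int(tags["pct"])
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain that shares the organizational domain."""
    left = from_domain.lower().rstrip(".")
    right = auth_domain.lower().rstrip(".")
    return left == right if mode == "s" else org_domain(left) == org_domain(right)


def evaluate(policy: dict, from_domain: str, spf_pass_domain, dkim_pass_domain,
             is_subdomain: bool = False) -> dict:
    """DMARC passes when SPF or DKIM passed *and* that identifier aligns with
    the From domain. On failure the disposition is p (sp for subdomains).
    spf_pass_domain: domain SPF authenticated (MAIL FROM), or None if SPF failed.
    dkim_pass_domain: d= of a valid DKIM signature, or None if none verified."""
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, policy["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    applicable = policy["sp"] if is_subdomain else policy["p"]
    return {"dmarc": "pass" if passed else "fail",
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else applicable}


def weaknesses(policy: dict) -> list:
    """Settings that leave a domain exposed even though a record exists."""
    notes = []
    if policy["p"] == "none":
        notes.append("p=none only monitors; spoofed mail is still delivered")
    if policy["pct"] < 100:
        notes.append(f"pct={policy['pct']}: policy applied to only part of failing mail")
    if "rua" not in policy:
        notes.append("no rua: you will receive no aggregate reports")
    rank = {"none": 0, "quarantine": 1, "reject": 2}
    if rank.get(policy["sp"], 0) < rank[policy["p"]]:
        notes.append("sp weaker than p: subdomains are less protected")
    return notes


if __name__ == "__main__":
    # The record from the post, with its reporting address as given there.
    policy = parse_dmarc("v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com")
    # Constructed messages: a spoof that passed SPF only for the sender's own
    # unrelated domain, and a legitimate message DKIM-signed by a subdomain.
    print(evaluate(policy, "example.com", "other.example.net", None))
    print(evaluate(policy, "example.com", None, "mail.example.com"))
    print(weaknesses(parse_dmarc("v=DMARC1; p=none; pct=50")))
```

The first demo message shows why SPF alone is not enough: SPF genuinely passes for the domain in the Return-Path, but that domain does not align with the visible “From”, so DMARC fails and the record’s p=reject applies. The second passes under relaxed DKIM alignment (adkim=r, the default) because mail.example.com shares the organizational domain; with adkim=s it would fail.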

Why use DMARC?

DMARC is a protocol used to help prevent email fraud and phishing attacks. Here’s why it’s important and why you should use it:

  • Prevention of Email Spoofing: It helps prevent attackers from spoofing your domain, a common tactic in phishing attacks. By authenticating emails sent from your domain, DMARC ensures that only authorized senders can use your domain name.
  • Improved Email Deliverability: Implementing it can help improve your email deliverability by reducing the chances of your legitimate emails being flagged as spam or being rejected by email servers. When email receivers see that your domain is protected by DMARC, they are more likely to deliver your emails to the inbox.
  • Protection of Brand Reputation: Phishing attacks that use your domain can harm your organization’s reputation and trustworthiness. DMARC helps protect your brand reputation by preventing unauthorized use of your domain in phishing emails, thereby maintaining trust with your customers and partners.
  • Visibility and Control: DMARC provides visibility into email traffic sent from your domain through reporting mechanisms. You can monitor email authentication results and receive reports on email activity, including information about legitimate and fraudulent email senders. This allows you to take proactive measures to protect your domain and email infrastructure.

Conclusion

DMARC can significantly lower the number of fraudulent emails and spam. It is not 100% bulletproof, but it adds a lot of extra protection compared with the other two solutions, SPF and DKIM. The reporting functionality is a welcome plus as well.
