Nutshell

Thoughts come and go, words stay eternal

08 Aug 2022

[network] DNS: should I use DNSSEC?

Abstract

  1. WARNING: DNSSEC only works as expected when the resolver validates signatures and both the zone and its upstream nameservers support DNSSEC
  2. WARNING: fewer than 50% of the top-1m websites/domains enable DNSSEC; most zones owned by Google, Amazon and Microsoft do not support it
  3. DNSSEC can only assure that the data a resolver fetches was published by the zone's owner, and only if the resolver verifies the signatures
  4. DNSSEC can detect (not prevent) DNS hijacking, and only when the resolver or client verifies the signatures
  5. As owner/server: assess
    1. only sign your zone when you are sure you need it and cannot get the same protection another way; base the decision on how many of your customers' ISP and public resolvers actually validate (see the APNIC "Use of DNSSEC Validation" report in the references)
    2. use an end-to-end encrypted protocol (such as TLS) to protect the client-server connection rather than relying on the client having resolved the right server address, which is all DNSSEC can ensure
    3. use DNS-over-HTTPS or DNS-over-QUIC to a trusted resolver to prevent hijacking on the client's network path, if you control how the client resolves names (for example in a desktop or mobile app)
  6. As resolver: recommended but not mandatory
    1. recursive resolver: recommended; add extra checks, such as IP reputation scoring of the answers, to detect DNS hijacking
    2. forwarding resolver: not recommended; talk to the upstream resolver over an encrypted transport instead, and validate DNSSEC only for zones that you are sure fully support it and that are sensitive (banks, shops)

Introduction

DNSSEC strengthens authentication in DNS using digital signatures based on public key cryptography. With DNSSEC, it’s not DNS queries and responses themselves that are cryptographically signed, but rather DNS data itself is signed by the owner of the data.

What DNSSEC Provide:

  1. Data origin authentication
  2. Data integrity protection

How a Resolver Gets and Verifies a Zone's Public Key:

  1. it queries the zone for records of type DNSKEY
  2. the zone's DNSKEY RRset is signed with the zone's own key-signing key (KSK); the parent zone publishes a DS record (a hash of that KSK) and signs it with the parent's key, and so on up to the root, forming a chain of trust
  3. the root KSK is the trust anchor and is fetched out of band from IANA

How a Resolver Knows Whether a Zone Supports DNSSEC:

  1. a validating resolver learns it from the parent zone: a signed DS record means the child is signed, and a signed NSEC/NSEC3 proof that no DS exists means it is legitimately unsigned; a non-validating client gets no such signal and would have to keep a whitelist of DNSSEC-supporting zones (inflexible)
  2. rather than a new record type to advertise DNSSEC support (in the way the HTTPS record type advertises a service's parameters), the DS record in the parent already fills that role for validating resolvers; the gap is on the non-validating client side, not in the zone data
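The link a validating resolver checks at every step of the chain above is "does the parent's DS match one of the child's DNSKEYs?". The following Python is an added example written for this post (not the author's code): it implements the DS digest (RFC 4034 section 5.1.4) and key tag (RFC 4034 Appendix B) over a DNSKEY, and classifies a delegation as secure, bogus or insecure the way a validator would. The DNSKEY public-key bytes are constructed filler rather than a real key, so only the DS/DNSKEY link is shown, not the RRSIG signature check; the names and records are assumptions for the demonstration.

```python
"""Offline check of a DNSSEC delegation: does the parent's DS match the child's KSK?

Added example, not code from the original post. Key material is constructed filler.
"""
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str         # zone name, e.g. "example.com."
    flags: int         # 257 = KSK (zone key + SEP bits), 256 = ZSK
    protocol: int      # always 3 (RFC 4034)
    algorithm: int     # 13 = ECDSAP256SHA256, 8 = RSASHA256, ...
    public_key: bytes  # raw key material (base64-decoded from the zone file)

    def rdata(self) -> bytes:
        # DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | key
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: bytes


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed labels, root label."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            lab = label.encode("ascii")
            out += bytes([len(lab)]) + lab
    return out + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA (not a security check,
    just the identifier the DS and RRSIG use to pick a key out of the RRset)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS the parent should publish: hash(canonical owner name || DNSKEY RDATA)."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented in this example")
    digest = hashlib.sha256(canonical_name(key.owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def classify_delegation(parent_ds: list[DS], child_keys: list[DNSKEY]) -> str:
    """What a validating resolver concludes about a child zone from the parent's DS set.

    'insecure': no DS in the parent, so the child is unsigned and answers are accepted
                without signatures (a real validator first verifies a signed NSEC/NSEC3
                denial that the DS is truly absent, which is what stops an attacker from
                simply stripping DNSSEC off a signed zone).
    'secure':   some DS matches a child zone key, so the child's DNSKEY RRset is trusted.
    'bogus':    DS records exist but none matches, so the child's keys are rejected.
    """
    if not parent_ds:
        return "insecure"
    for ds in parent_ds:
        for key in child_keys:
            is_zone_key = bool(key.flags & 0x0100)
            if is_zone_key and key.algorithm == ds.algorithm and key_tag(key) == ds.key_tag:
                if ds_from_dnskey(key, ds.digest_type).digest == ds.digest:
                    return "secure"
    return "bogus"


# Constructed sample data (not real keys): a child KSK, the DS its parent publishes,
# and a tampered key an attacker might substitute in a hijacked DNSKEY answer.
CHILD_KSK = DNSKEY("example.com.", 257, 3, 13, bytes(range(64)))  # P-256 keys are 64 bytes
PARENT_DS = [ds_from_dnskey(CHILD_KSK)]
TAMPERED_KSK = DNSKEY("example.com.", 257, 3, 13, bytes([0xFF]) + bytes(range(1, 64)))

if __name__ == "__main__":
    print("genuine key  ->", classify_delegation(PARENT_DS, [CHILD_KSK]))
    print("tampered key ->", classify_delegation(PARENT_DS, [TAMPERED_KSK]))
    print("no DS        ->", classify_delegation([], [TAMPERED_KSK]))
```

The same DS computation is the check to run after a key rollover: if the DS you published at the registrar does not match the KSK currently in your DNSKEY RRset, every validating resolver returns SERVFAIL for your zone, which is the "complexity breeds fragility" failure mode discussed below.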

Disadvantages of DNSSEC:

  1. complexity breeds fragility: key rollovers, expired signatures and mismatched DS records all turn into outages
  2. a client that does not validate itself cannot tell whether a zone is signed, so an attacker who hijacks the path between the client and its resolver can strip the signatures and the AD bit and disable DNSSEC for that client
  3. not many zones or resolvers support DNSSEC (fewer than 50%)

Reference

  1. DNSSEC: What Is It and Why Is It Important?
  2. DNSSEC Report 2020-10 for Top 100 Banking Institutions
  3. TLD DNSSEC Report
  4. Online DNSSEC Analyzer tool
  5. Overview of DNSSEC
  6. DNSSEC Trust Anchor
  7. get-trust-anchor
  8. Alexa top-1m domain list (no longer updated)
  9. Umbrella top-1m domain list
  10. Umbrella Popularity List
  11. Disadvantages of DNSSEC
  12. Use of DNSSEC Validation for World (XA)
  13. How DNSSEC Works