What is DNS Security?

By S.A. Keel
Updated: Jan 26, 2024

The domain name system (DNS) security extensions (DNSSEC) are a means to protect the Internet and its users from attacks that may disable, or hinder access to, the essential naming services on the Internet. The security extensions allow the DNS servers to continue to provide their Internet protocol (IP) address translation functions, with the added provision that the DNS servers authenticate with one another by creating a series of trust relationships. Through the extensions, the data shared among the DNS servers also achieves a level of integrity that is normally difficult to achieve over the existing protocol by which the data is transferred.

Originally, the DNS was created as an unsecured, public distribution of names and their related IP addresses. As the Internet grew, however, a number of problems developed related to DNS security, privacy, and the integrity of the DNS data. With respect to privacy issues, the problem was handled early on by proper configuration of DNS servers. Still, it is possible for a DNS server to be subjected to a number of different types of attacks, such as distributed denial of service (DDoS) and buffer overflow attacks, which can affect any type of server. Specific to the DNS, though, is the issue of some outside source poisoning the data by introducing false information.

DNSSEC was developed by the Internet Engineering Task Force (IETF) and is detailed in several Request for Comments (RFC) documents, RFC 4033 through 4035. These documents describe DNS security as achievable through the use of public key authentication techniques. To reduce the processing load on DNS servers, only authentication techniques are used, not encryption.

The way DNSSEC works is through the creation of trust relationships among the different tiers of the DNS hierarchy. At the top level, the root domain of the DNS is established as the primary intermediary between the lower domains, such as .com, .org, and so forth. Sub-domains then look to the root domain, acting as what's called a trusted third party, to validate the credibility of the others so that they may share accurate DNS data with one another.

One issue that arises from the methods described in the RFCs is called zone enumeration: it becomes possible for an outside source to learn the identity of every named computer on a network. Some controversy developed around DNS security and the zone enumeration problem because, even though the DNS was not originally designed for privacy, various legal and government obligations require that the data remain private. RFC 5155 describes a means of introducing additional resource records into the DNS that may alleviate the problem, though not remove it entirely.
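The following is an added illustration, not code from the article, of why zone enumeration follows from the RFC 4033-4035 design and how the RFC 5155 records reduce it: a validating resolver proves that a name is absent with an NSEC record whose two fields are real neighbouring names from the zone, whereas the NSEC3 owner-name hashing defined in RFC 5155 (SHA-1, iterated with a salt, encoded in Base32 Extended Hex) publishes hashes in place of those names. The zone names and salt are constructed for the example.

```python
import base64
import hashlib

# Constructed sample zone (not from the article): apex plus three hosts.
ZONE = ["example.test.", "www.example.test.", "mail.example.test.", "ns1.example.test."]

def canonical_key(name):
    """Sort key for DNS canonical ordering (RFC 4034 s6.1): compare labels
    starting from the rightmost one, case-insensitively."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return tuple(reversed(labels))

def build_nsec_chain(names):
    """NSEC chain as (owner, next) pairs in canonical order; the last record
    points back to the apex, closing the loop."""
    ordered = sorted(set(names), key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]

def covering_nsec(chain, qname):
    """Record a validator needs to prove qname does not exist: the one whose
    owner sorts before qname and whose next sorts after it. Both fields are
    real zone names, which is what makes zone enumeration possible."""
    q = canonical_key(qname)
    if q in {canonical_key(owner) for owner, _ in chain}:
        return None  # the name exists, so no denial record applies
    for owner, nxt in chain:
        o, n = canonical_key(owner), canonical_key(nxt)
        if o < q < n or (n <= o and (q > o or q < n)):  # second case: wrap-around record
            return (owner, nxt)
    return None

def wire_name(name):
    """Owner name in canonical wire format: length-prefixed lowercase labels
    terminated by a zero-length label."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

# Standard Base32 alphabet -> Base32 Extended Hex alphabet (RFC 4648 s7), as NSEC3 uses.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt, iterations):
    """RFC 5155 s5: IH(0) = SHA1(wire_name || salt); IH(k) = SHA1(IH(k-1) || salt).
    The zone publishes these hashes as owner names instead of the real names."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()

if __name__ == "__main__":
    chain = build_nsec_chain(ZONE)
    print("NSEC denial for ftp.example.test.:", covering_nsec(chain, "ftp.example.test."))
    print("NSEC3 owner for www.example.test.:", nsec3_hash("www.example.test.", bytes.fromhex("aabbccdd"), 12))
```

The denial record returned for the absent name reveals two real hosts from the zone; the NSEC3 hash reveals only a salted, iterated digest, which is why RFC 5155 alleviates rather than eliminates the problem.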

Other issues with implementing DNS security revolve around compatibility with older systems. The implemented protocols must be universal and, therefore, understood by all computers, servers and clients alike, that are using the Internet. Since DNSSEC is implemented by way of software extensions to the DNS, however, some difficulty emerged in getting older systems properly updated in order to support the new methods. Still, the deployment of the DNSSEC methods began at the root level in late 2009 and early 2010, and many modern computer operating systems are equipped with the DNS security extensions.

