ITS making improvements with DNS Security Extensions

ITS has begun testing DNS Security Extensions (DNSSEC) for use at U-M. If this testing does not present any significant issues, ITS will begin validating signatures at the end of January.

Due to the higher level of risk in signing our DNS records, ITS does not plan to start signing our DNS records until later in the year. To reduce the risk, ITS has begun work to create automation and monitoring prior to making this change. 

What is DNS?

The Domain Name System (DNS) is responsible for converting domain names like www.example.com into IP addresses like 192.0.2.123. The routers and switches that connect computers to networks and networks to each other use IP addresses. Humans may be good at remembering words, but machines work better with numbers.

DNS was originally built for efficiency and speed, when the internet was small and users trusted each other. Over the years, security flaws were discovered in DNS and, as with most systems, security improvements have been made over time. One of the vulnerabilities is that an attacker can look up a name and quickly send the wrong answer to the local DNS caching server before the right answer arrives.

The wrong answer is then held in the DNS cache and returned to other users that look up that same name, sending them to a malicious site. This is known as DNS spoofing or cache poisoning. There is no way for a recursive resolving DNS server or authoritative domain servers to know that they are getting bad information.

Security improvements

Over the years, various changes have been made to improve DNS security. A fairly recent set of improvements is the DNS Security Extensions (DNSSEC). DNSSEC is a set of specifications that extend the DNS protocol by adding cryptographic authentication for responses received from authoritative DNS servers. The goal of DNSSEC is to defend against techniques that hackers use to direct computers to rogue websites and servers.

DNSSEC uses a public/private key cryptographic system similar to the one used by HTTPS, except that DNSSEC only uses the keys to sign records, not to encrypt them. The source signs the DNS records and the receiver validates the signatures before accepting the answer.

In 2008, the US Federal government mandated that all Federally-owned DNS zones must deploy DNSSEC. Therefore, most of the .gov zones are now signed, but only about 2% of the domains are signed in the .com, .net, and .org top-level domains (TLDs).

Currently, many DNS resolvers are set to validate DNSSEC signatures. Most of the popular public DNS services like Google (8.8.8.8), OpenDNS, Cloudflare (1.1.1.1), etc. already do DNSSEC validation. Some Internet Service Providers like Comcast also do validation.
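One way to see whether a resolver validates signatures is to send it a query with the DNSSEC OK (DO) bit set and read the Authenticated Data (AD) flag in the reply header. The following is an added example, not ITS code; the function names and the sample replies are constructed for illustration.

```python
import socket
import struct

AD = 0x0020  # "Authenticated Data" header flag, set by a validating resolver

def build_query(name, qtype=1, txid=0x1234):
    """DNS query with RD set plus an EDNS0 OPT record whose DO bit asks for DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL field carries DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def classify(response, txid=0x1234):
    """Interpret the header of a resolver's reply to build_query()."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    if rcode == 2:
        # A validating resolver answers SERVFAIL when signatures do not verify
        # (SERVFAIL can also have unrelated causes, so treat it as a prompt to investigate).
        return "servfail"
    if rcode != 0:
        return "error"
    # Without AD, either the zone is unsigned or the resolver does not validate.
    return "validated" if flags & AD else "unvalidated"

def ask(resolver_ip, name, timeout=3.0):
    """Send the query over UDP to a resolver and classify the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return classify(s.recv(4096))

# Constructed header-only replies (not captured traffic).
SAMPLES = {
    "QR+RD+RA+AD": struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1),
    "QR+RD+RA": struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1),
    "QR+RD+RA, RCODE=SERVFAIL": struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1),
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(f"{label}: {classify(reply)}")
```

Calling `ask()` with a resolver address and a name in a signed zone returns `validated` only when that resolver performed DNSSEC validation on the answer.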