What DNS servers are and what their role is is is now clear: they deal with resolving domain names allowing the browser to obtain the public IP address corresponding to the mnemonic address typed by the user in the URL bar (example: www.google.it).
In Google DNS articles, here’s how they work and why they are useful and DNS Server 126.96.36.199: Cloudflare launches the new service that focuses on privacy we’ve seen what DNS are and when it’s useful to replace the DNS resolver with another.
For years we have been talking about DNSSEC as a valid solution to put a stop to phishing attacks and certify in an indisputable way that the website you are visiting is just what you claim to be. Of course, digital certificates together with the use of HTTPS are an excellent solution to attest the identity of a website but in the past we have witnessed the issue of fake certificates (especially DV; see Switching from HTTP to HTTPS: the importance of SSL certificate).
DNSSEC (Domain Name System Security Extensions) is a set of specifications approved by IETF, an international, free body, composed of technicians, specialists and researchers interested in the technical and technological evolution of the Internet, which until now have not been universally embraced.
DNSSEC was created primarily to stem so-called cache poisoning attacks that aim to alter the cache content of DNS servers in order to provide altered responses to queries from client systems. We talked about it more than 8 years ago in the article On the main DNS servers begins the transition to DNSSEC and even before the discoveries of the researcher Dan Kaminsky.
Using DNSSEC, you can deal with cache poisoning and man-in-the-middle (MITM) attacks by verifying the integrity of requests and responses during the resolution of domain names.
Not all Top Level Domains (TLDs) support DNSSEC. The following, for example, are down compatible: .com, .be, .net, .eu, .fr, .pl, .re, .pm, .yt, .wf, .tf, .info, .li, .ch, .biz, .de, .sx, .org, .se, .nl, .in, .us, .at, .nu, .la, .ac, .cz, .me, .sh, .io, .uk, .co.uk, .me.uk, .org.uk, .paris, .club, .xyz, .wiki, .ink. Recently, the .it Registry has also activated the possibility of inserting and managing DS records.
Under Linux, to check if a TLD supports the use of DNSSEC specifications and, therefore, DS records, just type the following command (instead of it just type the TLD to be checked):
If no response is received, this means that the indicated TLD does not support the use of DS records and therefore does not include DNSSEC specifications.
The command can also be run from Windows 10 from the Linux: Linux bash in Windows: how, when and why to use it.
How DNSSEC works
DNSSEC relies on the use of asymmetric encryption and therefore uses a scheme that uses two keys: a private key and a public key.
When a user accesses a website, a request for domain name resolution is sent to the DNS server.
If the IP address match is not already known locally, then the system queries the DNS server set by the user (in the network interface settings or at the router/server DHCP modem level). If the requested DNS server does not know the IP corresponding to the domain name indicated, then the so-called recursion mechanism is activated: starting from the root, querying one of the root servers in the top-level domain, you obtain the server that manages it, then proceeding with a query in the second-level domain until you reach the authoritative server for the desired name.
In the case of DNSSEC, if DS records are available, a key is requested that allows the server to verify that the information received is identical to the record on the authoritative server for the domain name indicated.
If the recursive server determines that the address record was sent by the authoritative server and was not changed during the path, the domain name is resolved and the user can access the site (validation procedure).
On the other hand, if the record was changed or did not originate from the indicated source, the recursive server does not allow the browser to reach what is in fact considered a fraudulent address other than the official one.
Going to this page and entering the domain name of some website you can see how few are still using DNSSEC and DS records.
For example, by typing cloudflare.com you can obtain the public keys of the well-known U.S. provider.
For .it domain names, the Registry has recently updated the validation system of the DNS configuration adding the possibility to verify the presence of DS records. Italian and foreign providers are adapting in these weeks to offer their customers the possibility to generate the pair of cryptographic keys and compile the records DS side Register.