The Domain Name System (DNS) is a distributed database, arranged hierarchically, containing records for domain names. Its job is to map domain names to IP addresses: when you type a domain name into a browser, DNS translates that name into an IP address.
Vulnerabilities have been discovered in DNS that allow an attacker to hijack the process of looking up a site on the Internet by its domain name, with the aim of taking control of the user's session. Users should therefore use DNSSEC (Domain Name System Security Extensions) for security.
Domain Name System Security Extensions (DNSSEC) is a technology for protecting users against malicious activities such as cache poisoning, pharming, and man-in-the-middle attacks. It adds digital signatures to a domain name's DNS records so that the authenticity of the source domain name can be verified. DNSSEC is a set of extensions to DNS that provides DNS clients (resolvers) with:
- Origin authentication of DNS data,
- Authenticated denial of existence,
- Data integrity.
DNSSEC uses digital signatures to build a chain of authority (a chain of trust). A validating resolver follows that chain to verify the source of a response and to check that the data returned matches the signed record held at the authoritative DNS server. If it cannot validate the source, it discards the response. This ensures that the user is connecting to the actual address for a domain name.
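The chain-of-trust walk described above, as an added example written for this page (it is not code from any DNS implementation). It models the pieces DNSSEC relies on with Go's standard library: a DNSKEY per zone (Ed25519, which DNSSEC supports as algorithm 15), an RRSIG over each record, and a DS record in the parent that binds the child's key into the chain. The zone names, the addresses and the single-key-per-zone simplification are constructed assumptions; real zones normally use a separate key-signing key and zone-signing key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone models a DNSSEC-signed zone. One key per zone is used for brevity (constructed
// assumption); deployed zones usually split this into a KSK and a ZSK.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey  // the DNSKEY a resolver fetches from this zone
	priv ed25519.PrivateKey // kept by the zone operator, never published
	rrs  map[string]string  // owner name -> record data, e.g. "www.example." -> "A 192.0.2.10"
	sigs map[string][]byte  // RRSIG: signature over the canonical form of a record
	ds   map[string][]byte  // DS: digest of a child zone's key, published by this (parent) zone
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv,
		rrs: map[string]string{}, sigs: map[string][]byte{}, ds: map[string][]byte{}}
}

// canonical is the byte string that actually gets signed: owner name and data together,
// so a signature cannot be lifted from one record and reused on another.
func canonical(owner string, rdata []byte) []byte {
	return append([]byte(owner+"|"), rdata...)
}

// dsDigest is what a parent publishes in a DS record: a hash binding the child's name to its key.
func dsDigest(childName string, childPub ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(childName), childPub...))
	return h[:]
}

// AddRecord stores a record together with its RRSIG (origin authentication of DNS data).
func (z *Zone) AddRecord(owner, rdata string) {
	z.rrs[owner] = rdata
	z.sigs[owner] = ed25519.Sign(z.priv, canonical(owner, []byte(rdata)))
}

// Delegate links a child into the chain: the parent signs a DS record for the child's key.
// Without this signed DS, nothing ties the child's key to anything the resolver trusts.
func (z *Zone) Delegate(child *Zone) {
	d := dsDigest(child.Name, child.Pub)
	z.ds[child.Name] = d
	z.sigs["DS "+child.Name] = ed25519.Sign(z.priv, canonical("DS "+child.Name, d))
}

// Validate walks from the resolver's configured trust anchor (the root key) down to the
// zone holding the record, then checks the answer's RRSIG. Any forged key, missing DS,
// or altered record makes the whole answer untrusted, so a resolver would discard it.
func Validate(anchor ed25519.PublicKey, chain []*Zone, owner, rdata string) error {
	if len(chain) == 0 || !bytes.Equal(chain[0].Pub, anchor) {
		return errors.New("root key does not match the trust anchor")
	}
	for i := 0; i+1 < len(chain); i++ {
		parent, child := chain[i], chain[i+1]
		d, ok := parent.ds[child.Name]
		if !ok {
			return fmt.Errorf("%s has no DS record for %s", parent.Name, child.Name)
		}
		if !ed25519.Verify(parent.Pub, canonical("DS "+child.Name, d), parent.sigs["DS "+child.Name]) {
			return fmt.Errorf("DS record for %s fails its signature check", child.Name)
		}
		if !bytes.Equal(d, dsDigest(child.Name, child.Pub)) {
			return fmt.Errorf("key presented by %s does not match the DS in %s", child.Name, parent.Name)
		}
	}
	leaf := chain[len(chain)-1]
	if !ed25519.Verify(leaf.Pub, canonical(owner, []byte(rdata)), leaf.sigs[owner]) {
		return fmt.Errorf("record %s fails its signature check under %s", owner, leaf.Name)
	}
	return nil
}

// Demo builds root -> example. and validates three answers: the genuine record, a poisoned
// record (different address, same RRSIG), and a rogue zone presenting its own key for example.
func Demo() (genuine, poisoned, rogueKey error) {
	root, example := NewZone("."), NewZone("example.")
	example.AddRecord("www.example.", "A 192.0.2.10") // constructed documentation address
	root.Delegate(example)
	genuine = Validate(root.Pub, []*Zone{root, example}, "www.example.", "A 192.0.2.10")
	poisoned = Validate(root.Pub, []*Zone{root, example}, "www.example.", "A 198.51.100.99")
	rogue := NewZone("example.") // same name, attacker-generated key, never signed by root
	rogue.AddRecord("www.example.", "A 198.51.100.99")
	rogueKey = Validate(root.Pub, []*Zone{root, rogue}, "www.example.", "A 198.51.100.99")
	return
}

func main() {
	g, p, r := Demo()
	fmt.Println("genuine answer:", g)
	fmt.Println("poisoned answer:", p)
	fmt.Println("rogue key:", r)
}
```

The two failure cases are the ones DNSSEC is designed to catch: a poisoned answer fails because the RRSIG no longer matches the data, and a rogue zone fails because its key does not match the DS the parent signed, so the chain from the trust anchor never reaches it.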
DNSSEC is currently supported for the following TLDs (domain name extensions):