Please Use DNSSEC
The other day I was reading about yet another DNS vulnerability. Vulnerabilities in DNS have been well known since 2008, and since 2010 we’ve had an excellent solution, DNSSEC. DNSSEC addresses many of the most common DNS vulnerabilities on the internet today (including this most recent vulnerability). For most, setup is very simple. Unfortunately, DNSSEC is an opt-in technology. So, it’s a good time to remind all my Internet friends that today’s a good day to double-check if you have DNSSEC enabled, and if you don’t, to make plans to enable it.
For home users, the simple fix is to switch to a DNSSEC aware DNS provider. Quad9, CloudFlare, and NextDNS are all great choices. In addition to supporting DNSSEC, they all also support DOT/DOH and filter out malware domains for additional privacy/security. Setup is painless for every major OS. A secure provider can also be configured on your home router, to ensure every home device gains the benefits.
For businesses and organizations, you’ll need to look in two places. First, ensure your enterprise DNS resolvers are using an upstream provider that supports DNSSEC (see above) and/or ensure your enterprise DNS resolvers have DNSSEC validation enabled. For virtually every modern enterprise DNS resolver, it’s a simple switch to enable DNSSEC validation. But often, it’s off by default.
Second, ensure your public DNS zones are DNSSEC signed. If your DNS zone is hosted with your registrar, this is often a single click to enable (again, this is often disabled by default). Once enabled, nothing else to do, and any existing automation/APIs/etc will continue to work as expected. If your DNS is hosted by someone other than the registrar (like Azure DNS, Windows Server DNS, etc), it’s a two-step process. First, enable DNSSEC signing on your hosting provider (again, usually just a single click). That will then give you one or two records to upload to the registrar. Second, upload those DNSSEC records to your registrar. Again, if your using any modern DNS cloud hosting or on-premises server product, it’s very easy to setup and existing automation/APIs/dynamic updates/etc don’t break. Unless you’re still manually editing BIND text files, long gone are the days of managing crypto keys and hand-signing zone files.
In total, it’s a fairly small lift for an organization or tech-savvy individual to set up. Similar to antivirus software, most days it sits there quietly, seemingly doing nothing… except that one time when it saves you from a very bad day. So don’t delay, deploy DNSSEC today!
https://www.adamstas.com/please-use-dnssec/
Dan Goodin
Steve Syfuhs
BrianKrebs
