Google Added DNSSEC Validation To Its Public DNS System

PRAVEEN DALAL, MANAGING PARTNER OF PERRY4LAW, CEO PTLB

The Domain Name System (DNS) is an essential part of the World Wide Web (WWW), as it translates domain names into the numerical IP addresses needed to locate computer services and devices worldwide.

The Domain Name System Security Extensions (DNSSEC) are a method for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. DNSSEC is a set of extensions to DNS that give DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

Google earlier launched its own public DNS resolver, known as Google Public DNS. Google now states that Google Public DNS supports DNSSEC validation on its resolvers. Before this change, Google accepted and forwarded DNSSEC-formatted messages but did not perform validation itself.

With this new security feature, Google believes that it can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains.

This DNSSEC validation has not yet been enabled for clients that are not DNSSEC-aware. Google has launched DNSSEC validation as an opt-in feature and will only perform validation if a client explicitly requests it. Google is also working to minimise the impact of any DNSSEC misconfigurations that could cause connection breakages before it enables validation by default for all clients that have not explicitly opted out.
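The opt-in behaviour described above, as an added example that is not Google's code and not part of the original post. It assumes that the "explicit request" is the standard signal of a DNSSEC-aware client, the EDNS0 DO (DNSSEC OK) bit of RFC 3225, which the post itself does not name, and it shows what the client then sees from a validating resolver: the AD (Authentic Data) flag on a validated answer, SERVFAIL when validation fails, and neither for an unsigned zone. Packets are built by hand with `struct` so the script runs offline; `example.com`, the transaction IDs and the reply packets are constructed samples, not captures.

```python
"""Added example: a DNSSEC-aware stub client opting in to validation and reading
the resolver's verdict. All packets below are constructed locally, not captured."""
import struct

# Header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 3225)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # Authentic Data: the resolver validated this answer
FLAG_CD = 0x0010   # Checking Disabled: client asks the resolver not to validate
RCODE_SERVFAIL = 2
EDNS_DO = 0x8000   # DNSSEC OK, carried in the OPT record's TTL field
OPT_TYPE = 41

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def skip_name(data, offset):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length

def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """Build a query; with dnssec_ok the EDNS0 OPT record carries the DO bit,
    which is what an opt-in validating resolver looks for (assumption, see lead-in)."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if dnssec_ok:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-RCODE(8) | version(8) | DO(1) | zero(15), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, EDNS_DO, 0)
    return header + question + opt

def query_requests_validation(query):
    """True if the query carries an OPT record with the DO bit set."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return False
    offset = skip_name(query, 12) + 4          # just past the question section
    if query[offset] != 0:                     # OPT RR owner name must be the root
        return False
    rtype, _, ttl = struct.unpack("!HHI", query[offset + 1:offset + 9])
    return rtype == OPT_TYPE and bool(ttl & EDNS_DO)

def classify_response(query, response):
    """Interpret the resolver's verdict for the client. Returns one of
    'spoofed', 'secure', 'bogus-or-servfail', 'unvalidated'."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    qtxid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    # A reply must echo our transaction ID and our question section exactly;
    # anything else is discarded rather than trusted (basic anti-spoofing check).
    if txid != qtxid or not flags & FLAG_QR or response[12:qend] != query[12:qend]:
        return "spoofed"
    if flags & 0x000F == RCODE_SERVFAIL:
        return "bogus-or-servfail"   # validating resolvers answer SERVFAIL on failed validation
    if flags & FLAG_AD:
        return "secure"              # signatures checked, chain of trust verified
    return "unvalidated"             # unsigned zone, or the resolver did not validate

def sample_response(query, flags, rcode=0, with_answer=True):
    """Constructed reply to `query` for demonstration: optional A record 192.0.2.1."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    answer = b""
    if with_answer:
        # owner name = compression pointer to offset 12, TYPE A, CLASS IN, TTL 300, RDLENGTH 4
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    header = struct.pack("!HHHHHH", txid, flags | rcode, 1, 1 if with_answer else 0, 0, 0)
    return header + query[12:qend] + answer

if __name__ == "__main__":
    q = build_query("example.com")
    print("DO bit set:", query_requests_validation(q))
    secure = sample_response(q, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
    bogus = sample_response(q, FLAG_QR | FLAG_RD | FLAG_RA, rcode=RCODE_SERVFAIL, with_answer=False)
    spoofed = sample_response(build_query("example.com", txid=0x9999), FLAG_QR | FLAG_RA | FLAG_AD)
    for label, r in (("secure", secure), ("bogus", bogus), ("spoofed", spoofed)):
        print(label, "->", classify_response(q, r))
```

The point a client implementer should take from this is that the AD flag is only meaningful if the query itself opted in (DO set and CD clear) and the path between client and resolver is trusted; a validating resolver reports a failed validation as SERVFAIL rather than returning the unverified records, which is why misconfigured signed zones "break" once validation is on by default.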

If a DNS system is not properly secured, it can be abused to return a malicious result to whoever made the DNS query. If a DNS system is compromised, the IP addresses of malicious websites can be returned in place of the genuine ones. Such a malicious website may be loaded with malware that compromises the system of the person who visits it.

Probably the most common DNS attack is DNS cache poisoning, which tries to "pollute" a resolver's cache by injecting spoofed responses to its upstream DNS queries. Even IP address spoofing is possible in many cases.

To counter cache poisoning attacks, resolvers must be able to verify the authenticity of a response. DNSSEC solves this problem by authenticating DNS responses with digital signatures and public key cryptography. However, even digital signatures are not a complete answer: the keys used to produce them can be stolen or compromised to further a DNS attack.

Despite these limitations, DNSSEC is a critical step towards securing the Internet. By validating data origin and data integrity, DNSSEC complements other Internet security mechanisms, such as SSL. Let us see how this initiative of Google works out in the future.