After launching Google Public DNS three years ago to speed up and secure the internet, Google has announced a big step toward its security goals: Google Public DNS resolvers now perform DNSSEC (Domain Name System Security Extensions) validation. Earlier, Google did not validate DNSSEC data and merely passed DNSSEC messages through. With the new system in place Google can protect users from DNS-based attacks, identifying and rejecting invalid and suspect responses from DNSSEC-protected domains.
What does this mean? What is the role of DNS?
DNS is responsible for translating human-readable domain names into IP addresses so that computers can read and access them. This system, although critical, was not secure, and a considerable portion of attacks targeted the name resolution process, directing users to malicious websites by returning the IP addresses of malicious sites in answer to genuine DNS queries.
DNS cache poisoning, which pollutes the cache of DNS resolvers, was the most common type of such attack. To thwart it, resolvers have to verify and authenticate the responses they receive.
How does DNSSEC help?
DNSSEC uses public key cryptography and digital signatures to verify the authenticity of DNS responses. Each DNS zone maintains a public and private key pair. For each DNS record a digital signature is generated with the zone's private key. The corresponding public key is itself authenticated through a chain of trust that runs through the keys of higher-level zones. Response tampering is thus taken care of, because digital signatures are hard to forge without access to the private key. Responses with incorrect digital signatures are rejected automatically.
This is one giant leap in securing the internet. By confirming data integrity and data origin, DNSSEC works in tandem with other security mechanisms such as SSL. The same infrastructure can also be used for email and other internet applications.
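To make the signing and validation chain described above concrete, here is an added worked example in Go; it is not code from Google or from the article. It models a root trust anchor, a delegation from the root to a constructed zone example., and a signed A record for www.example. using documentation-range addresses. Ed25519 is a real DNSSEC signing algorithm (number 15), but the record layout, the "DS" digest and the single-link chain are simplifications and not DNS wire format. The validator walks the chain from the trust anchor down and then rejects the two kinds of tampering the text mentions: a cache-poisoning style swap of the address under a replayed signature, and a response signed with a key that the parent zone never vouched for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Zone holds the signing key pair of a DNSSEC-signed zone.
type Zone struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Record is a resource record plus its signature (RRSIG analogue).
type Record struct {
	Owner, Type, Data string
	Sig               []byte
}

// ChainLink pairs the key a child zone presents with the DS record its parent signed.
type ChainLink struct {
	Child string
	Pub   ed25519.PublicKey
	DS    Record
}

// canonical is the byte string that gets signed for a record.
func canonical(owner, typ, data string) []byte { return []byte(owner + "|" + typ + "|" + data) }

// NewZone generates a fresh Ed25519 key pair (DNSSEC algorithm 15).
func NewZone() *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only errors if the OS RNG fails
	return &Zone{Pub: pub, priv: priv}
}

// Sign returns a record signed with the zone's private key.
func (z *Zone) Sign(owner, typ, data string) Record {
	return Record{owner, typ, data, ed25519.Sign(z.priv, canonical(owner, typ, data))}
}

// DSDigest is the hash of a child's key that the parent publishes (DS record analogue).
func DSDigest(child string, pub ed25519.PublicKey) string {
	sum := sha256.Sum256(append([]byte(child), pub...))
	return hex.EncodeToString(sum[:])
}

// Validate walks from the trust anchor down each delegation, then checks the
// answer with the key established for its zone. Any failure rejects the answer.
func Validate(anchor ed25519.PublicKey, chain []ChainLink, answer Record) error {
	trusted := anchor
	for _, l := range chain {
		// The DS record must be signed by the key we already trust (the parent).
		if !ed25519.Verify(trusted, canonical(l.DS.Owner, l.DS.Type, l.DS.Data), l.DS.Sig) {
			return fmt.Errorf("DS record for %s has an invalid signature", l.Child)
		}
		// The presented child key must match the digest the parent vouched for.
		if l.DS.Data != DSDigest(l.Child, l.Pub) {
			return fmt.Errorf("key presented for %s does not match parent DS", l.Child)
		}
		trusted = l.Pub
	}
	if !ed25519.Verify(trusted, canonical(answer.Owner, answer.Type, answer.Data), answer.Sig) {
		return errors.New("answer signature invalid: response rejected")
	}
	return nil
}

// BuildScenario constructs a root -> example. delegation and a signed A record for
// www.example. (constructed names, documentation-range addresses), plus an
// attacker key pair that no parent has delegated to.
func BuildScenario() (anchor ed25519.PublicKey, chain []ChainLink, answer Record, rogue *Zone) {
	root, example := NewZone(), NewZone()
	ds := root.Sign("example.", "DS", DSDigest("example.", example.Pub))
	chain = []ChainLink{{Child: "example.", Pub: example.Pub, DS: ds}}
	return root.Pub, chain, example.Sign("www.example.", "A", "192.0.2.10"), NewZone()
}

// Poison mimics cache poisoning: the address is swapped while the genuine signature is replayed.
func Poison(answer Record) Record {
	answer.Data = "203.0.113.66"
	return answer
}

// RogueKey mimics an attacker signing with their own key and presenting it as
// example.'s zone key; the parent's DS record does not match it.
func RogueKey(rogue *Zone, ds Record) ([]ChainLink, Record) {
	chain := []ChainLink{{Child: "example.", Pub: rogue.Pub, DS: ds}}
	return chain, rogue.Sign("www.example.", "A", "203.0.113.66")
}

func main() {
	anchor, chain, answer, rogue := BuildScenario()
	fmt.Println("genuine:", Validate(anchor, chain, answer))
	fmt.Println("poisoned:", Validate(anchor, chain, Poison(answer)))
	rchain, ranswer := RogueKey(rogue, chain[0].DS)
	fmt.Println("rogue key:", Validate(anchor, rchain, ranswer))
}
```

Run with `go run`: the genuine answer validates (`<nil>`), the poisoned answer fails the final signature check, and the rogue-key answer fails one link earlier because the parent's DS digest does not match the key the attacker presents. A production validator does the same walk but additionally checks RRSIG validity periods and key tags, handles multi-level chains, and uses NSEC/NSEC3 proofs to authenticate negative answers, none of which this model includes.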
As of now over 130 billion DNS queries are served by Google Public DNS; at times this volume goes up to 150 billion queries from more than 70 million IP addresses daily. That said, only 7 percent of client-side queries are DNSSEC enabled: only 3 percent request validation and only 4 percent request DNSSEC data without validation. On the name server side, only 1 percent of DNS queries are signed. This clearly shows that there is a long way to go.
For DNSSEC to be effective, action is needed from both authoritative name servers and DNS resolvers: ISP and other public resolvers have to start validating DNS responses, and domain owners need to sign their domains. Only a third of all top-level domains are signed as of now, and second-level domains still remain unsigned. Google on its part is asking all parties to deploy DNSSEC to protect end users.