2 min read

What is DNSSEC?

Ryan Ozawa January 25, 2021

Email security
Diagram of connected cloud servers and network nodes
In the early days of the Internet, architects of what would become the World Wide Web were primarily concerned with connecting a global network of servers and computers and making it easier to find and retrieve information. The Domain Name System (DNS) was set up as a global address book of sorts, and even today is how your computer finds and connects to websites. The advent of the Mail Exchange (MX) system similarly optimized how electronic mail is routed around the world. Driven by ideals of openness and accessibility, these systems were quickly exploited by commercial interests to make money, including email spam, phishing, and hacking. It soon became necessary to build security into these foundational technologies.  That's where DNSSEC comes in.

 

The domain name system

First proposed in 1983, six years before the World Wide Web, DNS translates domain names like amazon.com and paubox.com into numerical Internet Protocol (IP) addresses that identify every server, computer, and device connected to the Internet. It's much easier to remember google.com than 142.250.68.100. DNS entries include electronic mail routing information. The problem of email spam was solved in part by tracking which IP addresses were used to send spam and blocking them, and requiring IP warming before new addresses could send email.

 

SEE ALSO: HIPAA Compliant Email: the Definitive Guide

 

But more sophisticated attacks target the DNS system itself. And if the global address book of the Internet can't be trusted, it's impossible to know which systems you can trust.

 

DNS hijacking

Because computers rely on DNS to know where to find each other, hackers often target the DNS system to redirect connections to other servers. This is called DNS hijacking. For example, you may be trying to log onto your bank's website at paubank.com, which the DNS system will normally tell you can be found at 123.456.789. Hackers could "hijack" the DNS directory entry for paubank.com and send you to 123.456.666 instead. If the website at the other end is designed to look like your bank website, you could log in with your username and password and unknowingly compromise your security. There are four basic types of DNS redirection attacks:

 

  • Local: Malicious software (malware) is installed on your computer to change your DNS records and settings.
  • Router: Centralized hardware in homes and businesses, which people often install without changing the factory usernames and passwords, is modified to redirect DNS lookups.
  • Man-in-the-middle: Connections are intercepted between a user and a DNS server to replace correct IP addresses with IP addresses of malicious websites.
  • Rogue DNS server: Setting up or taking over a DNS server to have control over the entire address book, again to direct users to malicious websites.

SEE ALSO: How do I identify my domain host?

 

What is DNSSEC?

In order to restore trust in the DNS system, new systems and standards were implemented to add layers of security and authentication. One of the organizations entrusted with establishing Internet standards is the Internet Engineering Task Force ( IETF), an open, international community of network designers, operators, vendors, and researchers focused on the smooth operation and evolution of the Internet. In 1999, the IETF proposed Domain Name Security Extensions (DNSSEC) to "provide data integrity and authentication . . . through the use of cryptographic digital signatures." With cryptographic digital signatures, DNS servers can detect forged or manipulated DNS data, and compare the information provided against a designated authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect any data published in the DNS, including MX records. Although DNSSEC makes the DNS system more secure, it also adds complexity to its overall operation, and it is not universally supported. Google provides open, DNSSEC capable DNS servers via its Google Public DNS service.
 
Try Paubox Email Suite for FREE today.
Start for free
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
Illustration of a head with a pink brain containing an envelope icon against a chalkboard background

What is a smart host?

Ryan Ozawa : January 19, 2021

Back in the early, idealistic days of the Internet, sending an email was one of the most basic activities users could perform, and the entire...

HIPAA compliant email
Read More
email icon floating on a digital screen

What is greylisting?

Picture of Kirsten Peremore Kirsten Peremore : August 15, 2025

Greylisting is a method used in email management to combat spam. It operates by temporarily rejecting emails from unknown senders. An article titled,...

Email security
Read More
Digital padlock icon with glowing circuit board and binary code background

What is transport layer security (TLS)?

Ryan Ozawa : April 29, 2021

Technology is rife with acronyms, and they're prevalent in the cybersecurity field, especially where technology and government collide. We've covered

Email security
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.