Can you clarify what fixes are being implemented to the DNS system (via DNSSEC) to make it more secure? Do enterprises need to take any action in turn or will these DNS security improvements be transparent?
Attackers sometimes attempt to manipulate DNS records through cache-poisoning attacks that insert malicious false DNS records into a server. Attackers hope these records will be distributed to client machines, which will then unknowingly guide users to malicious webpages.
Until recently, there was little that could be done on the client side to defend against this type of attack. But the release of the DNS Security Extensions (DNSSEC) changes that, allowing for the application of digital signature technology to DNS records, and providing the end user with assurance that the record is authentic.
The idea to secure DNS has been around for over a decade, but it took time to work out the details, and adoption has been quite slow. Over the past year, the idea picked up some steam, especially after the publicity surrounding the DNS vulnerabilities that Dan Kaminsky announced at the 2010 Black Hat Briefings conference. Major network and hosting providers such as Comcast and GoDaddy have joined the federal government in deploying DNSSEC.
If you want to get started with a DNSSEC implementation in your enterprise, there are two things you’ll need to consider: modifying your endpoints to recognize DNSSEC records and modifying your own DNS entries to support DNSSEC lookups.
On the client side, Microsoft Windows 7 includes built-in DNSSEC functionality that may be managed through Active Directory Group Policy Objects. The drill tool included in the ldns package for Linux systems provides DNSSEC lookup and troubleshooting functionality as well. There are also a number of end-user tools that support the addition of DNSSEC validation to popular applications such as Firefox, Thunderbird and SSH.
You also may wish to add DNSSEC validation support to your own DNS entries. If you’re using a DNS hosting provider, check with them to determine whether they support DNSSEC records. Otherwise, if you’re hosting your own DNS records, there are several DNSSEC tutorial resources you can consult. Read the Microsoft DNSSEC Deployment Guide for Windows Server 2008 R2 or the DNSSEC section of the BIND 9 Administrator’s Guide.