Domain Name System Security Extensions (DNSSEC) is a security technology that will help patch up one of the Internet’s weak points. We’re lucky SOPA didn’t pass, because SOPA would have made DNSSEC illegal.
DNSSEC adds critical security to a place where the Internet doesn’t really have any. The domain name system (DNS) works well, but there’s no verification at any point in the process, which leaves holes open for attackers.
The Current State of Affairs
We’ve explained how DNS works in the past. In a nutshell, whenever you connect to a domain name like “google.com” or “howtogeek.com,” your computer contacts its DNS server and looks up the associated IP address for that domain name. Your computer then connects to that IP address.
Importantly, there’s no verification process involved in a DNS lookup. Your computer asks its DNS server for the address associated with a website, the DNS server responds with an IP address, and your computer says “okay!” and happily connects to that website. Your computer doesn’t stop to check if that’s a valid response.
It’s possible for attackers to redirect these DNS requests or set up malicious DNS servers designed to return bad responses. For example, if you’re connected to a public Wi-Fi network and you try to connect to howtogeek.com, a malicious DNS server on that public Wi-Fi network could return a different IP address entirely. The IP address could lead you to a phishing website. Your web browser has no real way to check if an IP address is actually associated with howtogeek.com; it just has to trust the response it receives from the DNS server.
HTTPS encryption does provide some verification. For example, let’s say you try connecting to your bank’s website and you see HTTPS and the lock icon in your address bar. You know that a certification authority has verified that website belongs to your bank.
If you accessed your bank’s website from a compromised access point and the DNS server returned the address of an imposter phishing site, the phishing site wouldn’t be able to display that HTTPS encryption. However, the phishing site may opt to use plain HTTP instead of HTTPS, betting that most users wouldn’t notice the difference and would enter their online-banking information anyway.
Your bank has no way of saying “These are the legitimate IP addresses for our website.”
How DNSSEC Will Help
A DNS lookup actually happens in several stages. For example, when your computer asks for www.howtogeek.com, your computer performs this lookup in several stages:
- It first asks the “root zone directory” where it can find .com.
- It then asks the .com directory where it can find howtogeek.com.
- It then asks howtogeek.com where it can find www.howtogeek.com.
DNSSEC involves “signing the root.” When your computer goes to ask the root zone where it can find .com, it will be able to check the root zone’s signing key and confirm that it is the legitimate root zone with true information. The root zone will then provide information on the signing key or .com and its location, allowing your computer to contact the .com directory and ensure it’s legitimate. The .com directory will provide the signing key and information for howtogeek.com, allowing it to contact howtogeek.com and verify that you are connected to the real howtogeek.com, as confirmed by the zones above it.
When DNSSEC is fully rolled out, your computer will be able to confirm DNS responses are legitimate and true, whereas it currently has no way of knowing which ones are fake and which ones are real.
Read more about how encryption works here.
What SOPA Would Have Done
So how did the Stop Online Piracy Act, better known as SOPA, play into all of this? Well, if you followed SOPA, you realize that it was written by people who didn’t understand the Internet, so it would “break the Internet” in various ways. This is one of them.
Remember that DNSSEC allows domain name owners to sign their DNS records. So, for example, thepiratebay.se can use DNSSEC to specify the IP addresses it’s associated with. When you computer performs a DNS lookup — whether it’s for google.com or thepiratebay.se — DNSSEC would allow the computer to determine that it’s receiving the correct response as validated by the domain name’s owners. DNSSEC is just a protocol; it doesn’t try to discriminate between “good” and “bad” websites.
SOPA would have required Internet service providers to redirect DNS lookups for “bad” websites. For example, if an Internet service provider’s subscribers tried to access thepiratebay.se, the ISP’s DNS servers would return the address of another website, which would inform them that the Pirate Bay had been blocked.
With DNSSEC, such a redirection would be indistinguishable from a man-in-the-middle attack, which DNSSEC was designed to prevent. ISPs deploying DNSSEC would have to respond with the actual address of the Pirate Bay, and would thus be violating SOPA. To accommodate SOPA, DNSSEC would have to have a large hole cut into it, one that would allow Internet service providers and governments to redirect domain name DNS requests without the permission of the domain name’s owners. This would be difficult (if not impossible) to do in a secure way, likely opening new security holes for attackers.
Luckily, SOPA is dead and it hopefully won’t come back. DNSSEC is currently being deployed, providing a long-overdue fix for this problem.
Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.
- Published 04/29/13