What is DNSSEC?

DNSSEC stands for Domain Name System Security Extensions, and it is a technology used to protect information on the Domain Name System (DNS) which is used on IP networks. It provides authentication for the origin of the DNS data, helping to safeguard against attacks and protect data integrity.

How DNSSEC works

The DNS turns domain names, or website names, into internet protocol (IP) addresses. These are unique identifiers that help computers around the world access information quickly. DNSSEC adds a set of security extensions to the DNS for increased protection.

These security extensions include:

  • Origin authentication of DNS data: this ensures that the recipient of the data can verify the source.
  • Authenticated denial of existence: this tells a resolver (responsible for translating the domain name into an IP address) that a certain domain name does not exist.
  • Data integrity: this assures the data recipient that the data has not been changed in transit.
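
Added example, not part of the original page: DNSSEC implements authenticated denial of existence with NSEC records (RFC 4034), each of which names the next existing name in the zone, so a gap between two names proves that nothing exists in between. The sketch below goes beyond the text to show how a validator decides what a set of NSEC records proves; the function names and the zone data are assumptions made for illustration.

```python
# Added illustration, not from the original page. Zone data is constructed.
# Simplifications: RRSIG verification of each NSEC record is assumed to have
# been done already, qname is assumed to lie inside the zone, and escaped
# dots and wildcard proofs are not handled.

def canonical_key(name):
    """RFC 4034 section 6.1 ordering: lowercase labels, compared right to left."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if the gap owner -> next_name contains qname (so qname cannot exist)."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:                      # ordinary gap between two existing names
        return o < q < n
    return q > o or q < n          # last record: the chain wraps to the apex

def prove_denial(nsec_records, qname, qtype):
    """Classify what a set of validated NSEC records proves about qname/qtype.

    Returns "NXDOMAIN" (name absent), "NODATA" (name exists, type absent),
    or None (no proof: a negative answer without one must not be trusted).
    """
    q = canonical_key(qname)
    for owner, next_name, types in nsec_records:
        if canonical_key(owner) == q:
            return None if qtype in types else "NODATA"
        if nsec_covers(owner, next_name, qname):
            return "NXDOMAIN"
    return None

# Constructed NSEC chain for a three-name zone (owner, next name, types present).
SAMPLE_CHAIN = [
    ("example.com.", "mail.example.com.", {"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"}),
    ("mail.example.com.", "www.example.com.", {"A", "MX", "NSEC", "RRSIG"}),
    ("www.example.com.", "example.com.", {"A", "NSEC", "RRSIG"}),
]

if __name__ == "__main__":
    for name, rtype in [("ftp.example.com.", "A"), ("zzz.example.com.", "A"),
                        ("www.example.com.", "AAAA"), ("www.example.com.", "A")]:
        print(name, rtype, "->", prove_denial(SAMPLE_CHAIN, name, rtype))
```

A result of None is the case a validating resolver cares about most: a negative answer that arrives without a covering NSEC record is unauthenticated and should be rejected.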

Why do we need security in DNS?

A DNS helps point web traffic to the right destination. It is used by everyone, everywhere and all internet traffic flows through it. For this reason, it is a highly sensitive system which is exposed to many threats from cyber attackers that aim to take control of a DNS, to infect and extract all data from it.

Many modern enterprises are vulnerable to DNS server security risks because they only use a couple of DNS servers. This may leave them incapable of protecting against volumetric attacks, whereby large amounts of traffic to a website may cause servers to crash, preventing users from finding the website.

Besides compromising the way a DNS works, a malicious attack can also aim to exploit security vulnerabilities on the server that runs the DNS services, extracting valuable data such as passwords, usernames and other personal information.

These represent serious issues for companies, and make DNS security a critical component to ensuring online security.

Common DNS security threats

Without adequate DNSSEC, enterprises may be exposed to:

  • Distributed denial of service (DDoS) attacks: A DDoS takes advantage of multiple systems’ security vulnerabilities, such as those compromised by malware, and sends large volumes of traffic to a website or web-based application. These may cause servers to crash and render the website or application unusable. These attacks can affect customers and potentially cause a loss of revenue. Today’s DDoS attacks are becoming more sophisticated, attacking deeper into the application layer, whereas previously they only affected the outer network and transport layers.
  • Amplification attacks: This is when hackers exploit vulnerabilities in a DNS server to turn smaller queries into much larger ones, which, again, can crash servers. An amplification attack is a type of reflection attack, which involves flooding public DNS with multiple UDP (User Datagram Protocol) packets. These packets are inflated with the aim of crashing servers. The term “reflection” refers to DNS resolvers sending their responses to a fake IP address, which is supplied in the DNS query sent out as part of the attack.

Fast secure DNS with Akamai

Akamai's Edge DNS cloud-based solution delivers 24/7 DNS availability and helps to fend off large-scale DDoS attacks. Designed for use as either a primary or secondary DNS service, it is built on a globally distributed network and provides a highly scalable platform for maximum protection.

Edge DNS accelerates DNS resolutions by directing users to a high performing DNS network for better responsiveness. The Akamai Intelligent Edge Platform uses thousands of servers worldwide to protect against large-scale DDoS attacks, helping to:

  • Prevent DNS forgery and manipulation.
  • Achieve DDoS protection by absorbing attacks.
  • Maintain legitimate user access while under DDoS attack.
  • Enable 100% uptime service agreements.
  • Achieve faster and more reliable DNS resolution by using thousands of servers worldwide instead of simply relying on two or three servers.
  • Guarantee 24/7 DNS availability using Akamai's scalable, globally distributed platform.
  • Simplify DNS infrastructure management with Akamai Control Center and open APIs.
  • Control costs with pricing based on number of zones rather than on the number of requests.

Learn more about Akamai solutions for DNS security, as well as solutions for application hosting, media content delivery, and more.