DNS Security Overview
WHAT IS DNS
The Domain Name System (DNS) provides name resolution for the Internet, mapping human-readable names (e.g. mycompany.ke) to machine-routable IP addresses. DNS was designed in the 1980s, when the Internet was much smaller, and security was not a primary consideration in its design: it operates without end-to-end authentication. Attackers have therefore used it as the basis for myriad attacks, such as DNS hijacking/spoofing and cache poisoning, to compromise any type of DNS resource record (RR).
In summary, the most important DNS function is the resolution of domain names to IP addresses, full stop.
Domain Name System Security Extensions (DNSSEC) secure the DNS for substantially all online communications, protecting against attacks at the DNS level and complementing efforts to secure the other layers of the Internet Protocol (IP) stack.
DNSSEC forms a fundamental part of widespread Internet security, or at least it would if it were widely adopted. Today it needs to be specifically enabled by DNS operators (e.g. registrars and ISPs) and by domain name owners to curb Internet attacks such as woman-in-the-middle attacks or spoofing.
Users should have assurance that when they type in a domain they end up at their desired destination and that is exactly what DNSSEC ensures.
WHAT IS DNSSEC?
The Domain Name System is key to the functioning of the Internet. To improve its security, the DNS Security Extensions (DNSSEC) were developed to prove the authenticity and integrity of DNS data.
IMPACT OF DNSSEC ON .KE
For DNSSEC to work as intended and have a substantial impact, deployment has to span all levels of the DNS architecture. Adoption by every actor involved in the DNS resolution process is therefore essential for success. One big leap forward is to impress on KeNIC registrars the importance of DNSSEC adoption.
DNSSEC adds two important security features to the DNS protocol to protect DNS data end to end:
- Data origin authentication – verifies that the data received actually came from the zone it claims to originate from.
- Data integrity protection – ensures that data is not modified in transit.
WHAT NECESSITATED THE TRAINING
It is within KeNIC's mandate as a player in the DNS industry to ensure DNSSEC deployment and uptake by its strategic partners and other members in the region.
Given the low uptake of DNSSEC in the region, KeNIC took the initiative to drive this process by ensuring that DNS operators, at a bare minimum, enable DNSSEC validation on their recursive name servers.
Current statistics show that Kenya's validation rate is at 25% (ref https://stats.labs.apnic.net/dnssec/KE).
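The validation rate above is measured by whether recursive resolvers actually validate. As an added example (not from the page or from KeNIC), the following Python 3 script, using only the standard library, builds a DNS query with the EDNS0 DO bit set and reads the AD (Authenticated Data) flag and RCODE from a response header, which is the quick check an operator can run against their own recursive name server. The response headers in the block are constructed sample bytes; the `query_resolver` helper and its `resolver_ip` argument are this example's own, and send the query to a resolver address you supply.

```python
import socket
import struct

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query: RD=1 plus an EDNS0 OPT record with the DO bit,
    telling the resolver we are DNSSEC-aware and want RRSIGs back."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional (OPT)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, UDP payload 4096, ext-RCODE 0, version 0, flags DO=0x8000, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response):
    """Decode the 16-bit flags word of a DNS response header (RFC 1035, AD/CD from RFC 4035)."""
    txid, flags = struct.unpack("!HH", response[:4])
    return {
        "id": txid,
        "ra": bool(flags & 0x0080),   # resolver offers recursion
        "ad": bool(flags & 0x0020),   # Authenticated Data: validator verified the answer
        "cd": bool(flags & 0x0010),   # Checking Disabled echoed back from the query
        "rcode": flags & 0x000F,
    }

def validation_status(response):
    """Classify what a response header says about DNSSEC validation at the resolver."""
    f = parse_flags(response)
    if f["rcode"] == 2:
        return "SERVFAIL: validating resolver refused a bogus or broken chain"
    if f["rcode"] != 0:
        return "error: rcode %d" % f["rcode"]
    if f["ad"]:
        return "secure: answer validated (AD set)"
    return "unvalidated: AD clear (resolver not validating, or zone unsigned)"

def query_resolver(resolver_ip, qname, timeout=3.0):
    """Send build_query() over UDP to a resolver you operate and return the raw response."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction ID mismatch")  # ignore answers not matching our query
    return data

# Constructed sample response headers (12 bytes each; sections omitted, only flags are inspected).
SAMPLE_SECURE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)       # QR RD RA AD, NOERROR
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA, AD clear
SAMPLE_BOGUS = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)        # QR RD RA, SERVFAIL
```

A resolver that answers a signed zone with AD clear is not validating; one that returns SERVFAIL for a deliberately broken test zone but AD for a good one is.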
In May 2020, KeNIC management engaged the Network Startup Resource Center (NSRC) to organize DNSSEC capacity-building training for KeNIC technical staff, registrars, the research and education network (REN) and ISPs.
NSRC agreed to carry out a five (5) day online training via Zoom because of the restrictions imposed by the COVID-19 pandemic. Twenty-two participants attended the online training.
KeNIC successfully conducted a five-day online DNSSEC training, the first of its kind in the world. Participants shared their pleasure and appreciation at being part of the great team that will steer the DNSSEC agenda forward.
A DNSSEC roadmap is in development to ensure en-masse DNSSEC deployment by Q2 2021.
FUTURE OF DNSSEC IN KENYA
Over the coming months, KeNIC will examine the various options available to entice DNS operators to sign domains using open-source products.
There is a strong feeling that this is the right moment to embrace the technology: signing software has come a long way since 2009, and several mature products are available free of charge, e.g. OpenDNSSEC, which has wide support and a strong community around it.
The just-concluded training will also trigger a new race among the participants as to who gets their infrastructure signed first.