ITEC4147›Naming and DNS Security, DNSSEC

Network SecurityTopic 11 of 24

Naming and DNS Security, DNSSEC

4 minread

654words

Beginnerlevel

📘 Naming and DNS Security, DNSSEC — Exam Notes (Network Security)

🌐 1. Introduction to Naming System

🔹 Domain Name System (DNS)

The Domain Name System (DNS) is a hierarchical naming system that translates:

Domain names (e.g., google.com) → IP addresses (e.g., 142.250.x.x)

👉 Simple idea: DNS works like the phonebook of the internet.

🎯 2. Why DNS is Important?

Humans use names, computers use IP addresses
DNS makes internet navigation easy
Supports websites, email, and online services

⚠️ 3. DNS Security Issues (Threats)

DNS is a critical target for attackers because it controls internet naming.

🔸 1. DNS Spoofing / Cache Poisoning

Fake DNS data is inserted into cache
Users are redirected to malicious websites

🔸 2. DNS Hijacking

Attacker changes DNS settings
Users are redirected without knowledge

🔸 3. DDoS on DNS Servers

Overloads DNS servers
Makes websites unreachable

🔸 4. DNS Tunneling

Uses DNS queries to secretly transfer data
Used for data theft or malware communication

🔐 4. DNS Security Goals

Ensure data integrity (no tampering)
Ensure authenticity (correct source)
Prevent spoofing attacks
Maintain availability of DNS service

🛡️ 5. DNS Security Measures

🔹 1. Secure DNS Configuration

Restrict zone transfers
Disable open recursion

🔹 2. Firewalls

Filter malicious DNS traffic

🔹 3. Monitoring and Logging

Detect unusual DNS behavior

🔹 4. Encryption (DNS over HTTPS / TLS)

Protect DNS queries from interception

🔐 6. What is DNSSEC?

🔹 Definition

DNSSEC (Domain Name System Security Extensions) is a set of security protocols that adds cryptographic protection to DNS to ensure data is authentic and untampered.

👉 Simple idea: DNSSEC adds a digital signature to DNS data.

🎯 7. Objectives of DNSSEC

Verify DNS data authenticity
Prevent DNS spoofing and cache poisoning
Ensure data integrity
Build trust in DNS responses

🔑 8. How DNSSEC Works

DNSSEC uses public key cryptography.

Steps:

DNS record is created
A digital signature (RRSIG) is generated
Public key is stored in DNS
Resolver checks signature before trusting data
If valid → accept response If invalid → reject response

📊 9. Key Components of DNSSEC

🔹 1. Zone Signing Key (ZSK)

Signs DNS records in a zone

🔹 2. Key Signing Key (KSK)

Signs the ZSK

🔹 3. RRSIG Record

Stores digital signature

🔹 4. DNSKEY Record

Stores public key

🔹 5. DS Record (Delegation Signer)

Links parent and child zones

🧠 10. DNSSEC Validation Process

Resolver requests domain
Receives DNS response + signature
Checks signature using public key
Valid → data accepted
Invalid → data rejected

⚠️ 11. Limitations of DNSSEC

Does NOT provide encryption (only authentication)
Complex to implement
Requires key management
Slight performance overhead

🖼️ 12. Diagram Descriptions

📌 DNS Resolution Flow

User → DNS Resolver → Root → TLD → Authoritative Server → IP

📌 DNSSEC Validation

DNS Response → Signature Check → Accept/Reject

📌 DNS Attack vs DNSSEC Protection

Attack: Fake response injected
DNSSEC: Signature verification blocks it

🧾 13. Real-Life Examples

🌐 Secure websites using DNSSEC-enabled domains
🏦 Banks preventing fake website redirection
📧 Email systems verifying domain authenticity
🏢 Government websites using DNSSEC for protection

📝 Likely Exam Questions

Define DNS and its importance.
What are common DNS security threats?
Explain DNS spoofing and cache poisoning.
What is DNSSEC?
Explain working of DNSSEC with diagram.
What are components of DNSSEC?
Differentiate between DNS and DNSSEC.
What are advantages and limitations of DNSSEC?
How does DNSSEC prevent attacks?
Write short notes on:

DNS hijacking
DNS tunneling
RRSIG and DNSKEY

📌 Quick Summary / Conclusion

DNS translates domain names to IP addresses.
It is vulnerable to attacks like spoofing, hijacking, and DDoS.
DNS security focuses on integrity, authenticity, and availability.
DNSSEC adds cryptographic signatures to protect DNS data.
It ensures users reach the real and trusted website, not fake ones.

👉 In short: DNSSEC strengthens DNS by adding digital signatures, preventing tampering and ensuring secure domain name resolution.

Past Papers

Open this section to load past papers

Click on Show Past Papers to see past papers.

ITEC4147›Naming and DNS Security, DNSSEC

Network SecurityTopic 11 of 24

Naming and DNS Security, DNSSEC

4 minread

654words

Beginnerlevel

📘 Naming and DNS Security, DNSSEC — Exam Notes (Network Security)

🌐 1. Introduction to Naming System

🔹 Domain Name System (DNS)

The Domain Name System (DNS) is a hierarchical naming system that translates:

Domain names (e.g., google.com) → IP addresses (e.g., 142.250.x.x)

👉 Simple idea: DNS works like the phonebook of the internet.

🎯 2. Why DNS is Important?

Humans use names, computers use IP addresses
DNS makes internet navigation easy
Supports websites, email, and online services

⚠️ 3. DNS Security Issues (Threats)

DNS is a critical target for attackers because it controls internet naming.

🔸 1. DNS Spoofing / Cache Poisoning

Fake DNS data is inserted into cache
Users are redirected to malicious websites

🔸 2. DNS Hijacking

Attacker changes DNS settings
Users are redirected without knowledge

🔸 3. DDoS on DNS Servers

Overloads DNS servers
Makes websites unreachable

🔸 4. DNS Tunneling

Uses DNS queries to secretly transfer data
Used for data theft or malware communication

🔐 4. DNS Security Goals

Ensure data integrity (no tampering)
Ensure authenticity (correct source)
Prevent spoofing attacks
Maintain availability of DNS service

🛡️ 5. DNS Security Measures

🔹 1. Secure DNS Configuration

Restrict zone transfers
Disable open recursion

🔹 2. Firewalls

Filter malicious DNS traffic

🔹 3. Monitoring and Logging

Detect unusual DNS behavior

🔹 4. Encryption (DNS over HTTPS / TLS)

Protect DNS queries from interception

🔐 6. What is DNSSEC?

🔹 Definition

DNSSEC (Domain Name System Security Extensions) is a set of security protocols that adds cryptographic protection to DNS to ensure data is authentic and untampered.

👉 Simple idea: DNSSEC adds a digital signature to DNS data.

🎯 7. Objectives of DNSSEC

Verify DNS data authenticity
Prevent DNS spoofing and cache poisoning
Ensure data integrity
Build trust in DNS responses

🔑 8. How DNSSEC Works

DNSSEC uses public key cryptography.

Steps:

DNS record is created
A digital signature (RRSIG) is generated
Public key is stored in DNS
Resolver checks signature before trusting data
If valid → accept response If invalid → reject response

📊 9. Key Components of DNSSEC

🔹 1. Zone Signing Key (ZSK)

Signs DNS records in a zone

🔹 2. Key Signing Key (KSK)

Signs the ZSK

🔹 3. RRSIG Record

Stores digital signature

🔹 4. DNSKEY Record

Stores public key

🔹 5. DS Record (Delegation Signer)

Links parent and child zones

🧠 10. DNSSEC Validation Process

Resolver requests domain
Receives DNS response + signature
Checks signature using public key
Valid → data accepted
Invalid → data rejected

⚠️ 11. Limitations of DNSSEC

Does NOT provide encryption (only authentication)
Complex to implement
Requires key management
Slight performance overhead

🖼️ 12. Diagram Descriptions

📌 DNS Resolution Flow

User → DNS Resolver → Root → TLD → Authoritative Server → IP

📌 DNSSEC Validation

DNS Response → Signature Check → Accept/Reject

📌 DNS Attack vs DNSSEC Protection

Attack: Fake response injected
DNSSEC: Signature verification blocks it

🧾 13. Real-Life Examples

🌐 Secure websites using DNSSEC-enabled domains
🏦 Banks preventing fake website redirection
📧 Email systems verifying domain authenticity
🏢 Government websites using DNSSEC for protection

📝 Likely Exam Questions

Define DNS and its importance.
What are common DNS security threats?
Explain DNS spoofing and cache poisoning.
What is DNSSEC?
Explain working of DNSSEC with diagram.
What are components of DNSSEC?
Differentiate between DNS and DNSSEC.
What are advantages and limitations of DNSSEC?
How does DNSSEC prevent attacks?
Write short notes on:

DNS hijacking
DNS tunneling
RRSIG and DNSKEY

📌 Quick Summary / Conclusion

DNS translates domain names to IP addresses.
It is vulnerable to attacks like spoofing, hijacking, and DDoS.
DNS security focuses on integrity, authenticity, and availability.
DNSSEC adds cryptographic signatures to protect DNS data.
It ensures users reach the real and trusted website, not fake ones.

👉 In short: DNSSEC strengthens DNS by adding digital signatures, preventing tampering and ensuring secure domain name resolution.

Past Papers

Open this section to load past papers

Click on Show Past Papers to see past papers.