Enhancing Security with DNSSEC in Domain Name Resolution

When you type in a hostname like www.example.com, your computer's resolver looks in its local cache and uses the information found there, then it sends the query to a name server that it has defined. That DNS server is then responsible for resolving the name and sending the response to your computer. If the DNS server doesn't have the name in the local cache, then it starts at one of the root servers and works its way down to a so-called authoritative name server for that host name. Pretty straightforward -- and, as a distributed database, the DNS (I use "the DNS" to mean "the distributed name service" in general, not a specific DNS server) is pretty effective. But as security wonks, we care about the veracity of the data, and as DNS is deployed today, we can't even begin to verify DNS data.

The DNS is a distributed data base with authoritative servers assigned to zones. A zone is just a named part of the DNS -- google.com is a zone, yahoo.com is a zone, darkreading.com is a zone, .com is a zone (so is "." but never mind that). URLs like www.google.com, www.yahoo.com, are all hosts within their respective zones. The question you should be asking is how do you know that a DNS server, say ns1.google.com, that identifies itself as authoritative for a name (a zone, actually) really is authoritative? Because it says so? Piffle. A DNS server says it's authoritative for a zone if it has a zone configured. You can check me out on this by configuring your DNS server with the google.com zone name, add in a host called www, and then use dig or nslookup to look up the host from your new DNS server. The response will come back as authoritative.

The link for this article located at Dark Reading is no longer available.