DNSSEC: Authenticating DNS Responses
Learn how DNSSEC uses digital signatures to protect DNS from spoofing and cache poisoning attacks.
DNS Cache Poisoning: The Kaminsky Attack
In 2008, researcher Dan Kaminsky disclosed a critical attack against DNS resolvers. The attack exploited the small 16-bit transaction ID field in DNS responses. By flooding a resolver with forged responses containing random transaction IDs, an attacker could statistically succeed in matching the legitimate transaction ID before the real response arrived. A poisoned cache redirects all users of that resolver to attacker-controlled servers for weeks until the cache expires.
What DNSSEC Adds to DNS
DNSSEC (DNS Security Extensions) adds cryptographic authentication to DNS responses. Every DNS record set in a DNSSEC-signed zone is accompanied by a digital signature. Validating resolvers check these signatures before accepting records. A forged or modified response will have an invalid signature and be rejected. DNSSEC protects against cache poisoning and response forgery but does not encrypt DNS queries.
All lessons in this course
- What Makes a Secure Protocol
- SSH: Securing Remote Access
- SFTP and SCP: Secure File Transfer
- DNSSEC: Authenticating DNS Responses