How does DNS work?
The DNS client sends a DNS request for the requested host's name to the recursive DNS server.
The recursive DNS server sends the DNS request to a root DNS server.
The root DNS server resolves the request and provides the IP address of the authoritative DNS server.
The recursive DNS server sends the DNS request to the authoritative DNS server.
The authoritative DNS server resolves the name and provides the IP address of the requested host.
The recursive DNS server sends the IP address of the requested host back to the DNS client.
What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) is a technology that was developed to, among other things, protect against attacks such as DNS spoofing and cache poisoning by digitally 'signing' data so you can be assured it is valid. However, in order to eliminate the vulnerability from the Internet, it must be deployed at each step in the lookup, from the root zone to the final domain name (e.g., www.icann.org). Signing the root (deploying DNSSEC on the root zone) is a necessary step in this overall process. Importantly, DNSSEC does not encrypt data. It only attests to the validity of the address of the site you visit.
Why do you need DNSSEC?
DNSSEC is intended to protect against 'man-in-the-middle' DNS spoofing attacks and 'cache poisoning' by ensuring DNS information is validated cryptographically before end users' traffic is directed to a website.
When users access a website using its domain name, e.g. , the system's DNS resolver will first query for the IP address of the website. While the DNS resolver (e.g. the ISP's resolver) is making its query, it is possible for an attacker to trick the resolver into accepting a fake IP address. This is known as a 'man-in-the-middle' attack.
Most DNS resolvers also cache the returned IP address to speed up responses to future queries for the same domain name, whether from the same user or from other users. Therefore, if an attacker has managed to trick the DNS resolver into accepting a fake IP address, that fake IP address is now cached by the DNS resolver. This is known as 'cache poisoning'. When other users (e.g. other users on the same ISP) subsequently query the same domain name, they are redirected to the fake IP address, because they receive the cached, incorrect IP address instead of the legitimate website's IP address.
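The following Python model, added here as an illustration and not taken from the original page, ties together the resolution steps above and the cache-poisoning scenario: a recursive resolver walks from the root through a TLD server to the authoritative server (one more hop than the page's two-step description, which is how real delegation chains look), caches the final answer, and serves that cached answer to the next client. Run once without validation, a forged reply is accepted and stays in the cache for later clients; run with validation, the forged (unsigned) reply fails the signature check and is never cached. All addresses, zone data and keys are constructed; the "DNSKEY/RRSIG" pair is textbook RSA over two small primes, a stand-in for DNSSEC's real algorithms, and the chain of trust is collapsed to a single trusted key.

```python
"""Toy model of recursive resolution, cache poisoning and DNSSEC-style validation.
Zone data, server addresses (RFC 5737 documentation ranges), keys and the forged
answer are all constructed for this illustration."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# --- Toy "DNSKEY/RRSIG": textbook RSA over two constructed primes. Real DNSSEC uses
# standardised algorithms with proper padding; this only models sign-then-verify.
P, Q, E = 2147483647, 2305843009213693951, 65537      # 2^31-1 and 2^61-1 are prime
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))           # public key (E, N), private D
TRUST_ANCHOR = (E, N)                                 # the key the resolver trusts

def _digest(name: str, rdata: str) -> int:
    # 64-bit digest of the record, small enough to be < N
    return int.from_bytes(hashlib.sha256(f"{name}|{rdata}".encode()).digest()[:8], "big")

def sign(name: str, rdata: str) -> int:
    return pow(_digest(name, rdata), D, N)

def verify(name: str, rdata: str, sig: Optional[int], key=TRUST_ANCHOR) -> bool:
    if sig is None:                                   # an unsigned answer cannot validate
        return False
    e, n = key
    return pow(sig, e, n) == _digest(name, rdata)

@dataclass
class Record:
    name: str
    rdata: str                  # the A record's IPv4 address
    sig: Optional[int] = None   # RRSIG stand-in; None means unsigned

ROOT, COM_TLD, EXAMPLE_AUTH = "192.0.2.1", "192.0.2.2", "192.0.2.3"   # server addresses
LEGIT_IP, FAKE_IP = "203.0.113.10", "198.51.100.66"
QNAME = "www.example.com."

class Server:
    """Answers names it is authoritative for and refers everything else to a child zone.
    Delegation data is unsigned here, just as NS/glue records are in DNSSEC."""
    def __init__(self, answers: dict, delegations: dict):
        self.answers, self.delegations = answers, delegations
    def query(self, qname: str):
        if qname in self.answers:
            return "answer", self.answers[qname]
        for child, addr in self.delegations.items():
            if qname.endswith(child):
                return "referral", addr
        return "nxdomain", None

class Network:
    """Carries queries to servers; `spoofed` models a forged reply arriving instead."""
    def __init__(self, servers: dict):
        self.servers, self.spoofed = servers, {}
    def send(self, addr: str, qname: str):
        if (addr, qname) in self.spoofed:
            return "answer", self.spoofed[(addr, qname)]
        return self.servers[addr].query(qname)

class Resolver:
    """Recursive resolver: walks root -> TLD -> authoritative, caches the final answer."""
    def __init__(self, network: Network, validate: bool):
        self.network, self.validate, self.cache, self.last_path = network, validate, {}, []
    def resolve(self, qname: str) -> Optional[str]:
        self.last_path = []
        if qname in self.cache:                       # cache hit: no servers contacted
            return self.cache[qname]
        addr = ROOT
        while True:
            self.last_path.append(addr)
            kind, payload = self.network.send(addr, qname)
            if kind == "referral":
                addr = payload                        # follow the delegation downward
                continue
            if kind != "answer":
                return None
            if self.validate and not verify(payload.name, payload.rdata, payload.sig):
                return None                           # bogus: SERVFAIL, nothing is cached
            self.cache[qname] = payload.rdata
            return payload.rdata

def build_network() -> Network:
    zone = {QNAME: Record(QNAME, LEGIT_IP, sign(QNAME, LEGIT_IP))}
    return Network({ROOT: Server({}, {"com.": COM_TLD}),
                    COM_TLD: Server({}, {"example.com.": EXAMPLE_AUTH}),
                    EXAMPLE_AUTH: Server(zone, {})})

def poisoning_scenario(validate: bool):
    """First client resolves while a forged reply is in flight; a second client resolves
    after it is gone. Returns (first answer, second answer, servers contacted first)."""
    net = build_network()
    resolver = Resolver(net, validate)
    net.spoofed[(EXAMPLE_AUTH, QNAME)] = Record(QNAME, FAKE_IP)   # forged and unsigned
    first = resolver.resolve(QNAME)
    path = list(resolver.last_path)
    net.spoofed.clear()
    second = resolver.resolve(QNAME)
    return first, second, path

if __name__ == "__main__":
    print("no validation :", poisoning_scenario(False))   # both clients get FAKE_IP
    print("with validation:", poisoning_scenario(True))   # SERVFAIL, then LEGIT_IP
```

The second client in the unvalidated run never talks to any server; it simply receives the poisoned cache entry, which is exactly the spread described above. The validating resolver returns SERVFAIL for the forged reply instead of caching it, so the next client gets the legitimate, signed answer.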
How do you know if a domain has DNSSEC?
You can check at https://centralops.net/co/DomainDossier.aspx
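A web lookup tool is convenient, but what it does underneath is ask for DNSSEC records and look at the reply. The following Python script, added here as an example rather than code from the page or from the site linked above, shows the two observable signs of DNSSEC on the wire: RRSIG records returned alongside the answer (the zone is signed) and the AD flag in the header (the resolver you asked has validated the chain). It builds a query whose EDNS0 OPT record sets the DO bit so a resolver will include RRSIGs, and parses responses with a small RFC 1035 message reader. The sample response, its IP address, key tag and timestamps are all constructed; the only real network call is the optional `query_resolver` helper, which takes the address of whichever validating resolver you choose.

```python
"""Build a DNS query that asks for DNSSEC records and inspect a response for the
signs of DNSSEC: RRSIG records in the answer and the AD (authenticated data) flag.
Added illustration; the sample response below is constructed by hand."""
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_DS, TYPE_RRSIG = 1, 41, 43, 46
FLAG_AD = 0x0020                  # header flag a validating resolver sets on success

def encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"

def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # EDNS0 OPT pseudo-RR: root name, type 41, class = UDP payload size,
    # TTL field = ext-rcode(8) | version(8) | DO(1) | Z(15); DO=1 asks for RRSIGs
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + opt

def decode_name(msg: bytes, off: int):
    """Return (name, offset just after it), following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # 2-byte pointer into the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def parse_response(msg: bytes) -> dict:
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                      # skip QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"ad": bool(flags & FLAG_AD),
            "rrsig_present": any(t == TYPE_RRSIG for _, t, _ in records),
            "records": records}

def sample_response(signed: bool) -> bytes:
    """Constructed reply for www.example.com: A record, optional RRSIG, OPT record."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | (FLAG_AD if signed else 0),
                         1, 2 if signed else 1, 0, 1)          # QR, RD, RA (+AD)
    question = encode_name("www.example.com.") + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"                                 # pointer to the name at offset 12
    answer = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([203, 0, 113, 10])
    rrsig = b""
    if signed:
        # RRSIG RDATA: type covered, algorithm 13 (ECDSAP256SHA256), label count,
        # original TTL, expiration, inception, key tag, signer name, signature (dummy)
        rdata = (struct.pack("!HBBIIIH", TYPE_A, 13, 3, 300, 1700000000, 1690000000, 12345)
                 + encode_name("example.com.") + b"\x00" * 64)
        rrsig = ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + answer + rrsig + opt

def query_resolver(name: str, resolver_ip: str, qtype: int = TYPE_A, timeout: float = 5.0) -> dict:
    """Send the query over UDP to the resolver you choose and inspect its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (resolver_ip, 53))
        return parse_response(s.recv(4096))
```

Against a live resolver, `query_resolver("example.com.", "<resolver IP>")` reports `rrsig_present` when the zone publishes signatures and `ad` only when that resolver validates; a non-validating resolver never sets AD even for a correctly signed zone, so the two flags answer different questions. To confirm the delegation is also secured at the parent, query the same name with `qtype=TYPE_DS`: a DS record in the answer is what links the zone's key into the chain of trust from the root.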