DNS, DHCP & IP Address Management appliances
For Microsoft DNS & DHCP servers
For open source DNS & DHCP servers
Cloud-based visualization of analytics across DDI architecture
Manage multi-vendor cloud DNS servers centrally
RIR Declaration Management and Automation
Automated network device configuration and management
Centralized visibility over all your clouds
A single source of truth for your network automation
Why DDI is an Obvious Starting Point
DNS Threat Intelligence for proactive defense
Intelligence Insights for Threat Detection and Investigation
Adaptive DNS security for service continuity and data protection
Improve Application Access Control to prevent spread of attacks
Protect users and block DNS-based malware activity
Carrier-grade DNS DDoS attack protection
Optimize application delivery performance from the edge
for Proactive Network Security
Visibility, analytics and micro segmentation for effective Zero Trust strategy
Enable work from anywhere by controlling access, security and data privacy
Simplify management and control costs across AWS, Azure and GCP environments
Policy enforcement, risk management, and automation for simplifying compliance
Risk-free migration to reduce DDI complexity and cost
Move risk-free to improve performance, security and costs
Automate management, unify control and strengthen security of connected devices
Protect your network against all DNS attacks, data exfiltration and ransomware
Enable zero touch operations for network management and security
Improve resiliency, deployment velocity and user experience for SD-WAN projects
Integrated DNS, DHCP, IPAM services to simplify, automate and secure your network.
Simplify design, deployment and management of critical DDI services for telcos
Optimize administration and security of critical DDI services for healthcare
Simplify and automate management of critical DDI services for finance
Simplify and automate management of critical DDI services for higher education
Simplify and automate management of critical DDI services for retail
Simplify Management and Automation for Network Operations Teams
Elevate SecOps Efficiency by Simplifying Threat Response
Open architecture for DDI integration
Technology partnerships for network security & management ecosystems
Extend security perimeters and strengthen network defenses
Submit requests for temporary licenses
Submit access requests for EfficientIP knowledge platforms
Submit membership requests for EfficientIP Community
Strengthen Your Network Protection with Smart DNS Security
Customer-centric DDI project delivery and training
Acquire the skills needed to manage EfficientIP SOLIDserverโข
Identify vulnerabilities with an assessment of your DNS traffic
Test your protection against data breaches via DNS
Dedicated representation for your organization inside EfficientIP
Explore content which helps manage and automate your network and cloud operations
Read content which strengthens protection of your network, apps, users and data
Learn how to enhance your app delivery performance to improve resilience and UX
Why Using DNS Allow Lists is a No-Brainer
This enterprise-grade cloud platform allows you to improve visibility, enhance operational efficiency, and optimize network performance effortlessly.
Who we are and what we do
Meet the team of leaders guiding our global growth
Technology partnerships for network security and management ecosystems
Discover the benefits of the SmartPartner global channel program
Become a part of the innovation
The latest updates, release information, and global events
DNSSEC, or the Domain Name System Security Extensions suite, is used to strengthen DNS protocol security, because the DNS protocol is by design not secure. In particular, it doesnโt check for credentials before accepting an answer. But what is DNSSEC? How does DNSSEC work? In this DNSSEC guide we explain what it is, why itโs important for network security, how it works, and the benefits it brings.
DNSSEC enhances DNS security by adding a layer of trust through authentication using digital signatures based on public key cryptography. Rather than signing the DNS queries and responses, with DNSSEC the DNS data itself is signed by the owner of the data.
Each DNS zone is assigned a public/private key pair. The private key, kept secret by the zone owner, is used to sign the DNS data within the zone, producing digital signatures. The corresponding public key is published within the zone and can be accessed by anyone. When a recursive resolver queries data from the zone, it also retrieves the public key and uses it to verify the signature on the DNS data. If the signature is valid, the resolver confirms the data is authentic and returns it to the user. If the signature check fails, the resolver treats the data as potentially compromised, discards it, and returns an error to the user.
In a nutshell, a server offering DNSSEC for its zones and records allows:
DNSSEC is generally considered to be part of the best practices for DNS Security. It comes on top of the standard recursion process used during resolution. It uses the opposite path, from the record up to the root zone during the validation process, as shown on the diagram further down.
DNSSEC helps prevent DNS attacks like DNS cache poisoning, DNS spoofing, and DNS tunneling. DNSSEC does not protect the entire server, it only protects the data exchanged between signed zones. As a reminder, DNSSEC does not provide privacy.By providing origin authentication, DNSSEC protects the DNS information exchanged between name servers configured with DNSSEC. DNSSEC ensures data protection from one signed zone to the other, whether the answer to the request is successful or not.
DNSSEC is based on public key cryptography, certificates and digital signatures. DNSSEC secures the Domain Name System by attaching digital signatures to standard DNS records. These cryptographic signatures are kept on DNS name servers together with conventional record types like A, AAAA, MX, and CNAME. By verifying a recordโs corresponding signature, you can ensure it originated from its authoritative name server and hasnโt been tampered with in transit – thus protecting against forged records from man-in-the-middle attacks.
To enable signature verification, DNSSEC introduces several new DNS record types:
The global picture of components and records is presented in the following diagram:
The process of certification is mainly based on digital signature. Each record is supplemented by its signed hash version which can be used by the client or the recursive DNS server to verify the record. Public keys are published in records to allow the requester to validate signatures using the principle of digital signature: private key used to produce a signature that can be validated using the public key.
DNSSEC controls the integrity of records gathered in DNS answers. Once receiving a DNS answer from a request on a record, the client can validate the integrity of this record. It is possible to validate the integrity of records provided from a cache or from an authoritative answer.
Integrity control is based on cryptography using signatures: a hash of the record signed with the private key can be verified with the public key, the record and the signature. The signature is applied to a hash of the record, allowing signature on any kind of record of any length.
Each DNS zone has a key set (public and private parts – the ZSK) that is used to sign the records contained within the zone. The private part of the key is kept secured by the zone owner. The public part is published as a record (DNSKEY ZSK – id 256).
For each record of the zone, a specific record signature is also published in the zone – the RRSIG record. This record is published in order for the client to validate the integrity of the answer content. The content of the RRSIG record is a signature of the record hash.
The verification process guarantees that the record has been signed with the ZSK in the zone:
DNSSEC ensures that client queries are answered by the proper zone. In order to be sure the key used to sign the record is valid and associated with the legitimate zone, we use the following verification process:
In order to ascertain the DNS record signature is fully valid, we can reiterate the validation through the DS record up to the DNS root servers. Since all domains are linked together in the DNS hierarchy, the KSK key of each is reported in the DS record of the upper domain. The root domain cannot be validated through the same principle since the DS key is not stored in another domain. The content of the root anchor keys should be gathered through another channel.
The process where cryptographic keys are used to sign other cryptographic keys is known as a chain of trust. The public key at the start of this chain is referred to as a trust anchor. Resolvers maintain a list of these trust anchors – public keys for specific zones that they inherently trust. Typically, most resolvers are configured with a single trust anchor: the public key for the root zone. By trusting this top-level key, a resolver can establish a chain of trust throughout the DNS hierarchy, provided that each zone along the path is properly signed.
DNSSEC acts as a robust defense against DNS cache poisoning and DNS spoofing, ensuring that the information returned by a DNS resolver truly originates from the authoritative nameserver. Through the use of cryptographic signatures, DNSSEC verifies that DNS responses are genuine and unaltered, preserving the integrity of the data.
Additionally, by authenticating DNS information, DNSSEC helps prevent users from being redirected to malicious websites by cybercriminals, reducing the risk of traffic manipulation via DNS queries. Although it doesnโt protect against all types of cyber threat – such as DDoS attack – DNSSEC significantly improves internet security by confirming the legitimacy of DNS data.
Implementing DNSSEC involves a meticulous setup process and multiple operational modes, which can increase the complexity of managing and securing DNS servers. After activation, it may take up to 24 hours for the changes to fully propagate and for the security features to become active across the internet.
Nevertheless, these challenges do not outweigh the value of DNSSEC. Despite its complexity, the significant security benefits it provides make DNSSEC a valuable investment for organizations focused on strengthening their online defenses.
EfficientIPโs unique 360ยฐ DNS security technology protects organizations against volumetric, exploit and stealth attacks for both public and private DNS infrastructures. As part of this technology, EfficientIP SOLIDserverโข offers a complete solution to easily deploy and maintain DNSSEC.
Key management has been simplified to greatly accelerate rollout of DNSSEC. SOLIDserverโข enables you to manage your DNSSEC deployment from a central point. At the same time, the user-friendly Web interface provides you full control over enforcement of corporate standards. SOLIDserverโข helps you overcome tedious tasks while eliminating complexity and the risk of errors due to command-line operations.
By offering streamlined DNSSEC implementation, EfficientIP simplifies the complex process of adopting DNS Security Extensions, thus helping organizations achieve cybersecurity regulatory compliance for DORA, GDPR, and NIS2. Key requirements related to zone signing and data integrity can be met effortlessly, ensuring trust and security across the DNS infrastructure.
Yes, DNSSEC is essential for verifying the authenticity of DNS records and protecting against DNS hijacking attempts. It plays a crucial role in maintaining the trustworthiness of DNS data.
DNSSEC improves internet security by ensuring the authenticity and integrity of DNS data. It uses cryptographic digital signatures to verify that responses to DNS queries come from a legitimate source and have not been altered in transit. By securing this foundational layer of internet communication, DNSSEC helps maintain trust in domain name resolution and reduces the risk of users being misled or compromised through DNS-based attacks
DNSSEC protects against several types of attacks that exploit vulnerabilities in the DNS system. Most notably, it defends against cache poisoning and man-in-the-middle attacks by using digital signatures to ensure the authenticity and integrity of DNS data. This prevents attackers from redirecting users to malicious websites by spoofing DNS responses.
DNSSEC defends against DNS-based attacks by attaching cryptographic signatures to DNS records, allowing resolvers to verify the authenticity and integrity of the data before delivering responses to users. This verification process helps block unauthorized alterations and forged DNS data.
In DNSSEC, the chain of trust refers to a hierarchical structure in which each DNS zone is validated by the zone above it. This structure creates a secure verification path from the root zone all the way down to individual domains, ensuring the legitimacy of DNS information throughout the hierarchy.
Implementing DNSSEC can be difficult due to potential incompatibility with existing infrastructure, the complexity of cryptographic key management, and the resource demands of deployment and maintenance. These issues can complicate or delay successful DNSSEC adoption.
After configuring a domain name for DNSSEC, it is important to perform a DNSSEC check to test it is working as expected. Checking the DNSSEC status of a domain name via a DNSSEC test is fairly quick and easy via a DNSSEC checker tool.
Manipulation of DNS messages can redirect IoT devices to a malicious service, jeopardizing user privacy and safety. DNSSEC helps ensure integrity and authenticity of DNS data in IoT networks: the DNS resolver in IoT systems uses the DNSKEY record to verify the cryptographic signatures in DNS records. This provides protection against DNS spoofing (cache poisoning), man-in-the-middle attacks (MITM), and botnet attacks used for DDoS attacks.