How DNS works
First of all, we are going to explain what DNS is and how it works, so that we can better understand what DNSSEC is for. DNS stands for Domain Name System.
When we surf the Internet, we simply type the name of the site into the browser and the page loads. For example, we type redeszone.net to enter RedesZone. But of course, there is something else going on behind that. This is precisely where DNS comes into play.
What DNS does is translate those domain names, such as RedesZone, into the IP address that corresponds to the site. This way we do not have to remember a long string of numbers with no obvious meaning, which is what the IP address is, but simply the name.
To do this, DNS servers use a database, which has to be as up to date as possible. They basically act like a phone book that links websites to their corresponding IP addresses.
What is DNSSEC?
So what does DNSSEC mean? How does it relate to what we have explained about DNS servers? We can say that it is directly linked to them, but that it improves security. It adds an extra layer of protection to the DNS servers that a web domain has.
DNSSEC is based on digital signatures that the DNS client checks, and in this way it verifies that the information is correct and comes from the authorized DNS servers.
What DNSSEC does is digitally sign the records used for DNS lookups. It uses public-key cryptography such as RSA and DSA for this. It also uses hash algorithms like SHA-1, SHA-256 and SHA-512. All this serves to verify that the data has not been modified and that the data being sent and received is the data that corresponds to the request.
Prevents security attacks
The use of DNSSEC is important in order to avoid certain security attacks on the network. As we have seen, it lets us verify that what we receive for our request is really the correct answer. This prevents us, for example, from ending up on a website that has been created solely to steal passwords.
This is what is known as a phishing attack. We access a web page to open our mail, a social network such as Facebook or even our bank account, but in reality we are being sent to a site that pretends to be the original and that is designed to steal the username and the access codes.
You need to use DNS servers that support DNSSEC
Keep in mind that, in order to surf the Internet with the DNSSEC protocol, it is essential to use DNS servers that are compatible. We can easily change this, and for example we can use Google's, which are compatible.
To change the DNS servers in Windows, we go to Start, then Settings, then Network and Internet, then Change adapter options. We right-click on the network card that interests us and click Properties. Next we select Internet Protocol Version 4 (TCP/IPv4) and, once again, click Properties. A new window will open, and we have to click on Use the following DNS server addresses. There we fill in the ones we are going to use.
How to know if a page uses DNSSEC
But do all web pages have the DNSSEC protocol enabled? It is possible to know whether a website has it activated or not. This helps us to better understand the security of the pages we are browsing.
There are several online tools that tell us whether a website has the DNSSEC protocol implemented. We must point out that, although it is an interesting security measure, the truth is that many pages today do not include it. This does not mean that such a site is dangerous or insecure, or that it can be used to steal passwords and data, but it does mean that it does not have that extra layer of security.
To find out if a website uses DNSSEC, we can go to DNSSEC-Analyzer. It is a free service that belongs to Verisign. Once inside, we will find an initial page, as we can see in the image.
When we type the name of the domain that interests us and press Enter, a series of details about that domain will automatically appear. If the result looks like the one in the image below, it means that this specific website does not have DNSSEC configured.
An alternative option is DNSViz. It works in a similar way to the previous one. We enter the corresponding web domain and start the analysis. It will automatically show us a series of details to verify whether the domain has DNSSEC configured or not.
We can also find an extension that is available for browsers like Chrome or Firefox. This is DNSSEC-Validator. We can install it in the browser, and it will tell us in a simple way whether the page we are visiting is compatible with DNSSEC or not.
It shows this information as an icon in the browser bar. This indicator lets us know at all times whether or not the website we are on is compatible. It appears in green if it is and in red if it is not.
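The same check can be made on a DNS response directly, by asking for signatures with the EDNS0 "DNSSEC OK" bit and then reading the AD (Authenticated Data) flag and the RRSIG records in the answer. The following is an added example, not part of the original article; the function names and the sample response are constructed for illustration.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_RD, FLAG_AD, EDNS_DO = 0x0100, 0x0020, 0x8000  # DO = "DNSSEC OK"

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"

def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Query with an EDNS0 OPT record whose DO bit asks for RRSIG records."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return header + question + opt

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def dnssec_status(msg):
    """Read the AD flag and look for RRSIG records in the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    types = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        types.append(rtype)
        pos += 10 + rdlen
    return {"authenticated": bool(flags & FLAG_AD), "signed": TYPE_RRSIG in types}

# Constructed sample response (not captured traffic): an A record and, optionally,
# an RRSIG with placeholder rdata; owner names are pointers to offset 12.
def sample_response(signed=True, ad=True):
    rr = lambda t, rd: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
    answers = [rr(TYPE_A, bytes([192, 0, 2, 1]))] + ([rr(TYPE_RRSIG, b"\x00" * 4)] if signed else [])
    flags = 0x8180 | (FLAG_AD if ad else 0)  # QR, RD, RA, plus AD when validated
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"".join(answers)
```

A set AD flag means the resolver validated the signature chain; the client is still trusting that resolver and the path to it.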
In short, DNSSEC is a protocol that complements DNS to add an extra layer of security. We have explained what it consists of, why it is worthwhile for pages to have it, and how we can find out whether a website is compatible or not.