The Domain Name System Security Extensions (DNSSEC) is a set of specifications that extend the DNS protocol by adding cryptographic authentication for responses received from authoritative DNS servers. Its goal is to defend against techniques that hackers use to direct computers to rogue websites and servers. While DNSSEC has already been deployed for many of the generic and country-level top-level domains (TLDs), adoption at the individual domain level and end-user level has lagged behind.
What is DNS spoofing and hijacking?
In 2008, security researcher Dan Kaminsky discovered a fundamental flaw in the DNS protocol that impacted the most widely used DNS server software. The flaw allowed external attackers to poison the cache of DNS servers used by telecommunications providers and large organizations and force them to serve rogue responses to DNS queries, potentially sending users to spoofed websites or rogue email servers.
That flaw was patched in what was the largest coordinated IT industry response to a security vulnerability up to that time, but the threat of DNS hijacking attacks remained. Since DNS traffic was not authenticated or encrypted, any attacker taking control of a DNS server in a user’s DNS resolution path could serve malicious responses and redirect them to a malicious server — a man-in-the-middle scenario.