DNSSEC and DANE make the internet more secure

19.05.2017

According to the Febelfin banking federation, 475 internet banking fraud cases were recorded in 2016. This is an increase of almost 70 percent compared to 2015. DNSSEC and DANE can make the internet more secure.

DNS (Domain Name Server) is a system that ‘translates’ domain names into the IP addresses linked to them, and vice versa. When you enter the name of a website in your browser, your computer (the client) consults a name server for this domain name before contacting the web server at the IP address of that domain. You need DNS to surf, but also to send e-mails, to transfer files, for online shopping, internet banking, etc.
 
The DNS protocol was designed in the 1970s for military purposes. Most importantly, it had to be robust; security was not provided in the original design. When a DNS server does not have a secure configuration or there is a bug in the DNS software, fraudsters are able to infect the temporary cache of name servers with false information. If this happens, a domain name is no longer connected to the right IP address and you are not directed to the website you wanted to visit. In these cases you might end up on 'fake sites' that look like the website you intended to visit. If you enter your personal details on these sites, they can be misused.

From DNS to DNSSEC

Domain names can be protected with DNSSEC. This is a cryptographic security extension for the DNS protocol. Clients that support this extension receive address information with a digital signature from the name server. The integrity of the name server and the transport of the DNS information are protected. When you visit a website or send an e-mail, this digital signature is checked with security keys for that specific domain. If the key is correct, the website opens in your browser. If the supplied information is not correct, you don’t see anything: the requested page seems to be unavailable. DNSSEC is one link in the security chain of a website in the same way as an SSL certificate and an https connection. More information about the exact operation of the protocol is available in our knowledge database.

DNSSEC and DANE

Visitors to domain names protected with DNSSEC are thus better protected against being redirected to false IP addresses. It makes internet traffic more secure but is not the ultimate security solution. For instance, it offers no protection against URL spoofing, i.e. impersonating a URL to mislead surfers and make them believe they are visiting the real site. Certificates can be forged, and the lock in your browser still turns green.
With DANE (a standard based on DNSSEC for the security of web and mail connections), the authenticity of the server certificate is verified. For such a domain name, a record is placed in DNS and protected by DNSSEC so that it cannot be manipulated by third parties.
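
The check a DANE-aware client performs, as an added example that is not part of the original article or DNS Belgium's own code: the DNS record DANE uses is the TLSA record (RFC 6698), and the sketch below matches a usage 3 (DANE-EE) record against what the server presented. The function names, the `dnssec_validated` flag (assumed to come from the caller's validating resolver) and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac

# Matching types defined for TLSA records in RFC 6698.
MATCHERS = {
    0: lambda data: data,                           # full bytes, no hash
    1: lambda data: hashlib.sha256(data).digest(),  # SHA-256
    2: lambda data: hashlib.sha512(data).digest(),  # SHA-512
}

def parse_tlsa(rdata):
    """Parse TLSA rdata in presentation form: 'usage selector mtype hex'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("expected: usage selector matching-type data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage != 3:
        raise ValueError("this sketch handles only usage 3 (DANE-EE)")
    if selector not in (0, 1) or mtype not in MATCHERS:
        raise ValueError("unknown selector or matching type")
    return selector, mtype, bytes.fromhex("".join(parts[3:]))

def dane_ee_matches(rdata, cert_der, spki_der, dnssec_validated):
    """True only if the TLSA answer was DNSSEC-validated and pins this server."""
    if not dnssec_validated:
        return False  # an unsigned TLSA answer could be forged, so it proves nothing
    selector, mtype, expected = parse_tlsa(rdata)
    # Selector 0 pins the whole certificate, selector 1 only its public key.
    presented = cert_der if selector == 0 else spki_der
    return hmac.compare_digest(MATCHERS[mtype](presented), expected)

# Constructed stand-ins for the DER bytes a TLS client would receive.
SAMPLE_CERT = b"constructed certificate bytes"
SAMPLE_SPKI = b"constructed public key bytes"
SAMPLE_RECORD = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()

if __name__ == "__main__":
    print(dane_ee_matches(SAMPLE_RECORD, SAMPLE_CERT, SAMPLE_SPKI, True))
    print(dane_ee_matches(SAMPLE_RECORD, SAMPLE_CERT, b"other key", True))
    print(dane_ee_matches(SAMPLE_RECORD, SAMPLE_CERT, SAMPLE_SPKI, False))
```

A certificate whose key does not match the signed record is rejected even if it would otherwise look valid to the browser, and a matching record is ignored when it did not arrive with a valid DNSSEC signature.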

Remain alert

Of course, internet users have to remain vigilant and not blindly trust e-mails that seem to come from their bank. Don't open any attachments in e-mails you don't trust and don't accept requests from websites that ask for your login data or passwords.

server

A computer program or hardware device that provides services to other computer programs or users.

cache

A place where data is stored temporarily.

Name server

A server that translates a domain name into an IP address. If you enter a domain name (e.g. dnsbelgium.be) in your browser for the first time, your computer will ask the name server linked to the web page you are looking for which IP address it has to navigate to.

Browser

A program that makes it possible to access and read web pages. Internet Explorer, Google Chrome, Mozilla Firefox and Safari are some well-known browsers.

Spoofing

The stealing of a computer’s identity. By making some technical adjustments, a computer is able to intercept all traffic from and to another computer. In this way the computer 'in the middle' is able to "eavesdrop on" the communication between two computers.

DNS

Domain Name System or Domain Name Server. The global DNS is the system and protocol used on the internet to translate domain names into IP addresses and vice versa. 

DANE

DANE is a standard based on DNSSEC for the security of web and mail connections.

DNSSEC

(Domain Name System Security Extensions) is a security extension to the existing DNS protocol: it is designed to stop criminals from diverting internet users to forged websites.
DNS Belgium