By way of simple explanation, every website has an IP (internet protocol) address and if you were to type an IP address into your web browser’s address bar then you would be directed to that web site. However, using IP addresses is a bit impractical so URLs are used as they are more memorable. The Domain Name System (DNS) makes the link between the IP address and web address you type in for you and redirects you to the site you requested.
This process takes place at local DNS root servers where the translation and redirection requests are processed. There are about 200 of these servers worldwide which can currently be hacked into relatively easily, as security was not a big consideration when the system was set up in 1983, resulting in users being redirected to websites that they did not request. A recent example was by the Iranian Cyber Army that ‘hacked’ into Twitter and Baidu and redirected users to their own web page.
Whilst this group’s attack was purely political, they could easily have redirected users to websites to infect their computers with malware.
These security problems have been around for a while and the US government named making DNS security as one of the key points in its National Strategy to Secure Cyberspace paper back in 2003!!
With Domain Name System Security Extension (DNSSEC), this sort of attack would not have been possible. DNSSEC is a way to protect DNS information and ensure that IP addresses and URLs are from a verified source – the root server will wait for a digitally signed response from the web site requested. Without a signed response the user will not be redirected to the requested URL.
DNSSEC has already been deployed in a number of countries, e.g. Bulgaria and Sweden, and will be rolled out to all 200 DNS root servers over the next six months or so.
You will only need to prepare for this changeover if you own a website, and then it will probably be taken care of for you by your hosting company, and uses a process similar to SSL certificates.Tweet