[Security Mod] DNSSEC
INFO
At time of writing (Nov 2023) Azure DNS does not support DNSSEC, and as I'm using Azure DNS to manage the name records for this CRC I have not got it turned on.

DNSSEC (Domain Name System Security Extensions) is a security protocol that adds a layer of security to the Domain Name System (DNS). DNSSEC uses digital signatures to ensure that the responses received from DNS servers are authentic and have not been tampered with. This helps to prevent attacks such as DNS cache poisoning, where attackers redirect users to fake websites by modifying DNS responses. When DNSSEC is enabled, DNS servers sign each response with a private key, and clients can verify these signatures using the corresponding public key. This gives clients a way to confirm that the DNS response they receive is legitimate and has not been altered.
Without DNSSEC
If I use dig to query azureexample.grinntec.net we get just the standard list of DNS data for that site, which amounts to several records because it is hosted on Azure.

```
$ dig azureexample.grinntec.net +short
crctestwebsiteprod-cdn-endpoint-01.azureedge.net.
crctestwebsiteprod-cdn-endpoint-01.afd.azureedge.net.
star-azureedge-prod.trafficmanager.net.
shed.dual-low.part-0016.t-0009.fdv2-t-msedge.net.
part-0016.t-0009.fdv2-t-msedge.net.
13.107.238.44
13.107.237.44
```
When DNSSEC is enabled for the domain and we add +dnssec to the dig command, a new value appears in the output.

```
$ dig azureexample.grinntec.net +short +dnssec
CNAME 13 3 1799 20230427000000 20230406000000 41693 grinntec.net. yZ5UC6NSlboR9syVNGq0gYhVXwC/8X2EEaV5ZHUaLBBVuCLU2bXq1ev6 a20k1W6veXxjWx7f5KZ1mR1wyoQW9Q==
crctestwebsiteprod-cdn-endpoint-01.azureedge.net.
crctestwebsiteprod-cdn-endpoint-01.afd.azureedge.net.
star-azureedge-prod.trafficmanager.net.
shed.dual-low.part-0016.t-0009.fdv2-t-msedge.net.
part-0016.t-0009.fdv2-t-msedge.net.
13.107.237.44
13.107.238.44
```
The DNSSEC value is hard to read in one go. The table below breaks it down into its component parts and explains what each value means.

| Value | Meaning |
|---|---|
| CNAME | The record type being queried |
| 13 | DNSSEC algorithm used to sign the record |
| 3 | DNSSEC key tag, identifies the public key |
| 1799 | TTL for the cache |
| 20230427000000 | Expiration date of the signature |
| 20230406000000 | Creation date of the signature |
| 41693 | Expiration date in the MSFT Excel serial date format |
| grinntec.net | Domain name of the authoritative DNS server that signed the record |
| {RANDOM STRING} | DNS signature, base64-encoded cryptographic data |
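As an added example (not code from the original post), the Python below splits the RRSIG line from the dig output above into its fields using the field order of the RRSIG presentation format in RFC 4034 section 3.2, then checks the signature's validity window and whether the answer was synthesised from a wildcard. The sample line is the one quoted above; the algorithm-number table is the IANA registry subset I am certain of.

```python
# Added example, not from the original post: parse the RRSIG line that
# `dig +short +dnssec` prints and check its validity window. Field order
# follows the RRSIG presentation format of RFC 4034 section 3.2.
from dataclasses import dataclass
from datetime import datetime, timezone

# The RRSIG line quoted in the post, copied verbatim.
SAMPLE_RRSIG = (
    "CNAME 13 3 1799 20230427000000 20230406000000 41693 grinntec.net. "
    "yZ5UC6NSlboR9syVNGq0gYhVXwC/8X2EEaV5ZHUaLBBVuCLU2bXq1ev6 "
    "a20k1W6veXxjWx7f5KZ1mR1wyoQW9Q=="
)
# IANA DNSSEC algorithm numbers (subset in current use).
ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}

@dataclass
class Rrsig:
    type_covered: str   # RR type the signature covers (CNAME here)
    algorithm: int      # signing algorithm number
    labels: int         # label count of the signed owner name
    original_ttl: int   # TTL of the covered RRset when it was signed
    expiration: datetime
    inception: datetime
    key_tag: int        # selects which DNSKEY of the signer verifies this
    signer: str         # zone whose key made the signature
    signature_b64: str  # the base64 signature itself

def _parse_ts(field: str) -> datetime:
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line: str) -> Rrsig:
    p = line.split()
    if len(p) < 9:
        raise ValueError("RRSIG line needs at least 9 fields")
    return Rrsig(p[0], int(p[1]), int(p[2]), int(p[3]), _parse_ts(p[4]),
                 _parse_ts(p[5]), int(p[6]), p[7], "".join(p[8:]))  # dig wraps base64

def is_within_validity(sig: Rrsig, now=None) -> bool:
    # A validating resolver rejects a signature outside [inception, expiration].
    # `now` may be a datetime or an RRSIG-style timestamp string; default is current UTC.
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_ts(now)
    return sig.inception <= now <= sig.expiration

def is_wildcard_expansion(sig: Rrsig, owner: str) -> bool:
    # Fewer labels in the RRSIG than in the owner name means the answer was
    # synthesised from a wildcard record (RFC 4035 section 5.3.4).
    return sig.labels < len(owner.rstrip(".").split("."))
```

Feed it any RRSIG line from `dig +dnssec` to see which zone key (by key tag) a validating resolver would need and whether the signature is still inside its window.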
Lastly, if you dig the domain itself again you can identify whether it has DNSSEC enabled by checking the values in the flags section. If the domain has DNSSEC enabled then it will have the flag ad.

```
$ dig grinntec.net
; <<>> DiG 9.11.5-P4-5.1+deb10u8-Raspbian <<>> grinntec.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62267
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
...DNS record continues
```