Low DNSSEC Adoption Rate Exposes Organizations To Cyberattack
by Arina Smith Technology 28 August 2021
A recent report describes adoption rates of advanced DNS security measures as “inadequate” and “dismal,” terms that seldom appear in security circles. This time, we look under the hood to discover why Domain Name System Security Extensions (DNSSEC) adoption is so weak and how to get access to its powerful capabilities.
Ignored and Devalued, DNSSEC Neutralizes Security Risk
Unfortunately, DNSSEC is not widely used today. As of June 2021, the worldwide rate of DNSSEC adoption is an estimated 26 percent. Whatever DNSSEC shortcomings might be (and there are some), it makes internet communications safer. So, why is it used so seldom?
What is DNSSEC, and how is it useful?
If the modern internet has a critical infrastructure, it’s definitely the Domain Name System (DNS). Developed when the internet was run by academics, it was a small-scale operation, and no one worried about online thuggery. Cybersecurity was not a priority. But as the internet grew by including ever more activities and data, security flaws became plain, and the value of a secure DNS became clear.
To ensure safe communication in this burgeoning environment, IT engineers developed DNSSEC. This set of DNS security extensions makes the internet a safer communications environment by protecting DNS data, and the resolver caches that hold it, from forged answers. DNSSEC was developed to address the uncertainty of who is at the other end of your communications. It was and still is seen as a valuable way to stop cyberattacks and certify that the domain name you use is legitimate.
The usefulness of DNSSEC lies in its ability to strengthen DNS authentication: zone data is digitally signed with public-key cryptography, so a validating resolver can verify that the records it receives are genuine and unaltered. Without DNSSEC, attackers can redirect a user to a destination other than the one they intended, without the user realizing what happened.
Low DNSSEC engagement means that domain owners give a helping hand to cyber attackers in their quest for disruption and cash. When an organization becomes a victim of domain name hijackings or misuse, consequences are harmful and expensive. So, when it’s time to review and plan enterprise risk management strategies, it’s a good idea to put DNSSEC adoption on the to-do list.
So how does a domain owner secure their piece of the DNS? It’s a two-step process, which involves validating a domain and adding advanced capabilities to strengthen DNSSEC implementation and operations.
Step 1: Validate the domain
Nobody said that validating your domain under its top-level domain (TLD) is easy. The complex process is one reason why DNSSEC adoption rates are so low. But using this list of must-do tasks can help you complete the validation process.
First, make sure that your:
- TLD has been signed. Most TLDs (.com, .org, and many country-code TLDs) have been signed, but many have not. Check the full list of signed TLDs to verify that your domain's TLD is signed.
- Domain registrar supports DNSSEC. Wherever you registered your domain, its registrar must sign and accept delegation signer (DS) records, which carry the required information (key tag, algorithm, and a digest) about the keys used to sign your DNS zone. Your registrar must also provide DS records to the parent domain (typically, this is a TLD). You can find a list of registrars supporting DNSSEC here.
- DNS hosting provider supports DNSSEC. Often, a “registrar” also provides “DNS hosting” services. That is, they host your DNS records, permit you to manage them, and publish them to the global DNS. However, you may choose to run your own name servers and manage DNS hosting chores yourself. Whatever your situation, DNSSEC support is a must. Again, many DNS hosting providers automate DNSSEC—all the essential generation and signing steps are handled automatically on your behalf.
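The DS record handed to the registrar is derived from the zone's DNSKEY: its digest covers the owner name in canonical wire form followed by the DNSKEY RDATA, and its key tag is the RFC 4034 checksum of that RDATA. The following added example (not code from the original article or from any registrar or hosting provider) shows how a domain owner can compute the DS record for a DNSKEY and check that what the parent publishes matches what the child zone actually signs with, which is the usual way a broken delegation is caught before it causes validation failures. The DNSKEY and DS lines it parses are constructed samples with a placeholder public key, not real keys.

```python
import base64
import hashlib
import hmac
import struct

# Digest types registered for DS records (RFC 4034 / RFC 4509 / RFC 6605).
DS_DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed,
    terminated by the root label (RFC 4034 section 6.2)."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    wire = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B (for all algorithms except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY line into (owner, flags, protocol, algorithm, key_b64).
    Only the field layout used in zone files is handled here (assumption of this example)."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1 : idx + 4])
    return owner, flags, protocol, algorithm, "".join(fields[idx + 4 :])


def parse_ds(line: str):
    """Parse a presentation-format DS line into (key_tag, algorithm, digest_type, digest_hex)."""
    fields = line.split()
    idx = fields.index("DS")
    tag, algorithm, digest_type = (int(f) for f in fields[idx + 1 : idx + 4])
    return tag, algorithm, digest_type, "".join(fields[idx + 4 :]).upper()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            public_key_b64: str, digest_type: int = 2):
    """Compute the DS record (key_tag, algorithm, digest_type, digest_hex) for a DNSKEY.
    digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DS_DIGEST_ALGORITHMS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()


def ds_matches(published_ds, owner: str, dnskey) -> bool:
    """True when the DS the parent publishes corresponds to the child's DNSKEY.
    A mismatch here (after a key rollover, for instance) breaks the chain of trust."""
    tag, algorithm, digest_type, digest = published_ds
    if digest_type not in DS_DIGEST_ALGORITHMS:
        return False  # unknown digest type: cannot be verified
    flags, protocol, key_alg, key_b64 = dnskey
    expected = make_ds(owner, flags, protocol, key_alg, key_b64, digest_type)
    return (expected[0] == tag and expected[1] == algorithm
            and hmac.compare_digest(expected[3], digest))


# Constructed sample records; "AQI=" is a placeholder key, not a real RSA public key.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AQI="


def check_delegation(dnskey_line: str, ds_line: str) -> bool:
    """Check a child DNSKEY (KSK) against the DS record published at the parent."""
    owner, flags, protocol, algorithm, key_b64 = parse_dnskey(dnskey_line)
    return ds_matches(parse_ds(ds_line), owner, (flags, protocol, algorithm, key_b64))


if __name__ == "__main__":
    owner, flags, protocol, algorithm, key_b64 = parse_dnskey(SAMPLE_DNSKEY)
    tag, alg, dtype, digest = make_ds(owner, flags, protocol, algorithm, key_b64)
    ds_line = f"{owner} 3600 IN DS {tag} {alg} {dtype} {digest}"
    print("DS record to hand to the registrar:", ds_line)
    print("Parent DS matches child DNSKEY:", check_delegation(SAMPLE_DNSKEY, ds_line))
```

In practice the DNSKEY comes from the child zone's own name servers and the DS from the parent (queried at the TLD's servers), and the comparison is the same; most signing tools emit the DS line directly, but recomputing it independently is a cheap way to confirm that the registrar published the right value.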
But there’s more that you can do to strengthen DNSSEC capabilities.
Step 2: Add advanced capabilities to strengthen DNSSEC implementation and operations.
When you look for modern DNS security solutions (or build your own), consider adding these features and capabilities to your DNSSEC implementation:
- Add machine learning and data analytics to your toolkit. You need automation to avoid or neutralize automated attacks. So, include capabilities whose algorithms detect, analyze, and predict DNS-based threats.
- Inspect DNS traffic with data analytics. Monitor and analyze DNS traffic with high-volume, high-speed data handling methods.
- Scale up to address advanced DNS exploits. Protect your IT infrastructure against advanced DNS threats by using high-speed, high-volume data analytics, which works well in easy-to-scale, cloud-based environments.
Organizations implement DNSSEC to reduce the risk to their revenue, business operations, and reputation. For example, exploits such as man-in-the-middle attacks expose a business to the risk of lost customer trust. Online health services risk privacy compliance penalties whenever a data breach or data theft occurs. But there’s good news for organizations looking for support that reduces the complexity and risk of DNS security: automated DNSSEC processes, which operate as a service in the background.