Published On -

Strengthening the DNS Infrastructure

through DNSSEC Validation

The Internet relies heavily on the Domain Name System (DNS) to translate human-readable domain names (example.com) into IP addresses (198.51.100.10, DB8:C001:ABCD:09C0:876A:130B:0000:130F),
facilitating the seamless transfer of data and communication across the globe.
While DNS is known for its critical role at the backbone of the Internet,
its vulnerabilities have made it an enticing target for cyber threats.

Why is the DNS critical in the Internet Ecosystem?

The Domain Name System acts as the Internet's directory, mapping human-friendly domain names to machine-readable IP addresses, ensuring users can access websites, send emails, and perform various online activities without needing to memorise complicated strings of numbers such as 198.51.100.10 or DB8:C001:ABCD:09C0:876A:130B:0000:130F. However, the critical nature of DNS and its pervasive use has made it an attractive target for cyber attackers.

What are the Vulnerabilities in the DNS?

Despite its critical role, DNS has vulnerabilities and flaws. Like many other notable Internet protocols, the DNS was designed with minimal security features, making it vulnerable to various attacks. Common attacks include DNS cache poisoning, DNS spoofing, and DDoS attacks on DNS servers. These attacks can result in users being directed to malicious websites, data theft, and service disruption.

Some flaws in the DNS include:

No authentication and Lack of Data
Privacy

Traditional DNS queries are typically sent in plaintext, which means that anyone intercepting network traffic can see the websites you are accessing. This lack of privacy can raise concerns about user data protection.

Centralised
Model

The DNS system relies on a hierarchical, centralised model. While this model ensures consistency and scalability, it can also create single points of failure and vulnerability.

The DNS relies on UDP, a Stateless
Protocol

Because the source IP addresses are blindly trusted, an attacker can trick a DNS recursive resolver into storing incorrect DNS records. The incorrect records will then be used to respond to DNS queries.

This is called “DNS poisoning” attack and can be used to redirect web browsers and other applications to incorrect servers causing a traffic hijack.

Introducing DNSSEC: The Solution for Enhanced DNS Security

DNS Security Extensions (DNSSEC) emerged to address inherent security weaknesses within the DNS infrastructure, providing enhanced security through public key cryptography.


DNSSEC digitally signs DNS data, enabling users to validate the information's authenticity and integrity. Using cryptographic techniques such as public key encryption establishes a trustworthy chain from the root DNS server to end-users, effectively thwarting DNS cache poisoning and providing validated data.

This suite of techniques offers crucial advantages:

Enhanced
Security

DNSSEC leverages public key cryptography to fortify DNS, strengthening its resilience against potential attacks.

Data
Integrity

Users can rely on the accuracy and authenticity of the DNS data they receive.

Threat
Mitigation

DNSSEC helps prevent DNS-based threats like cache poisoning, providing authenticity and integrity verification for DNS data.

Protecting Digital
Integrity

Implementation of DNSSEC safeguards online presence, enhancing user experiences and protecting businesses.

Mitigating DNS Threats with DNSSEC

Preventing Cache Poisoning

DNSSEC's verification mechanisms substantially reduce the risk of cache poisoning attacks, ensuring data retrieved from DNS servers is reliable and unaltered.

Verifying Data Authenticity

DNSSEC's digital signatures authenticate the DNS data, thus ensuring that it originates from a trusted source and remains unaltered during its transmission.

AFRINIC’s Contributions to DNSSEC Infrastructure

As a pivotal entity in shaping a secure online environment, AFRINIC plays a significant role in managing and maintaining Reverse DNS (rDNS) zones for the IP space allocated to its members.

These zones encompass
both IPv4 and IPv6 spaces:

IPv4

41.in-addr.arpa.
196.in-addr.arpa.
197.in-addr.arpa.
102.in-addr.arpa.
105.in-addr.arpa.
154.in-addr.arpa.

IPv6

0.c.2.ip6.arpa.
3.4.1.0.0.2.ip6.arpa.
2.4.1.0.0.2.ip6.arpa.
You can find the published rDNS zone data on our AFRINIC FTP server.

The primary objective of AFRINIC's DNSSEC deployment is to:

Digitally sign
these zones

Publish DS records
in the parent zones.

Accept DS records
from its members.

AFRINIC meticulously crafted an incremental deployment plan for DNSSEC,
allowing scrutiny at every phase:

Phase 1 - Published Unsigned Zones:

  • Initial assessment of the signer's operation and the updated provisioning system.
  • Generation of consistent, signed zones and non-DNSSEC queries on both unsigned and signed zones.
  • DNSSEC queries to the signed zones.
  • Evaluation of the operation of the signer and the updated provisioning system.

Phase 2 - Publish Signed Zones:

  • Transition from publishing unsigned to signed zones.
  • Rigorous testing including zone transfer consistency and DNSSEC queries on all name servers.
You can find the published rDNS zone data on our AFRINIC FTP server.

AFRINIC Contributing to Internet development in Africa

In addition to our technical efforts, AFRINIC is dedicated to capacity building and improving Internet infrastructure resilience in the African region.

We are pleased to report that DNSSEC adoption in Africa is progressing and standing at around 30%. The detailed statistics can be found on the slides of the webinar here.

We also deliver a webinar series to addresses various Internet-related issues, including cybersecurity. We recently hosted a two-part webinar on DNS Security with over 700 attendees. These webinars covered the KINDNS program, which empowers DNS operators to enhance the security and efficiency of their DNS infrastructure. We invite DNS operators who wish to enhance the security and effectiveness of their services to join ICANN’s KINDNS initiative here.

AFRINIC remains committed to strengthening Internet resilience and promoting DNSSEC initiatives in our service region. We acknowledge that there is work to be done to catch up with the gap, and with your support, we can continue to make great strides in securing the Internet in Africa.