Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Google Implements DNSSEC Validation for Public DNS

Google on Tuesday announced that it now fully supports DNSSEC (Domain Name System Security Extensions) validation on its Google Public DNS resolvers.

Previously, the search giant accepted and forwarded DNSSEC-formatted messages but didn’t actually perform validation.

Google on Tuesday announced that it now fully supports DNSSEC (Domain Name System Security Extensions) validation on its Google Public DNS resolvers.

Previously, the search giant accepted and forwarded DNSSEC-formatted messages but didn’t actually perform validation.

“With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains,” Yunhong Gu, Team Lead, Google Public DNS wrote in a blog post.

DNSSEC“DNSSEC is a critical step towards securing the Internet,” Gu continued. “By validating data origin and data integrity, DNSSEC complements other Internet security mechanisms, such as SSL. It is worth noting that although we have used web access in the examples above, DNS infrastructure is widely used in many other Internet applications, including email.”

Google said that its Public DNS currently serves more than 130 billion DNS queries on average each day. However, Google said, only 7% of those queries from the client side are DNSSEC-enabled, with approximately 3% requesting validation and 4% requesting DNSSEC data but no validation. About 1% of DNS responses from the name server side are signed, Google said.

“Effective deployment of DNSSEC requires action from both DNS resolvers and authoritative name servers,” Gu said. “Resolvers, especially those of ISPs and other public resolvers, need to start validating DNS responses. Meanwhile, domain owners have to sign their domains.”

According to Gu, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned.

According to the National Institute of Standards and Technology (NIST), there has been no progress in enabling DNSSEC on 98 percent of all 1,070 industry domains tested as of March 18, 2013.  

In a recent SecurityWeek column, Ram Mohan explained that while DNSSEC does not solve every Internet-based security issue, it does offer a more advanced level of user security for directory look-ups than is currently in use.

Advertisement. Scroll to continue reading.

“For example, DNSSEC can ensure that a Web browser knows where to find the site you are trying to reach,” Mohan explained. “Browsers can employ this information to help protect users from phishing attacks and from being hijacked. Although browsers don’t use DNSSEC in this way today, they easily could (and probably should.) Although you can still be hijacked and your site could still be the victim of phishing attacks, including DNSSEC in an overall security strategy will help to mitigate the risk to users.”

Mohan also suggested that DNSSEC complements other security technologies and provides a platform for yet-to-be-developed innovations.

In early 2012, Comcast moved to DNSSEC-validating DNS servers for its millions of customers, and signed all of the domains used by the company, such as www.comcast.net, making it first large ISP in the North America to have fully implemented DNSSEC.

“Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment,” Google’s Gu said.

More information on Google’s DNSSEC support can be found in the FAQ and Security pages.

Related Reading: DNSSEC Deployment -The Time is Now 

Related ReadingThe Implementation Challenges for DNSSEC

Related Reading: When DNSSEC Goes Bad: Recovering from DNSSEC Errors

Related Reading: Deploying DNSSEC – Four Ways to Prepare Your Enterprise

Related Reading: Five Strategies for Flawless DNSSEC Key Management and Rollover

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet