{"id":371998,"date":"2021-11-24T21:00:00","date_gmt":"2021-11-24T18:00:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/what-is-dnssec-and-should-you-turn-it-on-for-your-website-cloudsavvy-it\/"},"modified":"2021-11-24T21:00:00","modified_gmt":"2021-11-24T18:00:00","slug":"what-is-dnssec-and-should-you-turn-it-on-for-your-website-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/what-is-dnssec-and-should-you-turn-it-on-for-your-website-cloudsavvy-it\/","title":{"rendered":"#What Is DNSSEC, and Should You Turn It On for Your Website? \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#What Is DNSSEC, and Should You Turn It On for Your Website? \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<figure style=\"width: 700px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage  wp-image-5716 size-full\" srcset=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2020\/03\/05cb47de.png?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, https:\/\/www.cloudsavvyit.com\/p\/uploads\/2020\/03\/05cb47de.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 1200w\" sizes=\"auto, 400w, 1200w\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2020\/03\/05cb47de.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"unlocked networks\" width=\"700\" height=\"300\" data-credittext=\"NicoElNino\/Shutterstock.com\" data-crediturl=\"https:\/\/www.shutterstock.com\/image-photo\/global-cyber-attack-around-world-planet-1391331053\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" 
href=\"https:\/\/www.shutterstock.com\/image-photo\/global-cyber-attack-around-world-planet-1391331053\">NicoElNino\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n<p>DNS was designed over 30 years ago, back when security wasn\u2019t a primary focus of the internet. Without extra protection, it\u2019s possible for MITM attackers to spoof records and lead users to phishing sites. DNSSEC puts a stop to that, and it\u2019s easy to turn on.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"DNS_by_Itself_Is_Not_Secure\"><\/span>DNS by Itself Is Not Secure<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The DNS system includes no built-in methods to verify that the response to the request was not forged, or that any other part of the process wasn\u2019t interrupted by an attacker. This is an issue because whenever a user wants to connect to your website, they have to make a DNS lookup to translate your domain name into a usable IP address. If the user is connecting from an insecure place, like a coffee shop, it\u2019s possible for malicious attackers to <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/DNS_spoofing\">sit in the middle and spoof DNS records<\/a>. This attack could allow them to redirect users to a malicious page by modifying the IP address A record.<\/p>\n<p>Luckily, there\u2019s a solution\u2014DNSSEC, also known as\u00a0DNS Security Extensions, fixes these issues. It secures DNS lookups by signing your DNS records using public keys. With DNSSEC enabled, if the user gets back a malicious response, their browser can detect that. The attackers do not have the private key used to sign the legitimate records, and can no longer pass off a forgery.<\/p>\n<p>DNSSEC\u2019s signing of keys goes all the way up the chain. 
When you connect to <code>example.com<\/code>, your browser first connects to the DNS root zone, managed by IANA, then to the directory for the extension (<code>.com<\/code>, for example), then to the nameservers for your domain. When you connect to the DNS root zone, your browser will check the root zone signing key managed by IANA to verify that it is correct, then the <code>.com<\/code>\u00a0directory signing key (signed by the root zone), then the signing key for your site, which is signed by the <code>.com<\/code>\u00a0directory and cannot be forged.<\/p>\n<p>It\u2019s worth noting that in the near future, this won\u2019t be as much of a problem. <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.howtogeek.com\/448629\/how-dns-over-https-doh-will-boost-privacy-online\/\">DNS is being moved over to HTTPS<\/a>, which will secure it against all kinds of MITM attacks, make DNSSEC unnecessary, and also prevent ISPs from spying on your browsing history\u2014which explains why <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/arstechnica.com\/tech-policy\/2019\/10\/comcast-fights-googles-encrypted-dns-plan-but-promises-not-to-spy-on-users\/\">Comcast is lobbying against it<\/a>. As it stands though, it\u2019s an optional feature in Chrome and Firefox (<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/arstechnica.com\/information-technology\/2019\/11\/microsoft-announces-plans-to-support-encrypted-dns-requests-eventually\/\">with operating system support coming in Windows soon<\/a>), so you\u2019ll still want to enable DNSSEC in the meantime.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"How_to_Enable_DNSSEC\"><\/span>How to Enable DNSSEC<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you\u2019re running a website, especially one that handles user data, you\u2019ll want to turn on DNSSEC to prevent any DNS attack vectors. 
There\u2019s no downside to it, unless your DNS provider only offers it as a \u201cpremium\u201d feature, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/redirect.viglink.com\/?key=204a528a336ede4177fff0d84a044482&amp;u=https%3A%2F%2Fwww.godaddy.com%2Fhelp%2Fenable-dnssec-in-my-premium-dns-account-6420\">like GoDaddy does<\/a>. In which case, we recommend moving to a proper DNS provider, like Google DNS, who won\u2019t nickel-and-dime you for basic security. You can read our guide to using it here, or read more about\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/domains.google.com\/m\/registrar\/transfer\">transferring your domain<\/a>.<\/p>\n<p>If you\u2019re using Google Domains, setup is literally just one button, found in the domain console under \u201cDNS\u201d in the sidebar. Check \u201cEnable DNSSEC.\u201d This will take a few hours to complete and sign all the required keys.\u00a0Google Domains also fully supports DNS over HTTPS, so users who have that enabled will be entirely secure.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3921\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2020\/02\/1c7d72bd.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"check DNSSEC\" width=\"700\" height=\"163\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>For Namecheap, this option is also just a toggle under \u201cAdvanced DNS\u201d in the domain settings, and is entirely free:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" alignnone wp-image-4184 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2020\/03\/7a5739f5.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Toggle DNSSEC\" width=\"640\" height=\"223\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" 
onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>If you\u2019re using AWS Route 53, it, unfortunately, does not support DNSSEC. This is a necessary downside to the elastic DNS features that make it great in the first place: features like Alias records, DNS level load balancing, health checks, and latency-based routing. Because Route 53 can\u2019t reasonably sign these records every single time they change, DNSSEC is not possible. However, if you\u2019re using your own nameservers or a different DNS provider, it\u2019s still possible to enable DNSSEC for domains\u00a0<em>registered<\/em> using Route 53\u2014just not domains using Route 53 as their DNS service.\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/4176\/what-is-dnssec-and-should-you-turn-it-on-for-your-website\/\" target=\"_blank\" 
rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#What Is DNSSEC, and Should You Turn It On for Your Website? \u2013 CloudSavvy IT&#8221; NicoElNino\/Shutterstock.com DNS was designed over 30 years ago, back when security wasn\u2019t a primary focus of the internet. Without extra protection, it\u2019s possible for MITM attackers to spoof records and lead users to phishing sites. DNSSEC puts a stop to&#8230;<\/p>\n","protected":false},"author":1,"featured_media":371999,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2020\/03\/05cb47de.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-371998","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/371998","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=371998"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/371998\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/371999"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=371998"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=371998"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?po
st=371998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}