DNSSEC+: A Secure Model That Addresses the Security Downsides of DNSSEC


The communication between DNS recursive resolvers and authoritative nameservers is largely unsecured, making it susceptible to on-path and off-path attacks.

Though many security proposals have been put forward, they often face implementation challenges or lack adequate security features.


This persistent exposure shows the need for a new, widely deployable secure scheme that overcomes the flaws of previous solutions.

Against this background, cybersecurity researchers at Carleton University recently unveiled “DNSSEC+,” a scheme that keeps the strengths of DNSSEC while addressing its security and deployment downsides.

DNSSEC+ Secure Model

DNS was introduced in the late 1980s for domain name resolution. Resolution has two stages: Stage 1, from the stub resolver to the recursive resolver, and Stage 2, from the recursive resolver to the authoritative nameservers.


Although it was efficient and scalable, the original design ignored security and privacy, opening up vulnerabilities exploited in different attacks.

Many secure DNS approaches have been suggested; however, most target Stage 1 or face adoption difficulties.

Stage 2 proposals other than DNSSEC have seen little real-world adoption, which the researchers attribute to weak security and privacy properties or to deployability concerns.

Two stages of DNS resolution process (Source – Arxiv)

The DNSSEC problems the researchers set out to address are:

  • Reflection amplification: large signed responses are triggered by small, source-spoofed queries
  • Unsigned records: some records, such as glue, are not covered by signatures
  • Expired zone: if re-signing fails, signatures lapse and the whole zone stops validating
  • Zone enumeration: the NSEC chain used for authenticated denial of existence lets anyone list a zone's names
  • Stale records: previously signed records stay verifiable, and so replayable, until their signatures expire
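Zone enumeration is the item on this list that is easiest to see in code. The Go program below is an added example, not code from the paper or from this article: it builds a small constructed NSEC chain for a made-up zone "example." and walks it using only the denial-of-existence records an authoritative server must return, which is the technique tools such as ldns-walk use against NSEC-signed zones. The zone contents, the names and the Zone, Covering and Walk helpers are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// NSEC is one link of a DNSSEC NSEC chain: "Owner exists, has these record types, and
// no name exists between Owner and Next in canonical order".
type NSEC struct {
	Owner, Next string
	Types       []string
}

// Zone is a constructed signed zone for this example; Chain must be in canonical order.
type Zone struct {
	Apex  string
	Chain []NSEC
}

// labels returns a name's labels lowercased and reversed (TLD first), the order in which
// the RFC 4034 section 6.1 canonical comparison walks them.
func labels(name string) []string {
	parts := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
		parts[i], parts[j] = parts[j], parts[i]
	}
	return parts
}

// canonicalLess orders names as RFC 4034 section 6.1 does: label by label from the right,
// bytewise, with a name sorting before its own subdomains.
func canonicalLess(a, b string) bool {
	la, lb := labels(a), labels(b)
	for i := 0; i < len(la) && i < len(lb); i++ {
		if la[i] != lb[i] {
			return la[i] < lb[i]
		}
	}
	return len(la) < len(lb)
}

// Covering returns the NSEC record an authoritative server includes to prove that qname
// does not exist: Owner <= qname < Next, with the last record wrapping around to the apex.
func (z Zone) Covering(qname string) (NSEC, bool) {
	for _, r := range z.Chain {
		if !canonicalLess(qname, r.Owner) && (canonicalLess(qname, r.Next) || r.Next == z.Apex) {
			return r, true
		}
	}
	return NSEC{}, false
}

// Walk enumerates every name in the zone using nothing but denial-of-existence answers.
// "\x00.<name>" is the smallest possible name sorting after <name>, so asking for it
// returns <name>'s own NSEC record, whose Next field reveals the successor.
func Walk(z Zone) []NSEC {
	var found []NSEC
	cur := z.Apex
	for {
		r, ok := z.Covering("\x00." + cur)
		if !ok {
			return found
		}
		found = append(found, r)
		if r.Next == z.Apex {
			return found
		}
		cur = r.Next
	}
}

func main() {
	z := Zone{Apex: "example.", Chain: []NSEC{ // constructed zone data, not a real domain
		{"example.", "alpha.example.", []string{"SOA", "NS", "NSEC", "RRSIG"}},
		{"alpha.example.", "beta.example.", []string{"A", "NSEC", "RRSIG"}},
		{"beta.example.", "internal-db.example.", []string{"A", "NSEC", "RRSIG"}},
		{"internal-db.example.", "www.example.", []string{"A", "NSEC", "RRSIG"}},
		{"www.example.", "example.", []string{"A", "AAAA", "NSEC", "RRSIG"}},
	}}
	for _, r := range Walk(z) {
		fmt.Println(r.Owner, r.Types) // every name and its record types, including internal-db.example.
	}
}
```

Five queries for names that do not exist are enough to recover all five names and their type bitmaps, including the internal host. NSEC3 hashes the names in the chain, which raises the cost of this walk but does not remove it, since the hashes can be cracked offline against a wordlist.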

DNSSEC+ is a new proposal that addresses these problems by preserving DNSSEC's strengths and shrinking its weak areas, borrowing good ideas from other Stage 2 schemes, and keeping performance comparable so that adoption is practical.

DNSSEC+ signs records in real time, as responses are generated, and avoids replicating the zone's private keys across the nameservers that serve it.

It introduces a central key server that authorizes nameserver instances with short-lived signatures, moving from DNS's “logically centralized, but physically distributed” model to a “delegated servers” model.

The system keeps a reverse-tree chain of trust like DNSSEC's, and in addition provides real-time integrity protection for DNS responses.

DNSSEC+ has two modes, privacy-enforcing and no-privacy; the privacy-enforcing mode provides confidentiality for both the query and the response.

These security enhancements require neither additional network round trips nor separate symmetric keys for query and response encryption.

The design addresses significant security flaws in existing DNS security schemes while preserving efficiency, which could improve practical adoption.

DNSSEC+ is thus a Stage 2 secure DNS scheme that improves the security properties while building on DNSSEC's trust model.

It keeps resolution to a single round trip, matching the performance of less secure Stage 2 proposals.

Because nameserver instances may not be fully trusted, the design avoids duplicating long-term zone keys on them. By keeping existing zone file structures and lookup functions, DNSSEC+ stays fully compatible with vanilla DNS.
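To make the delegated-servers model concrete, here is an added Go example of the no-privacy mode as described above. It is illustrative code written for this article, not the researchers' implementation: the message layouts, the 60-second freshness window, and the names Credential, KeyServer, Nameserver, Response and Verify are all this example's own assumptions. The zone's long-term key lives only in KeyServer; each nameserver instance gets a key of its own plus a short-lived credential signed by the zone key; every answer is signed at response time; and the resolver checks the chain of zone key, instance credential and response signature, rejecting expired credentials, replayed or tampered answers, and instances authorized under some other key. The zone key is taken as the resolver's trust anchor, standing in for the reverse-tree validation DNSSEC+ performs up to the root. The privacy-enforcing mode's query and response encryption is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Credential is the short-lived authorization the key server issues to one nameserver
// instance: the instance's public key and an expiry, signed with the zone's long-term
// key. The field layout is this example's own, not the paper's wire format.
type Credential struct {
	InstancePub ed25519.PublicKey
	NotAfter    int64
	Sig         []byte
}

func (c Credential) tbs() []byte {
	return binary.BigEndian.AppendUint64(append([]byte{}, c.InstancePub...), uint64(c.NotAfter))
}

// KeyServer is the only place the zone's long-term private key exists.
type KeyServer struct{ zonePriv ed25519.PrivateKey }

func NewKeyServer() (*KeyServer, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &KeyServer{zonePriv: priv}, pub
}

// Authorize binds an instance key to the zone for a short validity window.
func (ks *KeyServer) Authorize(instancePub ed25519.PublicKey, notAfter time.Time) Credential {
	c := Credential{InstancePub: instancePub, NotAfter: notAfter.Unix()}
	c.Sig = ed25519.Sign(ks.zonePriv, c.tbs())
	return c
}

// Nameserver signs with a key of its own and never holds the zone private key, so an
// untrusted or compromised instance cannot leak it.
type Nameserver struct {
	priv    ed25519.PrivateKey
	Cred    Credential
	records map[string]string
}

func NewNameserver(ks *KeyServer, records map[string]string, notAfter time.Time) *Nameserver {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Nameserver{priv: priv, Cred: ks.Authorize(pub, notAfter), records: records}
}

// Response carries the answer, its signing time and the instance signature; the instance
// credential rides along so the resolver can validate the chain in one round trip.
type Response struct {
	Name, Answer string
	SignedAt     int64
	Sig          []byte
	Cred         Credential
}

func (r Response) tbs() []byte {
	return binary.BigEndian.AppendUint64([]byte(r.Name+"\x00"+r.Answer+"\x00"), uint64(r.SignedAt))
}

// Answer signs every response at the moment it is generated (real-time signing), so
// nothing is pre-signed; the stale-record and NSEC-enumeration issues stem from pre-signing.
func (ns *Nameserver) Answer(name string, now time.Time) Response {
	answer, ok := ns.records[name]
	if !ok {
		answer = "NXDOMAIN"
	}
	r := Response{Name: name, Answer: answer, SignedAt: now.Unix(), Cred: ns.Cred}
	r.Sig = ed25519.Sign(ns.priv, r.tbs())
	return r
}

// Verify is the resolver side. It trusts only the zone public key; in DNSSEC+ that key is
// itself validated up the reverse-tree chain, abbreviated here to a configured anchor.
func Verify(zonePub ed25519.PublicKey, name string, r Response, now time.Time) (string, error) {
	if !ed25519.Verify(zonePub, r.Cred.tbs(), r.Cred.Sig) {
		return "", errors.New("instance credential not signed by the zone key")
	}
	if now.Unix() > r.Cred.NotAfter {
		return "", errors.New("instance credential expired")
	}
	if now.Unix()-r.SignedAt > 60 { // assumed freshness window; blocks replay of old answers
		return "", errors.New("response is stale")
	}
	if r.Name != name || !ed25519.Verify(r.Cred.InstancePub, r.tbs(), r.Sig) {
		return "", errors.New("response not signed by the authorized instance for this question")
	}
	return r.Answer, nil
}

func main() {
	now := time.Now()
	ks, zonePub := NewKeyServer()
	ns := NewNameserver(ks, map[string]string{"www.example.": "192.0.2.10"}, now.Add(time.Hour))
	fmt.Println(Verify(zonePub, "www.example.", ns.Answer("www.example.", now), now))
	late := now.Add(2 * time.Hour) // the short-lived credential has lapsed by then
	fmt.Println(Verify(zonePub, "www.example.", ns.Answer("www.example.", late), late))
}
```

The point to notice is which party holds which key: the zone key never leaves KeyServer, an instance can only sign answers for as long as its credential lasts, and because the answer is signed when it is produced, an attacker who captured an old signed response cannot replay it past the freshness window. Revoking an instance is simply declining to renew its credential.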

To secure the whole resolution path from the client to the authoritative nameserver, DNSSEC+ should be combined with a secure Stage 1 protocol.
