DNSSEC: what is it for and how to see if a website has it

Staying safe when browsing is very important, and that is why there are different protocols that help avoid problems. One of them is DNSSEC, which we are going to talk about in this article. We are going to explain what it is and why it is important, and we will also talk about what we can do to find out if a web domain has configured it. This will help us browse with greater safety and avoid risks that could compromise our equipment.

How DNS works

First of all we are going to explain what DNS is and how it works. This way we can better understand what DNSSEC is for. DNS stands for Domain Name System.


When we surf the Internet we simply have to put the name of the site in the browser and we enter the page. For example itigic.com to enter this article. But of course, there is actually something else behind that. That is precisely where DNS comes into play.

What DNS does is translate those domain names, such as the one for this article, into the IP address that corresponds to the site. In this way we do not have to remember a long string of numbers without much meaning, which is what the IP address would be, but simply the name.

For this, DNS servers use a database, which has to be as up-to-date as possible. They basically act like a phone book, but one that links websites to the corresponding IP addresses.

What is DNSSEC?

So what does DNSSEC mean? How does it relate to what we have explained about DNS servers? We can say that it is directly linked to DNS, and that it improves security. It adds an extra layer of protection to the DNS servers that a web domain has.

The use of DNSSEC is based on digital signatures that the DNS client checks, and in this way it verifies that the information is correct and comes from the authorized DNS servers.

What DNSSEC does is digitally sign those records for DNS lookup. It uses public key cryptography such as RSA and DSA for this. It also uses algorithms like SHA-1, SHA-256 and SHA-512. All this serves to verify that the data has not been modified and that the corresponding data is being sent and received.

Prevents security attacks

The use of DNSSEC is important in order to avoid certain security attacks on the network. As we have seen, it lets us verify that what we receive really is the correct answer to what we requested. This prevents us, for example, from ending up on a website that has been created solely to steal passwords.

This is what is known as a Phishing attack. We access a web page to open our mail, a social network such as Facebook or even our bank account, but in reality we are being sent to a site that pretends to be the original and that is designed to steal the password and the username.

You need to use DNS servers that support DNSSEC

Keep in mind that in order to surf the Internet with the DNSSEC protocol, it is essential to use DNS servers that are compatible. We can easily change this and, for example, use Google's, which are compatible.

To change the DNS servers in Windows we go to Start, then Settings, then Network and Internet, then Change adapter options. We right-click on the network card that interests us and click Properties. Then we select Internet Protocol version 4 (TCP/IPv4) and, once again, click Properties. A new window will open, where we have to click on Use the following DNS server addresses. There we fill in the ones we are going to use.

[Image: Changing the DNS servers]

How to know if a page uses DNSSEC

But do all web pages have DNSSEC protocol enabled? It is possible to know if a website has it activated or not. This will help us to have a better understanding of the security of the pages we are browsing.

There are several online tools that allow us to know if any website has the DNSSEC protocol implemented. We must indicate that, although it is an interesting security measure, the truth is that there are many pages that nowadays do not include it. This does not mean that this site is dangerous, insecure or that it can be used to steal passwords and data, but it does mean that it does not have that extra layer of security.

To find out if a website uses DNSSEC we can go to DNSSEC-Analyzer. It is a free service that belongs to Verisign. Once inside we will find a home page as we can see in the image.

[Image: Checking DNSSEC]

When we type the name of the domain that interests us and press Enter, a series of information related to that domain will automatically appear. If we see something like what appears in the image below, it means that that specific website does not have DNSSEC configured.

[Image: Domain not secured with DNSSEC]

An alternative option we have is DNSViz. It works in a similar way to the previous one. We enter the corresponding web domain and start the analysis. It will automatically show us a series of information to verify whether the domain has DNSSEC configured or not.

We can also find an extension that is available for browsers like Chrome or Firefox. This is DNSSEC-Validator. We can install it in the browser and it will tell us in a simple way if the page we are visiting is compatible with DNSSEC or not.

It will show us this information in a way as simple as an icon in the browser bar. This indicator will allow us to know at all times whether or not the website we are on is compatible. It will appear in green if it is and in red if it is not.
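At the level of DNS messages, a check like this rests on two signals: RRSIG (signature) records returned with the answer, and the AD flag that a validating resolver sets after verifying them. The following Python sketch is an added example, not code from any of the tools above; it builds a query with the DO bit set and inspects a reply, using constructed replies for example.com (placeholder signature bytes, hypothetical function names) so that it runs offline.

```python
import struct

AD_FLAG, TYPE_A, TYPE_OPT, TYPE_RRSIG = 0x0020, 1, 41, 46

def encode_name(name):
    parts = name.strip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name, msg_id=0x1234):
    # RD flag set; one question; one additional record (EDNS0 OPT).
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    # OPT: root name, class = UDP payload size, TTL field carries the DO bit (0x8000).
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x00008000, 0)
    return header + question + opt

def skip_name(msg, pos):
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def dnssec_status(msg):
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        types.append(rtype)
        pos += 10 + rdlen
    return {"rcode": flags & 0xF, "validated": bool(flags & AD_FLAG),
            "signed": TYPE_RRSIG in types}

def sample_response(signed):
    # Constructed reply for example.com; the RRSIG signature bytes are a placeholder.
    q = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"  # pointer to the name at offset 12
    body = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    if signed:
        rdata = (struct.pack("!HBBIIIH", TYPE_A, 8, 2, 300, 0, 0, 12345)
                 + encode_name("example.com") + b"\x00" * 128)
        body += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
    flags = 0x8180 | (AD_FLAG if signed else 0)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 2 if signed else 1, 0, 0) + q + body
```

The AD flag only means something when the reply comes from a resolver we trust over a path we trust, since the flag itself is not signed.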

Ultimately, DNSSEC is a protocol that complements DNS to add an extra layer of security. We have explained what it consists of, why it is interesting that the pages have it and how we can know if any website is compatible or not.