09 June 2018 Reading time: 6 minutes

Enhanced DNS security in ISPmanager

Victoria Fedoseenko

Content editor

ISPSystem

Starting from version 5.155.0, ISPmanager and DNSmanager support DNSSEC. It prevents phishing and forgery of DNS data, so it is a must-have feature for any website that is an attractive target for attackers.

What is DNSSEC

The domain name system (DNS) was invented in the 1980s. Thanks to it, we can visit websites by typing a name in the browser's address bar instead of an IP address. In the 1990s, a serious vulnerability was discovered in the DNS: it allows attackers to redirect part of a website's visitors to a copy of the site or to another site entirely. Usually only a few users notice the substitution, because the browser still displays the correct address.

In 2005, a new technology was developed to eliminate this vulnerability of the domain name system. It was called "DNS Security Extensions" (DNSSEC).

When do you need DNSSEC

DNSSEC is required for all sites that could be compromised by malicious users, for example, websites of financial organizations and large online stores that collect personal and financial information from their users.

When fraudsters direct users to a fake website, they can steal user data and use it for criminal purposes. Popular media resources and blogs are also desirable targets: they are attractive because of their large audience, which can be intercepted to make an illegal profit.

How do hackers use DNS vulnerabilities?

The vulnerabilities of the DNS follow from the nature of the system itself. DNS servers exchange information about the location of a particular site among themselves and often cache the data to speed up the exchange. That is, they keep the location information in memory to avoid making additional requests to other servers and to respond faster.

Because of a vulnerability in a DNS configuration, an attacker can "poison" the cache of a DNS server by sending it wrong information about the site's location. The DNS server saves this data, and all users whose queries pass through it are directed to a fake website. This type of attack is called "cache poisoning" or the "Kaminsky attack", named after the security researcher who discovered it.

The infection usually affects just a single DNS server, and although that limits the audience under attack, there may still be thousands of victims.

How does DNSSEC work

When DNSSEC is used, DNS servers verify each other's responses. An incorrect response results in an error.

DNSSEC uses cryptography to sign resource records (the information linking a domain name to an IP address, an alias, etc.). The resource records are complemented with a digital signature generated with algorithms defined by ICANN.

The signing key has a fingerprint (a digest of the key) that is stored in the records of the parent zone. Using this fingerprint and the public key, a DNS server can check the validity of the records in the zone. If the check fails, the server responds with an error and does not direct visitors to the suspicious website. Visit ICANN's website for more information about DNSSEC.

Limitations

Capabilities
DNSSEC does not protect data from interception, nor does it protect against DDoS attacks. However, ISPmanager has other tools for these problems: Let's Encrypt for installing SSL certificates, and Cloudflare and DDoS-GUARD for DDoS protection.

Zones
DNSSEC is built on a chain of trust, so the parent zones must themselves be signed. Some zones, such as .com, are already signed, and DNSSEC is available for them. However, some less common zones, such as .indi, are not signed yet, so DNSSEC cannot be used with them.

DNS-server types
The technology is supported by the following DNS servers: BIND 9.8.4 and newer, and PowerDNS 3.2 and newer (the standard Debian 7 repository ships PowerDNS 3.1). With PowerDNS versions before 4, signing a domain with DNSSEC may make CAA records unavailable.

How to enable DNSSEC in ISPmanager

To get started, you need to enable DNS security extensions support. Only the panel administrator can do this.

1. Go to “Domains” — “Domain names”, choose the domain you need and open its settings. Enable the “DNSSEC support” option. The same option is available in the “Global settings” of DNSmanager.

2. Specify the parameters for the DNSSEC keys: length, generation algorithm and update period. DNSSEC uses two types of keys: the zone signing key (ZSK) and the key signing key (KSK). We recommend choosing a longer key length and a longer update period for the KSK than for the ZSK.

3. Go back to “Domains” — “Domain names”, choose the domain and press Edit. Enable the “Sign the domain” option; it is available to all users of the panel.

4. After signing the domain, transfer the DS records to the parent zone. The main parameters of the keys, together with their DNSKEY and DS records, are displayed on the "DNSSEC Settings" page (go to “Domains” — “Domain names”, select the domain and press the "DNSSEC" button). Don't forget to publish the records in the parent zone; to receive a reminder, enable notifications in “Settings” — “Email notifications”.
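The following Python is an added example, not code from the original article or from ISPmanager. It shows what the fingerprint described under "How does DNSSEC work" actually is, and gives a practitioner a way to check, after step 4, that the DS record published in the parent zone was really derived from the DNSKEY shown on the "DNSSEC Settings" page. The DS digest construction and the key tag follow RFC 4034 (section 5.1.4 and appendix B); the zone name `example.com` and the 32-byte key bytes are constructed placeholders, not real keys.

```python
"""Derive a DS record from a DNSKEY and check a published DS against it.

Added example (not ISPmanager code). Implements the DS digest from
RFC 4034 section 5.1.4 and the key tag from RFC 4034 appendix B.
The owner name and key bytes used below are constructed sample values.
"""
import base64
import hashlib
from dataclasses import dataclass

# DS digest types registered for DNSSEC: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 256 = ZSK, 257 = KSK (zone key + SEP bit)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 8 = RSA/SHA-256, 13 = ECDSA P-256/SHA-256
    public_key: bytes

    @classmethod
    def from_text(cls, text):
        """Parse the presentation form the panel shows: 'flags proto alg base64'."""
        flags, proto, alg, *b64 = text.split()
        return cls(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))

    def to_text(self):
        """Presentation form, e.g. '257 3 13 AQIDBA...'."""
        return f"{self.flags} {self.protocol} {self.algorithm} " \
               f"{base64.b64encode(self.public_key).decode('ascii')}"

    def rdata(self):
        """Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self):
        """16-bit key tag (RFC 4034 appendix B): a checksum over the RDATA."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex

    @classmethod
    def from_text(cls, text):
        """Parse the presentation form: 'keytag alg digesttype hexdigest'."""
        tag, alg, dtype, *hexparts = text.split()
        return cls(int(tag), int(alg), int(dtype), "".join(hexparts).lower())


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def make_ds(owner, key, digest_type=2):
    """Build the DS record the parent zone must publish for this DNSKEY.

    digest = hash(owner name in wire form | DNSKEY RDATA)
    """
    digest = DIGEST_ALGOS[digest_type](wire_name(owner) + key.rdata()).hexdigest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def verify_ds(owner, key, ds):
    """True only if the published DS (tag, algorithm, digest) matches this DNSKEY."""
    if ds.digest_type not in DIGEST_ALGOS:
        return False  # unknown digest type: cannot validate, treat as mismatch
    return make_ds(owner, key, ds.digest_type) == ds


# Constructed sample: a KSK for example.com with a placeholder 32-byte key.
SAMPLE_OWNER = "example.com."
SAMPLE_KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(1, 33)))

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_KSK)
    print(f"{SAMPLE_OWNER} IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest}")
    tampered = DNSKEY(257, 3, 13, bytes(range(2, 34)))
    print("published DS matches our KSK:", verify_ds(SAMPLE_OWNER, SAMPLE_KSK, ds))
    print("published DS matches a different key:", verify_ds(SAMPLE_OWNER, tampered, ds))
```

In practice you would paste the DNSKEY line from the "DNSSEC Settings" page into `DNSKEY.from_text` and the DS line you see in the parent zone into `DS.from_text`; a `False` from `verify_ds` means the parent is pointing at a key the zone is not signed with, so validating resolvers will treat the zone as bogus until the DS is corrected. The owner name is part of the digest, which is why the same key published under a different name yields a different DS.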