How is DNSSEC different from encryption?

This is a question we often hear. “Isn’t DNSSEC the same as encrypted DNS?”

no way. DNSSEC protects your network from man-in-the-middle attacks, but it does so through public key cryptography, which is different from encryption. In other words, DNSSEC provides a form of authentication but not a form of confidentiality.

How is public key cryptography different from encryption?

DNSSEC uses public key cryptography to digitally “sign” or authenticate DNS queries. When DNSSEC is enabled on a zone record, a receiving device can compare the information it receives with the original information sent by the authoritative server. This is made possible through digital signatures, which use public keys to authenticate data.

In DNSSEC, authentication keys are protected through encryption, but the data itself is not protected. It is still possible to intercept and read DNSSEC-protected traffic. If the data is manipulated somewhere along the data path and sent to its destination, the receiving server will know something is wrong because the public keys do not match.

Encryption, on the other hand, uses encryption to encode the data itself. Encryption ensures confidentiality by changing what an attacker can see if they intercept a query somewhere in the data path. If an attacker cannot decrypt the signal using the encryption key, the data becomes unintelligible. Because those keys are not shared publicly, encryption prevents data tampering.

Why doesn’t DNSSEC use encryption?

DNS is one of the Internet’s older protocols. When the Internet was created, it was a much smaller place where almost everyone knew each other. Security was an afterthought.

When Internet security became an issue, DNS was so widely used that any significant change would cause the entire system to crash. Rather than developing a fully encrypted protocol to replace DNS, we decided to add an authentication mechanism to the existing system.

DNSSEC was a compromise. Authentication of queries and data becomes possible and the security of the protocol is strengthened. But because they did so without changing the underlying systems, the Internet could continue to grow without having to re-engineer anything. DNSSEC deployment is optional, so organizations can switch when they want.

Why use DNSSEC if it’s not encrypted?

DNS cache poisoning (also known as DNS spoofing) is a big reason to deploy DNSSEC. A DNS spoofing attack replaces legitimate responses to DNS queries with unauthorized responses. Those answers are then stuck in the cache, continuing to return incorrect answers and direct users to malicious sites until their “lifetime” expires.

DNSSEC protects against these kinds of attacks by authenticating DNS responses to ensure that only the correct answers are returned. Encryption can protect the underlying data of your DNS connection, but it does not protect against DNS spoofing attacks.

Do people use DNSSEC if it’s not encrypted?

Unfortunately, only about 20% of Internet traffic is verified via DNSSEC. This is a significant increase from just a few years ago, but still far from original levels. Usability issues, lack of information, and sheer laziness combine to create this critical gap.

NS1 strongly recommends DNSSEC deployment to all of our customers and encourages its use through a simple deployment process. Unlike other providers, NS1 supports DNSSEC as a secondary provider or redundant DNS option through its dedicated DNS product.

Learn more about IBM NS1 Connect support for DNSSEC