DNSSEC (Domain Name System Security Extensions) is a set of security extensions to the DNS protocol that adds cryptographic signatures and authentication to ensure the integrity and authenticity of DNS data.
It protects against common threats like DNS spoofing and cache poisoning by allowing DNS resolvers to verify that the responses they receive are from legitimate sources and have not been tampered with.
DNSSEC uses public-key cryptography, where each DNS zone is signed with a private key, and the corresponding public key is distributed via DNS records (e.g., DNSKEY, DS).
¶ This feature allows to:
- Prevents DNS spoofing and cache poisoning by verifying the authenticity of DNS responses.
- Protects against man-in-the-middle attacks that could redirect users to malicious sites.
- Ensures that DNS data has not been altered during transmission.
- Provides a chain of trust from the root zone down to individual domain names, allowing resolvers to validate the entire path.
¶
¶ Activate the DNSSEC feature
- On the left menu, go to
DNS > DNS Cache service - Click on the disabled DNSSEC link
- Turn on the Domain Name System Security Extensions (DNSSEC) checkbox
- At this point, the DNS Service will perform full DNSSEC validation on all queries it answers.
If you query a domain with a broken signature, you should receiveSERVFAIL
¶ Whitelisting domains.
- You can tell the validator to ignore DNSSEC failures for a given zone by marking it “insecure.” for which DNSSEC failures are simply ignored.
- On the left menu, go to
DNS > DNS Cache Service > Forward zone - Click on the button Whitelist DNSSEC and add the domain you want to exclude from the DNSSEC verification
Your domain will be stamped as Insecure in the list and the forward will be “automatic” means use the default DNS servers
