DNSSEC – why is it so rarely used?

One of the many great reasons to use Cloudflare is its easy-breezy, user-friendly support for DNSSEC, even on the free tier.

The Domain Name System (DNS) is the master contact list of the interwebs, translating human-friendly domain names like wppov.com to machine-understandable IP addresses like 104.24.96.239.

DNS is a fundamental component of the Internet, but it has a weakness. It is insecure, subject to being hijacked, spoofed, or poisoned. Bad guys, gals, and bots can use fake DNS responses to trick users into visiting the wrong website, downloading malicious software, and other dastardly stuff. Security experts’ dire warnings about DNS attacks are plentiful on the interwebs, starting a couple of decades back and continuing today.

Fortunately, there is a solution. DNS Security Extensions (DNSSEC) – sometimes shortened to just DS – foils DNS attacks by digitally signing DNS data to ensure its validity.

DNSSEC is so super-duper important its deployment must be nearly universal, right? Actually, no – pretty much the opposite is true. DNSSEC is currently implemented on less than 1% of websites.

Wait – less than one percent? Seriously? Yep.

How can that be? Well, DNS hijacking/spoofing/poisoning are sophisticated attacks, not common in the wild – at least for now. Exactly how uncommon they are is kinda hard to say. I am able to find a few apocryphal reports of attacks in the wild, but no comprehensive statistics. I do find a running joke, with some likely basis in fact, that taking precautions against DNS attacks is like a corporation spending time, effort, and money to protect their Omaha headquarters against shark attacks. Not that shark attacks aren’t bad, just really uncommon, especially in Omaha.

Also, most registrars provide poor, if any, support for DNSSEC. Those that do support it often treat it as a “premium” (i.e. expensive) add-on service.

And even when it is possible, correctly setting up DNSSEC can be tricky – it is a complex protocol. NameSilo offers this warning/disclaimer:

Please make sure only to manage DS records for your domain if you are comfortable with DNSSEC. We do not provide support for the configuration of third-party name servers and your domain will stop resolving correctly if your name servers are not configured correctly when associating DNSSEC resource records.

My site could be unreachable if I bugger the DNSSEC configuration. Another running joke is that far more websites have been taken offline by misconfigured DNSSEC than by actual DNS attacks.

Jokes aside, DNSSEC makes sense to me as a safeguard against the possibility of future zero-day DNS attacks, which are impossible to predict. One may never happen or one may happen tomorrow and be really catastrophic.

Cloudflare makes DNSSEC setup free and relatively easy, or even super-simple, depending on the registrar. So I see no downside in using DNSSEC provided I’m already using Cloudflare.

If I’m using Cloudflare as my registrar (Cloudflare as a registrar is awesome, by the way), DNSSEC is super-simple. I just select “Enable DNSSEC” on the DNS tab in Cloudflare. That’s it. Done.

If I’m using NameSilo (NameSilo is also awesome, by the way), DNSSEC setup is free but a bit more complex, requiring changes on both Cloudflare and NameSilo, but Cloudflare provides step-by-step instructions.

What about other registrars? Cloudflare provides step-by-step instructions for several other major registrars, but I have not personally tried them. So, your experience may vary. Seriously, though, switch to NameSilo or Cloudflare as your registrar; both are awesome.

Once I get DNSSEC set up, I can verify that it is working properly using an online service like dnssec-analyzer.verisignlabs.com.
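When a registrar such as NameSilo asks for DS records, the values have to be derived from the DNSKEY that Cloudflare actually serves; a mismatch is exactly the misconfiguration that stops a domain resolving. As an added example (not code from this post, Cloudflare or NameSilo), the Python below derives the DS record from a DNSKEY the way RFC 4034 specifies and checks a published DS against it; the owner name and the 4-byte "public key" are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase labels, length-prefixed, root terminator."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; it is the first field of the DS record."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_from_dnskey(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """Derive the DS text ('tag alg dtype digest') the parent zone must publish
    for a DNSKEY given in presentation format ('flags proto alg base64key')."""
    flags, proto, alg, *key_parts = dnskey_text.split()
    rdata = dnskey_rdata(int(flags), int(proto), int(alg), "".join(key_parts))
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {int(alg)} {digest_type} {digest}"

def ds_matches(owner: str, dnskey_text: str, ds_text: str) -> bool:
    """True when the DS record held at the registrar matches the DNSKEY the name servers serve."""
    tag, alg, dtype, *digest_parts = ds_text.split()
    expected = ds_from_dnskey(owner, dnskey_text, int(dtype))
    published = f"{int(tag)} {int(alg)} {int(dtype)} {''.join(digest_parts).upper()}"
    return published == expected

# Constructed sample (NOT a real key): a 4-byte key keeps the key tag easy to check by hand.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 AQIDBA=="   # flags 257 = KSK, protocol 3, algorithm 13

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {ds}")
    print("registrar DS matches served DNSKEY:", ds_matches(SAMPLE_OWNER, SAMPLE_DNSKEY, ds))
```

Run it with a real DNSKEY copied from `dig DNSKEY yourdomain` and the DS shown at the registrar to confirm the two agree before (and after) enabling DNSSEC.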

If DNS attacks suddenly become prevalent, I’m protected.
