Protecting your domain from DNS spoofing
In IT security circles, DNS has been a hot topic for a long time. The fundamental problem is that the entire Internet relies on DNS, the phonebook of the Internet. Back in the early 1980s, when DNS was being created, security was not a priority, and it has remained an unauthenticated database ever since. Spoofing a DNS entry is still technically difficult but, as Dan Kaminsky showed us in 2008, not impossible at all.
The good news is that DNSSEC was invented some time ago to address the weaknesses of the original DNS definition. The bad news is that DNSSEC has never been widely implemented. One of the reasons is its complexity, and the benefits against a fairly rare Internet attack are not that evident (until an attack happens).
Three days ago the good fellows of CloudFlare added DNSSEC to their services. This means that, in a matter of 10 minutes, it is possible to configure a secure DNS entry with ease. It worked so well for us that we wondered how we could previously have spent hours on such a task. Of course, to take advantage of that, you need to use CloudFlare (whose basic plan is free anyway). If you need instructions on how to configure DNSSEC yourself, this guide is quite handy.
We’re satisfied that metaluxo-50f069.ingress-comporellon.ewp.live has been configured to take advantage of DNSSEC this way. If you wonder whether your domain is already configured for DNSSEC, you can easily check on DNSviz.net.
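As a quick local complement to the DNSviz check, the following added example (not part of the original post) builds a DNS query with the DNSSEC OK bit set and classifies the reply by its AD flag and RRSIG records. The resolver address passed to `check` is your own choice, and the sample reply is constructed for illustration.

```python
import socket
import struct
RRSIG = 46   # RR type for DNSSEC signatures (RFC 4034)
AD = 0x0020  # "authenticated data" header flag, set by a validating resolver

def build_query(name, qtype=1, txid=0x1234):
    """Query with RD set plus an EDNS0 OPT record carrying the DO (DNSSEC OK) bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    # OPT RR: root name, type 41, class = UDP size, TTL field holds flags (DO = 0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def dnssec_status(msg):
    """Classify a reply as 'validated', 'signed', 'unsigned' or 'servfail'."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if (flags & 0x000F) == 2:  # SERVFAIL: what a validating resolver returns for bogus data
        return "servfail"
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    has_rrsig = False
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        has_rrsig = has_rrsig or rtype == RRSIG
    if flags & AD:
        return "validated"
    return "signed" if has_rrsig else "unsigned"

def check(name, resolver, timeout=3.0):
    """Send the query over UDP to `resolver` (an IP address you choose) and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return dnssec_status(s.recvfrom(4096)[0])

# Constructed sample reply for example.com; the RRSIG rdata is filler, not a real signature
_A = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
_SIG = b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 300, 4) + b"\x00" * 4
SAMPLE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 0) + build_query("example.com")[12:-11] + _A + _SIG
```

The AD flag only means something when the path to the resolver is trusted, since the stub does no validation itself. A "servfail" result can also come from ordinary resolution failures, so confirm a suspected bogus zone with a full chain analysis.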