Misery is when you head to one of your usual Web site hangouts and find yourself somewhere nasty instead because of Domain Name System (DNS) poisoning. DNS cache poisoning doesn’t happen often, but when it does happen, it can make large parts of the Internet unusable. The answer to this potential poison problem? Domain Name System Security Extensions (DNSSEC).
DNS poisoning works like this. The DNS is the master address list for the Internet. With it, instead of writing out an IPv4 address like “http://209.85.135.99/,” one of Google’s many addresses, you can simply type in “http://www.google.com” and you’ll be on your way. But how can your browser be sure that “209.85.135.99” is a correct address for Google? By itself, it can’t. It relies on DNS and, here’s the kicker, with plain Jane DNS the system doesn’t have any built-in way to make sure that the information it’s feeding your browser is the real deal.
DNSSEC attempts to prevent DNS cache poisoning attacks by having domain owners digitally sign their DNS records, so that resolvers can verify that a domain name and its corresponding IP addresses are genuine. To make sure this information isn’t tampered with along the way, DNSSEC uses digital signatures based on public-key cryptography for this information exchange. That, in turn, makes it much harder for a cracker to effectively poison a DNS server, since for an attack to work it would need to compromise the signed DNS information for popular Web sites.
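The contrast above, as an added example that is not code from the original article: a plain resolver caches whatever answer it is handed, while a validating one accepts a record only if its signature verifies under the zone's public key. It uses Ed25519 (one of the signature algorithms DNSSEC supports) over a simplified record format and an in-memory trust anchor; the record layout, the function names and the key handling are constructed stand-ins for real RRSIG and DNSKEY records.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// Answer is a simplified signed DNS A record: owner name, IPv4 address and an RRSIG-like signature.
type Answer struct {
	Name, IP string
	Sig      []byte
}

// canonical is the signed data; real DNSSEC covers the whole canonical RRset plus RRSIG header fields.
func canonical(name, ip string) []byte {
	return []byte(strings.ToLower(name) + "|A|" + ip)
}

// Sign is what a zone operator does when publishing a DNSSEC-signed record.
func Sign(priv ed25519.PrivateKey, name, ip string) Answer {
	return Answer{Name: name, IP: ip, Sig: ed25519.Sign(priv, canonical(name, ip))}
}

// AcceptPlain models a pre-DNSSEC resolver: it caches whatever answer it is handed.
func AcceptPlain(cache map[string]string, a Answer) bool {
	cache[a.Name] = a.IP
	return true
}

// AcceptValidating models a DNSSEC-validating resolver: an answer enters the cache
// only if its signature verifies under the trust anchor (the zone's public key).
func AcceptValidating(anchor ed25519.PublicKey, cache map[string]string, a Answer) bool {
	if !ed25519.Verify(anchor, canonical(a.Name, a.IP), a.Sig) {
		return false // tampered or forged record: leave the cache untouched
	}
	cache[a.Name] = a.IP
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed zone key pair; nil means crypto/rand
	genuine := Sign(priv, "www.google.com", "209.85.135.99")
	// A poisoned answer keeps the real signature but swaps in a bogus address.
	forged := Answer{"www.google.com", "192.0.2.1", genuine.Sig}
	plain, validating := map[string]string{}, map[string]string{}
	fmt.Println("plain caches forged:", AcceptPlain(plain, forged), plain)
	fmt.Println("validating caches forged:", AcceptValidating(pub, validating, forged), validating)
	fmt.Println("validating caches genuine:", AcceptValidating(pub, validating, genuine), validating)
}
```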