DNS, the so-called "phonebook of the internet", allows us to access information services online through domain names instead of IP addresses. Today, the DNS server has become an integral part of securing your services online. Many malicious attacks involve DNS, and as such it is very important to properly secure your domain online, not only for the security of the company or owner of the website, but also for the user.
An authoritative DNS server holds the DNS records for your domain. When clients look up your domain, they end up asking your authoritative server where the service can be found. The authoritative DNS server also holds many records for security protocols and tells your clients which security features are active and which are not.
DNSSEC was made to validate the DNS records published on the authoritative DNS server, so that recursive DNS servers know that the records are valid and actually originate from the right authoritative DNS server. This helps against so-called man-in-the-middle and DNS cache poisoning attacks, in which the attacker uses spoofing to divert the DNS request to a rogue DNS server. DNSSEC provides origin authority, data integrity, and authenticated denial of existence.
DANE (DNS-based Authentication of Named Entities) is a security protocol that binds an issued digital certificate to a TLS connection. The purpose of DANE is to ensure that no certificate authority (especially the current issuer) is able to issue a new certificate for your domain. If a certificate authority gets compromised, the attacker would not be able to create a new certificate. While DANE is relatively new, it is supported for HTTP and SMTP and also works with self-signed certificates. DNSSEC is required for DANE's security model to work.
CAA is a DNS record that defines which official certificate authorities are allowed to issue certificates for your domains. Normally, without such a DNS record, any official certificate authority could technically issue a certificate for your domain without you making a request. Enabling CAA ensures that only a manually defined list of official authorities is allowed to issue certificates for your domains.
A recursive DNS server is used by clients to resolve domain names by asking the corresponding authoritative DNS server. It makes sense for businesses and private individuals to run their own recursive DNS server, because every internet activity can be tracked through DNS requests. A privately run recursive DNS server can also speed up requests thanks to low latency and caching of common requests.
Available security reports for our infrastructure can be found here:
If you are interested in working with us, send us an email at:
contact@webtrend.ch
We would love to hear about your project.