The Internet relies on DNS. This makes it all the more important to do everything possible to protect the global DNS infrastructure from attacks. Andreas explains how DNSSEC protects against DNS spoofing. In the demo you will learn how to enable DNSSEC for your domains by using Route 53.
What you will learn by watching the video and following the demo:
Protect from DNS spoofing!
What is DNSSEC?
How to enable DNSSEC with Route 53?
Pros and Cons of DNSSEC
Enjoy the video!
Video: https://www.youtube-nocookie.com/embed/lT7P6hwTbik
Why is DNSSEC important? Because DNSSEC protects against the following attack, called DNS spoofing.
Attacker injects DNS records into DNS server/resolver.
User resolves domain name, DNS server responds with “wrong” IP address.
User sends requests to “wrong” server.
Attacker steals password, reads sensitive information, …
The CloudFormation templates used in the video are available at https://github.com/widdix/aws-cf-templates
I’ve used the following commands to deploy DNSSEC to us-east-1. Make sure to modify the stack names and parameters before using the commands.
aws cloudformation deploy --stack-name cloudonautio-key --template-file security/kms-key.yaml --parameter-overrides Service=dnssec-route53 KeySpec=ECC_NIST_P256 KeyUsage=SIGN_VERIFY
aws cloudformation deploy --stack-name cloudonautio-hz --template-file vpc/zone-legacy.yaml --parameter-overrides HostedZoneName=cloudonaut.io HostedZoneId=Z18W2IF733UZVC
aws cloudformation deploy --stack-name cloudonautio-dnssec --template-file vpc/zone-dnssec.yaml --parameter-overrides ParentZoneStack=cloudonautio-hz ParentKmsKeyStack=cloudonautio-key ParentAlertStack=operations-alert
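To check the result once the stacks are deployed, the following added example (not part of the original post or the widdix templates) classifies `dig +dnssec` output by response code, `ad` flag and RRSIG presence. The function names `dnssec_status` and `sample`, the name example.com and the dig-style sample output are assumptions constructed for illustration; algorithm 13 in the sample RRSIG is ECDSA P-256 with SHA-256, which corresponds to the ECC_NIST_P256 key spec used above.

```shell
#!/usr/bin/env bash
# Added example: classify `dig +dnssec <name> <type>` output read from stdin.
# Prints: validated | signed-unvalidated | unsigned | failed
dnssec_status() {
  awk '
    /^;; ->>HEADER<<-/ {            # header line carries the response code
      for (i = 1; i < NF; i++)
        if ($i == "status:") { rcode = $(i + 1); sub(/,$/, "", rcode) }
    }
    /^;; flags:/ {                  # "ad" = the resolver validated the signatures
      flags = $0; sub(/^;; flags:/, "", flags); sub(/;.*$/, "", flags)
      n = split(flags, f, " ")
      for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
    }
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^$/ || /^;;/         { in_answer = 0 }
    in_answer && $4 == "RRSIG" { rrsig = 1 }   # signature over the answer RRset
    END {
      if (rcode != "NOERROR") print "failed"   # validating resolvers answer SERVFAIL for bogus data
      else if (ad && rrsig)   print "validated"
      else if (rrsig)         print "signed-unvalidated"
      else                    print "unsigned"
    }'
}

# Constructed dig-style output (hypothetical, not captured from a real resolver).
# $1 = rcode, $2 = header flags, $3 = "signed" to include an RRSIG line
sample() {
  count=0
  if [ "$1" = "NOERROR" ]; then count=1; fi
  if [ "$1" = "NOERROR" ] && [ "$3" = "signed" ]; then count=2; fi
  printf ';; ->>HEADER<<- opcode: QUERY, status: %s, id: 4242\n' "$1"
  printf ';; flags: %s; QUERY: 1, ANSWER: %s, AUTHORITY: 0, ADDITIONAL: 1\n\n' "$2" "$count"
  if [ "$1" != "NOERROR" ]; then return 0; fi
  printf ';; ANSWER SECTION:\n'
  printf 'example.com.\t300\tIN\tA\t192.0.2.10\n'
  if [ "$3" = "signed" ]; then
    printf 'example.com.\t300\tIN\tRRSIG\tA 13 2 300 20210401000000 20210318000000 4242 example.com. Q09OU1RSVUNURUQ=\n'
  fi
  printf '\n'
}

sample NOERROR  "qr rd ra ad" signed | dnssec_status   # validated
sample NOERROR  "qr rd ra"    signed | dnssec_status   # signed-unvalidated
sample NOERROR  "qr rd ra"    ""     | dnssec_status   # unsigned
sample SERVFAIL "qr rd ra"    ""     | dnssec_status   # failed
```

Against a live zone, pipe `dig +dnssec <your-domain> A` from a validating resolver into `dnssec_status`. Querying the authoritative name servers directly shows RRSIG records but no `ad` flag, so that case reports signed-unvalidated.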
When it comes to DNS, I’m using the book DNS and BIND to learn about the technical details.
A few links discussing DNSSEC: