DNSSEC setup on Google Cloud DNS. This guide helps you set up DNSSEC to protect your domain name from DNS cache poisoning.
What is DNSSEC?
Domain Name System Security Extensions (DNSSEC) is a set of protocol extensions that adds a layer of security to the domain name system (DNS) lookup and exchange processes. It was introduced in 2005 to improve DNS security.
How Does it Work?
DNSSEC signs the data in DNS records so that resolvers can verify its authenticity. This ensures that the DNS records you receive belong to the real domain name you are trying to reach, rather than forged ones. It prevents attackers from manipulating or poisoning the responses to DNS requests.
How to Setup DNSSEC
Make sure you have created a DNS zone for your domain in Google Cloud DNS.
You can also enable DNSSEC while creating a DNS zone. Just set DNSSEC to On and click Save.
If you already have your DNS zone set up, you can set the DNSSEC option to On as shown in the image.
Once you have selected On, Google Cloud DNS creates DNSSEC records for public keys (DNSKEY), signatures (RRSIG), and non-existence (NSEC, or NSEC3 and NSEC3PARAM) to authenticate your zone’s contents, and manages them automatically.
Now click your zone name, then click Registrar Setup at the top right to view the DNSSEC resource record values to update for your domain.
- Key tag: Numeric value that refers to an existing DNSKEY record.
- Algorithm: Cryptographic (signing) algorithm of the key in the DNSKEY record.
- Digest type: Algorithm used to create the digest of the DNSKEY record.
- Digest: Hashed value of the DNSKEY record that uniquely identifies it without exposing the value of the key.
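How the key tag and digest are derived from a DNSKEY record (RFC 4034), written as a check you can run on the values before entering them at the registrar. This is an added example, not code from Google Cloud DNS; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# DS digest type numbers (IANA registry) mapped to hashlib names.
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name):
    """Canonical (lowercase) wire form of the zone's owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(name, rdata, digest_type):
    """DS digest = hash(owner name | DNSKEY RDATA), as uppercase hex."""
    data = owner_wire(name) + rdata
    return hashlib.new(DIGESTS[digest_type], data).hexdigest().upper()


def ds_matches(name, dnskey, ds):
    """dnskey = (flags, protocol, algorithm, key_b64); ds = (tag, alg, dtype, digest)."""
    rdata = dnskey_rdata(*dnskey)
    tag, alg, dtype, digest = ds
    return (dtype in DIGESTS and tag == key_tag(rdata) and alg == dnskey[2]
            and digest.replace(" ", "").upper() == ds_digest(name, rdata, dtype))


# Constructed sample: 64 placeholder bytes standing in for a real ECDSA P-256 key.
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    rd = dnskey_rdata(*SAMPLE_KEY)
    print("example.com. IN DS", key_tag(rd), 13, 2, ds_digest("example.com.", rd, 2))
```

A DS record at the registrar that matches no DNSKEY in the zone makes validating resolvers reject the zone's answers, so a mismatch here is worth catching before the values are saved.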
Configure DS records with the registrar
Now update the above-mentioned values at your registrar to secure your domain name.
- Sign in to Google Domains.
- Select the name of your domain.
- In the left navigation panel, click DNS.
- Scroll to DNSSEC.
- Create an entry using the values from previous steps.
Now DNSSEC is activated for your domain and it’s secured from DNS cache poisoning.
You can validate your DNSSEC setup using these websites: http://dnsviz.net/ and https://dnssec-analyzer.verisignlabs.com/
Check and confirm that DNSSEC validates for your domain, and you will have a secured DNS server.