DNSSEC Configurations
The DNS service translates domain names into IP addresses, but it has no built-in security measures. Because DNS does not authenticate the records it receives, it cannot guarantee that your website’s visitors are directed to your website rather than to a harmful one.
The solution to this gap is DNSSEC, a protocol that authenticates DNS records through Public Key Infrastructure (PKI). Note that DNSSEC does not encrypt DNS data.
Arvancloud, being an authoritative DNS server, can provide you with a DNS record so that you can activate DNSSEC for your domain. This lets you secure your domain against DNS attacks.
How Does DNSSEC Work?
The DNS service has no internal mechanism to protect the data it transfers. With DNSSEC, the resolver can verify the DNS records it receives and confirm that they did not come from an illegitimate DNS server.
After DNSSEC is activated, resolution proceeds as follows:
1- The user enters www.example.com in their browser. The browser first checks its cache for the corresponding IP address. If the IP is not found in the cache, a request is sent to the DNS server the system is configured to use (the recursive resolver).
2- The recursive resolver, which can be the DNS server your ISP has provided for you, first searches its cache for the IP address. If no result is found, it sends a request to the root server.
3- The root server responds by sending the recursive resolver the IP address related to the domain's TLD and the DS record.
4- After receiving the IP address, the recursive resolver requests the domain's IP address from the TLD.
5- The TLD sends the recursive resolver the IP addresses of the Arvancloud DNS servers that hold the domain's records, along with the DS record.
6- The recursive resolver sends a request to the Arvancloud DNS server for the domain's records.
7- The Arvancloud DNS server sends the RRSIG and DNSKEY records.
8- The recursive resolver now has all the required records and has verified the servers. It then sends the IP address for www.example.com to the browser so that it can access the secured content.
DNSSEC Activation for Arvancloud Users
Before the activation, make sure that your domain registrar and TLD provider support DNSSEC. Go to the DNS Records in the CDN section of your user panel and turn on DNSSEC.
After activation, your DS record opens in a window in text format.
The data includes:
- Key tag
- Algorithm
- Digest Type
- Digest
To enable DNSSEC through the API, you can use this sample:
curl --location --request PUT 'https://napi.arvancloud.ir/cdn/4.0/domains/example.com/dns-records/dnssec/actions' \
--header 'authority: napi.arvancloud.ir' \
--header 'accept: application/json, text/plain, */*' \
--header 'authorization: API KEY' \
--header 'content-type: application/json' \
--data '{"enable":true}'
To disable it, change the enable value to false.
In the final step, go to your domain’s user panel, enter the data as requested and save the changes.
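Before saving the DS data, it is worth confirming that it really corresponds to the DNSKEY your zone publishes, since a DS that does not match makes validating resolvers reject the domain. The following is an added example, not Arvancloud's code: it recomputes the four DS fields (key tag, algorithm, digest type, digest) from a DNSKEY as defined in RFC 4034 and RFC 4509. The sample key is constructed filler data, and the space-separated DS text layout is an assumption about how the record is displayed.

```python
import base64
import hashlib
import struct

# DS digest type numbers mapped to hash functions (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """Derive the four DS fields from a DNSKEY: digest = H(owner wire name + RDATA)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}

def parse_ds(text):
    """Parse 'key_tag algorithm digest_type digest' (assumed field order)."""
    tag, alg, dtype, *hex_parts = text.split()
    return {"key_tag": int(tag), "algorithm": int(alg),
            "digest_type": int(dtype), "digest": "".join(hex_parts).upper()}

def ds_matches_dnskey(owner, ds_text, rdata):
    """True only if every DS field can be reproduced from the published DNSKEY."""
    ds = parse_ds(ds_text)
    if ds["digest_type"] not in DIGESTS:
        raise ValueError("unsupported digest type: %d" % ds["digest_type"])
    return ds == make_ds(owner, rdata, ds["digest_type"])

# Constructed sample: KSK flags 257, protocol 3, algorithm 13, 64 filler bytes (not a real key).
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))))

if __name__ == "__main__":
    ds = make_ds("example.com", SAMPLE_RDATA)
    ds_text = "{key_tag} {algorithm} {digest_type} {digest}".format(**ds)
    print(ds_text, ds_matches_dnskey("example.com", ds_text, SAMPLE_RDATA))
```

To check a real domain, build the RDATA from the flags, protocol, algorithm and base64 key of its published DNSKEY record and pass the DS text shown after activation.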