What is DNSSEC?

DNSSEC is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups. It prevents attackers from manipulating or poisoning the responses to DNS requests. DNS technology was not designed with security in mind. One example of an attack on DNS infrastructure is DNS spoofing. In which case an attacker hijacks a DNS resolver’s cache, causing users who visit a website to receive an incorrect IP address and view the attacker’s malicious site instead of the one they intended.

Pricing

DNSSEC management services are part of our DNS hosting plans - Premium DNS, DDoS Protected DNS, and GeoDNS. No extra costs for better security!

Premium S
$2.95/month
Premium M
$4.95/month
Premium L
$14.95/month
? Managed Anycast DNS with DNSSEC:
? DNS zones: 5 50 400
? DNS Records: 200 2,000 20,000
? DNS queries per month: i 5M i 200M Unlimited
? Mail forwards: 10 100 1,000
? DNS Failover checks: 1 2 3
Completely free trial. No credit cards required. No tricks.
Start Free 30-day Trial
Start Free 30-day Trial
Buy Now
Premium S
$2.95/month
  • +4 Anycast DNS servers
  • 5 DNS zones
  • 200 DNS Records
  • 5M DNS queries per month
  • 1 DNS Failover check
  • 10 Mail forwards
  • DNSSEC
  • Extended Features
Completely free trial. No credit cards required. No tricks.
DDoS Protected S
$5.95/month
  • +4 Anycast DNS servers
  • DDoS protection for DNS
  • 5 DNS zones
  • 200 DNS Records
  • 5M DNS queries per month
  • 1 DNS Failover check
  • 10 Mail forwards
  • DNSSEC
  • Extended Features
Completely free trial. No credit cards required. No tricks.
GeoDNS Start
$9.95/month
  • 4 Anycast DNS servers
  • DDoS protection for DNS
  • DNS direction by geolocation
  • 1 DNS zones
  • 1,000 DNS Records
  • 100M DNS queries per month
  • 1 DNS Failover check
  • 3 Mail forwards
  • DNSSEC
  • Extended Features
Completely free trial. No credit cards required. No tricks.
30 day Free Trial
No credit cards required
24/7 Live chat support

How does DNSSEC work?

When you activate DNSSEC, we'll generate a public-private key pair for your zone. The public key, provided as DS or DNSKEY records, should be configured with your domain provider. Our network will use the private key to sign your records during zone deployment. The end-user resolver checks these signatures against the public keys to authenticate record integrity during transfer.

DNSSEC aims to enhance user safety by verifying digital signatures after a user enters a domain name. Information can only reach the user's device when digital signatures match between the data and the Primary DNS server, ensuring connection to a legitimate website. It utilizes digital signatures and public keys to validate information, adding new records to existing DNS entries like A, CNAME, and MX. DNSKEY and RRSIG digitally sign DNS data using public-key cryptography. Each DNS zone's name server holds public and private keys. When a user queries, the server provides information signed with its private key, which the recipient opens with the public key. If information is modified, it won't open correctly, triggering an error message.

Benefits & Features

Easy Setup

Just click the activation button in the control panel, and our system will secure the zone. You will be required only to add the DS records at the provider, and the setup will be completed.

Security

We are using the Elliptical Curve Algorithm (ECDSA P-256) for all signatures, which is stronger and smaller than the standard RSA keys.

Performance

Keeping DNS answers as small as possible means faster speed for you! Additionally, our Anycast DNS Network provides more rapid responses from the closest location to the resolver.

24/7 Support

No matter what day, no matter when, we provide continuous, uninterrupted network monitoring and support. Our Technical Support team is online for you 24/7 by live chat and tickets. We can migrate your zones for free, read more here.

How to configure DNSSEC in ClouDNS?

To activate DNSSEC signing and obtain the domain DS records and DNSKEY records, you need to process the following steps:

  1. Log into your ClouDNS control panel.
  2. Navigate to the zone you wish to configure.
  3. Locate the "DNSSEC" menu at the top of the zone's control panel and click on it.
  4. From here, choose to either activate or deactivate DNSSEC zone signing.

Optional: For additional details and guidance about DNSSEC implementation, refer to the ClouDNS DNSSEC wiki page.

Why should I care about DNSSEC?

When you want to connect to a particular website, your browser should get the corresponding IP address. Unfortunately, there is a chance an attacker to intercept your DNS queries and place fake information. As a result, your browser will connect to a forged website where you could potentially enter personal information, like bank details.

Thanks to DNSSEC, there is an additional level of security, and your browser is able to check if the DNS data is actually correct and not changed. In addition, DNSSEC is used not only for the web but also by any other Internet service or protocol, for instance, SMTP and Voice-over- IP (VoIP).

With DNSSEC, you can protect your domain from vulnerabilities like:

DNSSEC-Enabled vs Non-DNSSEC Domains

Domains with enabled DNSSEC offer cryptographic security, ensuring authentic DNS data and protecting users from attacks and traffic interception. They safeguard brands from DNS hijacking and reputation damage. In contrast, domains without DNSSEC lack this protection, making them more vulnerable to attacks and putting both users and brands at risk.

Feature DNSSEC-Enabled Domains Non-DNSSEC Domains
Security Cryptographically secured Vulnerable to DNS attacks
Trust Verified, authentic DNS data Unverified, prone to spoofing
User Safety Guaranteed traffic integrity Risk of traffic interception
Brand Protection Shielded from DNS hijacking Open to reputation damage

What is DNSSEC validation?

DNSSEC validation is a simple process that includes the following steps:

For more insights, read our full blog post about DNSSEC.

Who can take advantage of DNSSEC?

DNSSEC can benefit anyone with an online presence, from large companies to individual website owners. It helps protect against cyber threats like DNS spoofing and cache poisoning, making it essential for businesses that rely on secure communication, such as e-commerce sites, financial institutions, government agencies, and healthcare providers. Even small businesses and personal websites can use DNSSEC to protect their data and reputation. By securing domain information, DNSSEC ensures users can trust the integrity and authenticity of a site, providing safer, more reliable online experiences for everyone.

Frequently Asked Questions

FAQ

  • How to start using DNSSEC? - To get started, select a plan that best suits your needs and click on the orange button below the chosen plan.
  • What does DNSSEC protect against? - DNSSEC protects against forged DNS data, like that from DNS cache poisoning. It ensures resolvers receive authentic responses, mitigating the risk of accepting incorrect data. By verifying DNS responses, it prevents potential impacts on individual users or entire networks caused by malicious responses.
  • What types of DNS records does DNSSEC use? - DNSSEC uses DNSKEY, RRSIG, NSEC, and DS records. DNSKEY stores public keys, RRSIG contains digital signatures, NSEC provides denial of existence proof, and DS establishes trust chains.
  • Still have questions about DNSSEC? - You can contact us via our 24/7 Live chat support or if you prefer, you can send a message on support@cloudns.net.

DNSSEC is available in all of our Premium DNS, DDoS Protected DNS and GeoDNS plans!

GET OFFER

What our clients say

Trusted by:

Cookies help us deliver our services. By using our services, you agree to our use of cookies. Learn more