Google Inc. has taken steps to prevent Internet users from being redirected to bogus sites.
In an announcement yesterday, the search engine company said it now fully supports Domain Name System Security Extension (DNSSEC) validation on its Google Public DNS (domain name system) resolvers.
Public DNS, Google’s own DNS lookup service which has been running since 2009, translates “human readable” domain names such as www.itworldcanada.com in an Internet Protocol address that can be recognized by a browser and accessed by computers.
However, Google said, current DNS protection systems have now lagged behind attack strategies and hacker tools. A large number of Internet attacks today target the name resolution process by attempting to provide the IP addresses of malicious Web sites to DNS queries.
“Probably the most common DNS attack is DNS cache poisoning which tries to pollute the cache of DNS resolvers (such as Google Public DNS or those provided by most ISPs) by injecting spoofed responses to up-stream queries,” according to a blog post from Yuhong Gu, team lead for Google Public DNS.
The counter these attacks, he said, resolvers need to be able to verify the authenticity of the response.
“DNSSEC solves the problem by authenticating DNS responses using digital and public key cryptography,” according to Yuhong.
He said previously Google accepted and forwarded DNSSEC formatted messages but did not do any validation. With the new security feature, Google is now identifying and rejecting invalid responses from DNSSEC-protected domains.
He said each DNS zone has a set of private/public key pairs and each DNS record has a unique digital signature generated and encrypted using the private key. The public key is further authenticated by a series of keys.
“DNSSEC effectively prevents response tampering because in practices signature keys are almost impossible to forge without access to private keys,” he said. “Also resolvers will reject responses without correct signatures.”
The Google Public DNS team lead said DNSSE is still at an early stage and it needs support.
Effective deployment of DNSSEC requires resolvers, especially those of Internet Service Providers and other public resolvers to start validating DNS responses. Domain owners also need to sign their domains. Google said only one third of top level domains have been signed and most of second-level domains are unsigned.