The Role of DNSSEC (Domain Name System Security Extensions) in IoT

When businesses build their IoT systems, they often focus primarily on the functionality of their products, making it the highest priority. However, given the specific nature of IoT technology, it is crucial not to overlook an equally important aspect: security. These systems handle susceptible data, which can be very appealing to hackers and other malicious actors. At Cogniteq, we place significant emphasis on the security of IoT products delivered by our team. In this article, we would like to share practical insights on the application of DNSSEC solutions in the Internet of Things domain.

Let’s begin with the most basic notions and definitions. DNSSEC is one of the DNS security solutions. That’s why to consider it closer, it is necessary to analyze it in the context of DNS.

The DNS (or the domain name system) is often called the internet’s phonebook as it helps computers to identify each other on the network. Being a hierarchical and decentralized naming system, it is aimed at translating domain names that can be easily perceived by a human into IP addresses that are readable for machines. 

This unseen giant of the online world ensures our digital communications reach their intended destinations by associating various information with domain names.

The DNS plays a crucial role in the online space and digital communication. Thanks to this, we can be sure that the relevant data will be associated with the intended domain name. Nevertheless, without proper protection DNS is quite vulnerable to security threats.

Here, it will be logical to proceed to Domain Name System Security Extensions (DNSSEC). DNSSEC is a suite of extensions that adds a layer of security to DNS by ensuring data origin authentication, data integrity, and authenticated denial of existence. In other words, DNS security extensions act as a shield and protect the DNS from various types of cybercrime.

To better understand the work of DNS security extensions, it’s necessary to take a closer look at its fundamental components. We will further explain the work of DNSSEC using the following terms.

• DNSKEY (DNS Public Key Record). It contains the public key that is used to verify the digital signatures (RRSIG) of DNS records in a specific DNS zone.
• RRSIG (Resource Record Signature). It stores the digital signature of a set of DNS records. It is generated with the help of the DNS zone’s private key. To verify the signature and ensure the integrity of the DNS records, resolvers need to use the corresponding public key.
• DS (Delegation Signer). It is used to provide a chain of trust between a child zone (a subdomain) and its parent zone (the authoritative server for the domain). It contains a hash of the child zone’s DNSKEY and is stored in the parent zone. This enables the parent zone to confirm the authenticity of the child zone's DNSKEY record.
• NSEC (Next Secure Record)/NSEC3. This record is used to prove the non-existence of a domain or record in a particular DNS zone when a DNS resolver queries a domain or record that doesn’t exist. This is important for preventing certain attacks.

Before we proceed to the analysis of the working principle of the DNS security extensions, let’s also have a look at how the DNS functions without them.

A regular unprotected DNS query looks the following way. A user queries a domain. Based on this, the DNS resolver contacts a DNS server to get the corresponding IP address. Then, the DNS server provides the requested information such as the IP address, for example. Nevertheless, this process is not secure. An attacker can easily intercept and modify the response.

DNSSEC has entered the arena to change the game.

How is it possible? DNSSEC enhances the security of DNS by adding digital signatures to DNS records. Such signatures can ensure that the data received from DNS servers is authentic. And that it hasn't been tampered with. In other words, when DNSSEC is applied, all answers to DNS requests will also include not only record types that were initially requested but also so-called RRSIG records.

These digital signatures should be verified with the help of the correct public keys that are contained in the DNSKEY.

It’s vital to highlight that DNS security extensions do not ensure the confidentiality of data. DNS data is not encrypted. However, the DNSSEC protocol provides its authentication which proves that data is provided from a legitimate source. Moreover, it can verify that the data has not been altered while being transmitted. This enhances its integrity.

Given the peculiarities and nature of the Internet of Things systems, it’s quite obvious that IoT solutions greatly differ from traditional web apps. Nevertheless, a lot of IoT devices rely on the DNS for getting the IP addresses of the remote services they may need for different purposes (for example, when they need to send some sense data). 

The use of DNS security solutions in IoT environments is highly important. Without proper protection, DNS messages can be manipulated and IoT devices can be redirected to a malicious service. As a result, user privacy and safety can be jeopardized. Moreover, DNSSEC also provides IoT devices with extra means to check the authenticity of remote services. Here is how it is done.

Integrity and authenticity of DNS data in IoT networks

DNSSEC ensures that DNS responses haven’t been altered during transmission. As well as in the case of any other types of solutions, the DNS resolver in IoT systems verifies the cryptographic signatures in DNS records using the DNSKEY record.

Let’s take a closer look at the role of DNSSEC in cyber security and how it helps to protect IoT systems from various types of attacks.

DNS spoofing (cache poisoning)

DNS spoofing presupposes the redirection of IoT devices to malicious servers. This can result in data theft or control over the device. DNSSEC ensures that DNS responses sent to IoT devices are authentic by adding cryptographic signatures to DNS records. It means that attackers cannot forge DNS responses or inject malicious IP addresses into the device’s DNS cache.

Thanks to this, IoT devices can communicate only with legitimate servers, which reduces the risk of being hijacked by attackers.

Man-in-the-middle attacks (MITM)

IoT systems are also highly vulnerable to man-in-the-middle attacks. In such cases, attackers intercept and alter communication between IoT devices and servers.

With all DNSSEC benefits and characteristics, it can successfully prevent such situations. Because of the protection of DNS queries and responses with digital signatures, even if attackers intercept the traffic, they won’t be able to modify the DNS data without being detected.

Botnet attacks

A botnet (“robot network”) is a term used to describe a network of computers that are infected by malware. IoT devices can be targeted by such botnets with a view of being further hijacked and used in Distributed Denial of Service (DDoS) attacks.

DNSSEC can help mitigate these attacks. This is possible thanks to ensuring that compromised devices cannot be redirected to malicious command-and-control servers via fake DNS entries.

The implementation of DNSSEC is traditionally organized in the following way.

Step 1. Assessment of the IoT infrastructure. First of all, it is necessary to identify the devices that rely on DNS for communication and to check whether their DNS resolvers can support DNSSEC. It is also required to identify the DNS zones that should be protected with DNSSEC. 

Step 2. Configuration of DNSSEC on authoritative DNS servers. For this step, it is necessary to generate public/private key pairs; sign all DNS records in the chosen zone; publish the DS record in the parent zone; and set up procedures for regular key rotation.

Step 3. Configuration of DNSSEC on DNS resolvers. It is necessary to introduce DNSSEC validation on the DNS resolvers. In this case, it is possible to use local DNSSEC-enabled resolvers within the network that you work with or rely on external DNS resolvers like Google Public DNS or Cloudflare DNS.

Step 4. DNSSEC configuration testing. To verify DNSSEC implementation, it is recommended to run tests on the authoritative servers and the DNS resolvers.

Step 5. Implementation of NSEC/NSEC3 for proof of non-existence. This will ensure that attackers cannot spoof non-existent domain responses or infer domain structure from the DNS zone.

Step 6. Integration of DNSSEC with other security protocols. DNSSEC can be combined with other IoT security measures to provide comprehensive protection. The use of DNS over HTTPS or TLS will help to encrypt DNS queries. At the same time, the implementation of PKI (Public Key Infrastructure) will enable secure authentication of IoT devices.

Step 7. General testing and deployment of updates. When DNSSEC is implemented in the IoT network, thorough testing of each aspect of the system is required. With running stress tests and attack simulations, you can be sure that DNSSEC effectively protects IoT devices from these vulnerabilities.

Step 8. Regular monitoring and maintenance. Monitoring of DNS queries and DNSSEC signature validation on IoT devices will help to detect any DNS-related security issues. Thanks to regular updates of DNSSEC keys and maintaining the chain of trust, you can ensure continuous protection of your devices in the IoT network.

The implementation of DNSSEC in IoT environments is often associated with several challenges that should be addressed. Here are some of the key things to take into account.

• Limited processing power. Older or low-power IoT devices may have minimal processing capabilities. Nevertheless, the verification of  DNSSEC cryptographic signatures requires computational resources.
• Limited memory resources. DNSSEC adds overhead by including additional DNSKEY, RRSIG, and DS records in DNS responses. Storing and processing these additional records may be problematic for IoT devices with limited memory.
• Battery life. The process of DNSSEC validation can drain the battery life of low-power IoT devices, especially those that have small batteries.
• Lack of DNSSEC support. Some  IoT devices may not have DNSSEC capabilities. This is particularly problematic in large IoT systems where upgrading or replacing devices is costly.

To address such challenges, it is recommended to introduce external DNS resolvers that can be used to validate DNS responses. In such a case, IoT devices do not need to handle signature verification directly.

• Dynamic IoT devices. As many IoT devices, like wearables, are mobile, they connect to different networks over time. As a result, devices may need to query different DNS resolvers that may or may not support DNSSEC.

When you have such devices, you can use trusted DNS resolvers for mobile IoT devices.

• DNSSEC validation delays. IoT systems often operate in real-time environments. Any delay can impact the performance of time-sensitive apps. However, DNSSEC validation requires signature verification, which can introduce latency

To address this issue, you can use local or edge-based DNS resolvers to minimize latency. This will help to ensure that critical real-time IoT systems are not affected by verification delays.

• Configuration complexity. The implementation of DNSSEC includes a series of steps that can be rather complicated and time-consuming tasks, especially for specialists with limited experience in DNSSEC.

The best way to overcome this challenge is to rely on a professional team, like Cogniteq, that has relevant knowledge and experience in building and protecting IoT systems.

The introduction of DNSSEC in IoT systems can significantly enhance their security and ensure the required protection of sensitive business data. Nevertheless, given some challenges related to this process, it’s important to have some specific knowledge to do it correctly. Proper protection of your business apps and data is key to stable business performance. That’s why you should address it with due diligence.

Need any technical help with your existing IoT network or want to build a new solution? Cogniteq can become your reliable partner. Share your ideas with us and our experts will offer you the best approach to their realization. Do not hesitate to contact us!