Protect your domain against cache poisoning.
A DNS server is used to obtain the IP address that corresponds to a domain name (the website URL, and it can be seen as a directory. The IP address is needed so that your browser can contact the web server responsible for the site you want to visit, as the IP address identifies each machine connected to the internet in a unique manner, exactly like a phone number. It's a small but crucial link for internet security.
In recent years, hackers have developed methods of infecting DNS servers which enable them to divert traffic to their servers (phishing etc.) by falsifying the responses given by the DNS directory.
To find out how to configure DNSSEC on your dedicated server, follow this guide.
What is a DNS?
The user enters the address www.ovh.ie in the internet browser. A query is sent to the DNS server which returns the corresponding IP address: 18.104.22.168.
The internet browser now knows the IP address of the server containing the page www.ovh.ie. It sends a query to this IP address which returns the page content.
Danger: Cache Poisoning
A hacker has discovered a flaw in the DNS server. They manage to get into the server and change the address corresponding to www.ovh.ie us in the IP of a server that belongs to them: 203.0.113.78.
When the user enters the address www.ovh.ie, the browser goes to the DNS server to retrieve the corresponding IP address. The infected DNS returns the address made by the hacker: 203.0.113.78.
The browser uses this IP address to obtain the site's content. The rogue server sends back a page like www.ovh.ie, for example to obtain their personal data (phishing).
What is DNSSEC?
DNSSEC secures the authenticity of the DNS response. When the browser sends a request, it comes back with an authentication key, certifying that the IP given is correct.
The user is then given access to the right place on receiving an IP validated by DNSSEC
If a hacker tries to modify the table contained in the DNS server protected by DNSSEC, it will refuse the requests as the information sent is not signed.
Check out the interview with Stéphane Lesimple, domain names manager at OVH.