DNSSEC service

Protect your data from DNS cache poisoning

Understanding DNSSEC

A DNS server obtains the IP address that corresponds to a specific domain name (the website URL). It can be seen as a sort of directory. Your browser needs the IP address to contact the web server hosting the website you want to visit. The IP address uniquely identifies each machine connected to the internet, exactly like a phone number. The DNS server is a small but crucial link for internet security.

In recent years, hackers have developed methods of infecting DNS servers that enable them to divert traffic to their own servers (phishing etc.) by falsifying the responses given by the DNS directory.

Enable DNSSEC

Learn how to configure a DNSSEC zone on your dedicated server.

What is a DNS?

The user enters www.ovh.co.uk in their browser. A query is then sent to the DNS server, which returns the corresponding IP address: 213.186.33.34.

The internet browser now knows the IP address of the server hosting the page www.ovh.co.uk. It then sends a query to this IP address, which returns the content of the page.

What's the danger? Cache Poisoning

A hacker has discovered a flaw in the DNS server. They manage to access the server and replace the www.ovh.co.uk IP address with an address belonging to them: 203.0.113.78.

When the user enters www.ovh.co.uk in their browser, the DNS server returns the IP address added by the hacker, 203.0.113.78, instead of the real one.

The browser uses this IP address to obtain the site's content. The rogue server sends back a page which looks like www.ovh.co.uk, for example to obtain the user's personal data (phishing).

What is DNSSEC?

DNSSEC secures the authenticity of the DNS response. When the browser sends a request, the response comes back with an authentication key, certifying that the IP address given is correct.

The user is then guaranteed access to the correct website when they receive an IP address validated by DNSSEC.

If a hacker tries to modify the table contained in a DNS server protected by DNSSEC, the server will refuse the requests because the information sent is not signed.
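The check a client can make on a DNS response, as an added example (not OVH's code): it reads the AD ("Authenticated Data") header flag set by a validating resolver and looks for an RRSIG record covering the A record. The three messages are constructed for illustration, the signature bytes are a placeholder, and the code does not verify the signature itself.

```python
import struct

TYPE_A, TYPE_RRSIG = 1, 46
AD = 0x0020  # "Authenticated Data" header flag set by a validating resolver

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def inspect_response(msg):
    """Extract the DNSSEC-relevant fields from a raw DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs, signed = [], False
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == TYPE_A:
            addrs.append(".".join(map(str, rdata)))
        elif rtype == TYPE_RRSIG and rdata[:2] == struct.pack("!H", TYPE_A):
            signed = True                      # RRSIG whose "type covered" is A
    return {"ad": bool(flags & AD), "rcode": flags & 0xF,
            "addresses": addrs, "rrsig_for_a": signed}

def trustworthy(info):
    """True only for a successful answer the resolver marked as validated."""
    return info["rcode"] == 0 and info["ad"] and info["rrsig_for_a"]

# --- constructed sample messages (not captured traffic) ---
def _name(s):
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\x00"

def _build(flags, records):
    q = _name("www.ovh.co.uk") + struct.pack("!HH", TYPE_A, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd for t, rd in records)
    return struct.pack("!6H", 0x1234, flags, 1, len(records), 0, 0) + q + rrs

SIG = struct.pack("!HBBIIIH", TYPE_A, 13, 4, 300, 0, 0, 0) + _name("ovh.co.uk") + bytes(64)
VALIDATED = _build(0x81A0, [(TYPE_A, bytes([213, 186, 33, 34])), (TYPE_RRSIG, SIG)])
UNSIGNED = _build(0x8180, [(TYPE_A, bytes([203, 0, 113, 78]))])   # forged answer, no AD
SERVFAIL = _build(0x8182, [])   # what a validating resolver returns on failed validation
```

The AD flag is only as reliable as the resolver that set it and the network path to that resolver, so this check belongs behind a trusted validating resolver.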