How to Secure your website DNS with DANE ?

DANE : (DNS-based Authentication of Named Entities)

DNS : (Domain Name Server)

Having your website running on SSL is no longer enough since there is no way to know that your if your certificate is a valid one or it is one forged by a Man in the middle type of attack. With DANE adding another layer of security by tying the x509 certificate generated for your own web site to the DNS of your website.

 

This installation would be using DNSSEC on PoweDNS with mysql backend as a dns server

It will use a self signed certificate to show you that it is possible of securing a website using self signed certificates. (no need to purchase one for testing)

Using a self signed certificate is not recommended when you are using a high profile website

For this example will be using the domain of this website vpsie.tk. Note .tk is not a secured top level domain therefore if you verify any domain using .tk you would be most probably getting some error messages.

This is how to add a domain to powerdns and create the most important records. Will assume that’s done already.
First will check the domain to make sure that there are no errors in your records.

 

#pdnssec check-zone vpsie.tk Checked 12 records of 'vpsie.tk', 0 errors, 0 warnings.

Next we will check if your zone is already seccured or not.

 # pdnssec show-zone vpsie.tk
Zone is not actively secured
Zone is not presigned
No keys for zone 'vpsie.tk'.
After we verified and made sure that our domain is not secured. You will need to decide between NSEC3 and NSEC3 narrow. Will be using NSEC3 narrow since using NSEC3 will need to rectify the zone after every change by running pdnssec rectify-zone domain.com but don't want that extra layer of complexity. 
To enable the dnssec for the zone run:

#dnssec secure-zone vpsie.tk
Zone vpsie.tk secured
 Adding NSEC ordering information 
Set the zone as NSEC3 narrow
#pdnssec set-nsec3 vpsie.tk '1 1 10 beef' narrow
NSEC3 set, please rectify-zone if your backend needs it

After you done that let’s check the domain again:

pdnssec show-zone vpsie.tk |grep DS
DS = z0z0.tk IN DS 13847 8 1 432de11bd8a82237725ad709a271b61ab8fe322b ; ( SHA1 digest )
DS = vpsie.tk IN DS 13847 8 2 082cce39ea9b320e38091f5d58ed85879bce37aaf52ebd6bb47f1b20aad03831 ; ( SHA256 digest )
DS = vpsie.tk IN DS 13847 8 3 1179f20f100866dd1c313c8a4e9532154d189b2392dd3d1489961a02436f5c45 ; ( GOST R 34.11-94 digest )
DS = vpsie.tk IN DS 13847 8 4 e62269b6b212a7a060e95bfe3787a0e0dbe811123c83f2563e3a8418a6b1dcf418305def8de9d372392802524b6e41fe ; ( SHA-384 digest )

You will need to add the DS records to your domain registrar. If the registrar does not support that temporarly you can add it to DLV ISC until your registrar would implement it. After everything is set up you can check your dnssec at the Verisign analyzer. http://dnssec-debugger.verisignlabs.com/

 

As I said earlier that .tk does not support DS records therefore in the image you will see the errors related to that.
Now it’s time to create the TLSA Record for your webserver. To do this we are using the TLSA Record Generator (https://ssl-tools.net/tlsa-generator) . When you filled the form click on the Generate button and you will get as result something like this:
Record generator result To add it to the powerdns login to your mysql server which holds the database for the powerdns and run the following command:

 

mysql>insert into records(domain_id, name, type, content, ttl) values (X,'_443._tcp.vpsie.tk.','TLSA','3 0 1 27ece48f3c037aa57fdf17924dc395a86585158d34f3e80bc13d65f9b92a1d7e', '3600');
Query OK, 1 row affected (0.09 sec)

 

where the X = id of your domain will be taken from the domains table.

Check the record of your domain via dig comand:

dig type52 _443._tcp.vpsie.tk ; <<>> DiG 9.8.3-P1 <<>> type52 _443._tcp.vpsie.tk ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63286 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;_443._tcp.vpsie.tk. IN TLSA ;; ANSWER SECTION: _443._tcp.vpsie.tk. 3599 IN TLSA 3 0 1 27ECE48F3C037AA57FDF17924DC395A86585158D34F3E80BC13D65F9 B92A1D7E ;; Query time: 317 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Thu Dec 4 01:34:02 2014 ;; MSG SIZE rcvd: 82

Currently there is no modern browsers does support DANE by default but luckily there is a plugin which can be installed on majority of the modern browsers downloadable – You can find appropriate one to your browser by searching for DANE plugin and browser name.

 

Example : DANE plugin chrome