
How to Secure Your Website DNS with DANE?


 

What do you have to know about this?

DANE : (DNS-based Authentication of Named Entities)

DNS : (Domain Name Server)

Running your website over SSL is no longer enough, since there is no way to know whether your certificate is a valid one or one forged in a man-in-the-middle attack. DANE adds another layer of security by tying the X.509 certificate generated for your website to the DNS of your website.

This installation uses DNSSEC on PowerDNS with a MySQL backend as the DNS server.

It will use a self-signed certificate to show that it is possible to secure a website using self-signed certificates (no need to purchase one for testing).

Using a self-signed certificate is not recommended for a high-profile website.

For this example we will be using the domain of this website, vpsie.tk. Note that .tk is not a secured top-level domain, so if you verify any domain under .tk you will most probably get some error messages.

We will assume the domain has already been added to PowerDNS and its most important records created.
First we will check the domain to make sure that there are no errors in your records.

# pdnssec check-zone vpsie.tk
Checked 12 records of 'vpsie.tk', 0 errors, 0 warnings.

Next we will check whether your zone is already secured.

# pdnssec show-zone vpsie.tk
Zone is not actively secured
Zone is not presigned
No keys for zone 'vpsie.tk'.

Now that we have verified that the domain is not secured, you will need to decide between NSEC3 and NSEC3 narrow. We will be using NSEC3 narrow, since with NSEC3 you need to rectify the zone after every change by running pdnssec rectify-zone domain.com, and we don't want that extra layer of complexity.
To enable DNSSEC for the zone run:

# pdnssec secure-zone vpsie.tk
Zone vpsie.tk secured
Adding NSEC ordering information

Set the zone as NSEC3 narrow:

# pdnssec set-nsec3 vpsie.tk '1 1 10 beef' narrow
NSEC3 set, please rectify-zone if your backend needs it

After you have done that, let's check the domain again:

# pdnssec show-zone vpsie.tk | grep DS
DS = z0z0.tk IN DS 13847 8 1 432de11bd8a82237725ad709a271b61ab8fe322b ; ( SHA1 digest )
DS = vpsie.tk IN DS 13847 8 2 082cce39ea9b320e38091f5d58ed85879bce37aaf52ebd6bb47f1b20aad03831 ; ( SHA256 digest )
DS = vpsie.tk IN DS 13847 8 3 1179f20f100866dd1c313c8a4e9532154d189b2392dd3d1489961a02436f5c45 ; ( GOST R 34.11-94 digest )
DS = vpsie.tk IN DS 13847 8 4 e62269b6b212a7a060e95bfe3787a0e0dbe811123c83f2563e3a8418a6b1dcf418305def8de9d372392802524b6e41fe ; ( SHA-384 digest )

You will need to add the DS records at your domain registrar. If the registrar does not support that, you can temporarily add them to DLV ISC until your registrar implements it. After everything is set up you can check your DNSSEC with the Verisign analyzer: http://dnssec-debugger.verisignlabs.com/

 

As I said earlier, .tk does not support DS records, so in the image you will see the errors related to that.
Now it's time to create the TLSA record for your web server. To do this we are using the TLSA Record Generator (https://ssl-tools.net/tlsa-generator). When you have filled in the form, click on the Generate button and you will get a result something like this:

(Image: record generator result)

To add it to PowerDNS, log in to the MySQL server which holds the PowerDNS database and run the following command:

mysql>insert into records(domain_id, name, type, content, ttl) values (X,'_443._tcp.vpsie.tk.','TLSA','3 0 1 27ece48f3c037aa57fdf17924dc395a86585158d34f3e80bc13d65f9b92a1d7e', '3600');
Query OK, 1 row affected (0.09 sec)

where X is the id of your domain, taken from the domains table.

Check the record of your domain with the dig command:

# dig type52 _443._tcp.vpsie.tk
; <<>> DiG 9.8.3-P1 <<>> type52 _443._tcp.vpsie.tk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63286
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_443._tcp.vpsie.tk. IN TLSA
;; ANSWER SECTION:
_443._tcp.vpsie.tk. 3599 IN TLSA 3 0 1 27ECE48F3C037AA57FDF17924DC395A86585158D34F3E80BC13D65F9 B92A1D7E
;; Query time: 317 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 4 01:34:02 2014
;; MSG SIZE rcvd: 82
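The check a DANE client performs on this record can be reproduced locally to confirm that the published TLSA data still matches the certificate the web server presents, for example after a certificate renewal. The following is an added example, not code from the original page or from PowerDNS; the function names are hypothetical, SAMPLE_PEM is a constructed placeholder rather than a real certificate, and only selector 0 (full certificate), the form used in the record above, is handled.

```python
import hashlib
import hmac
import ssl

# RFC 6698 matching types: 1 = SHA-256, 2 = SHA-512 (0 = raw bytes, no digest)
_DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}

# Constructed sample input: a PEM wrapper around placeholder bytes, not a real
# certificate. For a live check use ssl.get_server_certificate((host, 443)).
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnRpZmljYXRl\n"
    "-----END CERTIFICATE-----\n"
)


def tlsa_owner(host, port=443, proto="tcp"):
    """Owner name of the TLSA record, e.g. _443._tcp.vpsie.tk."""
    return "_%d._%s.%s." % (port, proto, host.rstrip("."))


def parse_tlsa(rdata):
    """Parse '<usage> <selector> <mtype> <hex>'; dig may split the hex."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("expected usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3:]))
    if mtype in _DIGESTS and len(data) != _DIGESTS[mtype]().digest_size:
        raise ValueError("data length does not fit the matching type")
    return usage, selector, mtype, data


def make_tlsa(cert_pem, usage=3, mtype=1):
    """Record content for the full certificate (selector 0), as on the page."""
    der = ssl.PEM_cert_to_DER_cert(cert_pem)
    data = _DIGESTS[mtype](der).digest() if mtype in _DIGESTS else der
    return "%d 0 %d %s" % (usage, mtype, data.hex())


def cert_matches(cert_pem, rdata):
    """True if the certificate the server presents matches the TLSA RDATA."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if selector != 0 or mtype not in (0, 1, 2):
        raise ValueError("only selector 0 with matching type 0-2 handled here")
    # Recompute the association data from the certificate, then compare bytes
    presented = parse_tlsa(make_tlsa(cert_pem, usage, mtype))[3]
    return hmac.compare_digest(presented, data)
```

Both the lower-case form inserted through MySQL and the upper-case, space-split form printed by dig parse to the same bytes, so either can be passed to cert_matches unchanged.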

Currently no modern browser supports DANE by default, but luckily there is a plugin that can be installed on the majority of modern browsers. You can find the appropriate one for your browser by searching for "DANE plugin" and the browser name.

Example: DANE plugin chrome

 


DANE stands for DNS-based Authentication of Named Entities. It is a security protocol that uses the DNS system to verify the authenticity of digital certificates used in secure connections.

DANE adds a layer of security to the DNS system, which translates domain names into IP addresses. It does this by allowing website owners to publish their digital certificates in DNS records, which can be verified by clients attempting to connect to the website.

DANE is essential for website security because it helps to prevent man-in-the-middle attacks and other forms of DNS hijacking, which can be used to steal sensitive data or compromise website security. By verifying the authenticity of digital certificates through DNS records, DANE provides an additional layer of protection against these types of attacks.

Implementing DANE for your website requires a few steps. First, you must obtain a digital certificate from a trusted Certificate Authority (CA) and configure your web server to use it. Then, you will need to add a DNS record to your domain’s DNS zone file that specifies the details of your digital certificate, including its public key and signature. Finally, you will need to configure your web server to use DANE to verify the authenticity of the digital certificate during secure connections.

While DANE has yet to be widely supported by web browsers, several browsers support it, including Firefox, Chrome, and Opera. Additionally, there are plugins and extensions available that can add support for DANE to other browsers.

DANE can be used with other website security protocols, such as SSL/TLS and DNSSEC, to provide a comprehensive and multi-layered approach to website security. By combining these protocols, website owners can protect their websites against various security threats.
