Contact Us

DNS Server Security Solutions

With no inherent security, Domain Name System (DNS) servers at a host of organizations have been repeatedly compromised to enable a host of malicious endeavors, including cache poisoning, redirecting phone calls, man-in-the-middle attacks to steal passwords, rerouting email, denial of service attacks, and more.

Domain Name Systems Security Extensions (DNSSEC) secures the DNS server hierarchy by digitally signing DNS records in order to ensure that the messages received are the same as those that were sent.

DNS Server Security Requires Strong Key Security

DNS Server Security - Key Security Icon

DNSSEC essentially implements public key infrastructures (PKI) to provide a method of secure communication between DNS servers. As a PKI, DNSSEC requires some new procedures such as key generation, signing, and key management. But, for all the potential benefits of DNSSEC, the intended gains aren’t guaranteed because the resource records introduced by DNSSEC are kept in an unencrypted file.

It is only when the entire DNSSEC infrastructure is fully and comprehensively secured that organizations can begin to fully enjoy DNSSEC’s benefits. To do so, they need capabilities to do the following:

  • Secure digital signatures. DNS messages need to be digitally signed in order to ensure the validity of DNS services.
  • Control access. Organizations need to ensure only authorized customers and internal staff can access sensitive applications and data.
  • Maintain application integrity. All associated application code and processes need to be secured to ensure integrity and prohibit unauthorized application execution.
  • Scale to accommodate high volume processing. Since DNS updates are very frequent, DNSSEC infrastructures need to deliver the performance and scalability required to ensure timely processing at all times.

DNS Server Security with Hardware Security Modules

Hardware Security Module Icon

To ensure the validity of DNS services, DNSSEC employs public key cryptography to digitally sign DNS messages. To realize the security required, robust protection of private signing keys is vital. If the keys and their corresponding digital certificates are compromised, the chain of trust in the DNS hierarchy is broken, rendering the entire system obsolete. This is where hardware security modules (HSMs) come into play.

HSMs are dedicated systems that physically and logically secure the cryptographic keys and cryptographic processing that are at the heart of digital signatures. HSMs support the following functions:

  • Life-cycle management, including key generation, distribution, rotation, storage, termination, and archival.
  • Cryptographic processing, which produces the dual benefits of isolating and offloading cryptographic processing from application servers.

By storing cryptographic keys in a centralized, hardened device, HSMs can eliminate the risks associated with having these assets housed on disparate, poorly secured platforms. In addition, this centralization can significantly streamline security administration.

SafeNet HSMs for DNSSEC:

  • Support DNSSEC Anchor Trust systems
  • Key security for root and entire DNS hierarchy-ZSK and KSK
  • Powerful cryptographic engine offloads cryptographic burden from DNS server
  • Broad array of HSMs fits multiple DNSSEC requirements
  • Standard APIs including PKCS#11, Java, MS CAPI
  • FIPS validated and Common Criteria certified models available
  • Integrates with leading DNS platforms such as OpenDNSSEC, BIND 9.7, FreeBSD

Download These Featured Resources

HSMs for DNSSEC - Solution Brief

For root, top level domain and enterprise level DNS hierarchies, SafeNet HSMs combine the strongest cryptographic security with the highest performance, reliability and ease of integration f

Get this resource

Building Trust into DNS - White Paper

For all the benefi ts of an open Internet, there is a dangerous fl ip side. Domain name system (DNS) servers are a perfect case in point. With no inherent security, DNS servers at a host of

Get this resource

Crypto 101 - What about the Cryptographic keys - ebook

Organizations need to take centralized approach to securing different types of data in multiple environments as well as managing and maintaining encryption keys and crypto resources.

Get this resource

An Anchor of Trust in a Digital World - White Paper

Considering the growing exposure and potential ramifications of information incidents – such as failed regulatory audits, fines, litigation, breach notification costs, market set-backs

Get this resource
Back to Top

Contact Us

Thank you for your interest in our products. Please fill out and submit the form to receive more information about Gemalto or to be contacted by a Gemalto specialist.

Your Information

* Email Address:  
* First Name:  
* Last Name:  
* Company Name:  
* Phone:  
* Country:  
* State (US Only):  
* Province (Canada/Australia Only):  
Comments:  
 


By submitting this form I agree to receive information from Gemalto and its affiliates as described in our Privacy statement.