DNSSEC service

Protect your data from DNS cache poisoning

Understanding DNSSEC

A DNS server obtains the IP address that corresponds to a specific domain name (the website URL). It can be seen as a sort of directory. Your browser needs the IP address to contact the web server hosting the website you want to visit. The IP address identifies each machine connected to the internet in a unique manner, exactly like a phone number. It's a small but crucial link for internet security.

In recent years, hackers have developed methods of poisoning DNS servers that enable them to divert traffic to their servers (phishing etc.) by falsifying the responses given by the DNS directory.

Enable DNSSEC

This guide will show you how to configure a DNSSEC zone on your dedicated server.

See the guide

What is a DNS?

The user enters www.ovh.com in their browser. A query is then sent to the DNS server, which returns the corresponding IP address: 213.186.33.34.

The internet browser now knows the IP address of the server hosting the page. It then sends a query to this IP address which returns the content of the page.

What's the danger? Cache Poisoning

A hacker has discovered a flaw in the DNS server. They manage to access the server and replace the IP address corresponding to www.ovh.com with one belonging to them: 203.0.113.78.

When the user enters www.ovh.com in their browser, the DNS server will retrieve the IP address added by the hacker instead of the real one.

The browser uses this IP address to obtain the site's content. The rogue server sends back a page that looks like www.ovh.com, which can be used to obtain the user's personal data (phishing).

What is DNSSEC?

DNSSEC guarantees the authenticity of the DNS response. When the browser sends a request, it receives an authentication key, certifying that the IP provided is correct.

An IP validated by DNSSEC therefore guarantees that the user will be granted access to the correct website.

If a hacker tries to modify the table in a DNS server protected by DNSSEC, it will refuse the request, as the information supplied will not have been signed.