09-04-2018 07:21 PM
Quick question, what's the need of having DNSSEC enabled if Infoblox external DNS security exists in one's environment? I understand that DNSSEC provides authenticity and integrity, it serves as a chain of trust and protects from various attacks like cache poisoning/DNS hijacking etc.
Would appreciate if someone can share any document or insights regarding the reasons of having both in place.
09-04-2018 11:09 PM
The answer is quite simple. DNSSEC ensures that the response which a client received for a recursive query is indeed from the *right* server. As you said, this would save a caching DNS server/client from DNS hijacking/cache poisoning etc.
On the other hand our DNS security solutions like RPZ would ensure that a blacklisted domain is blocked & is not processed by the DNS server. A user can select an appropriate action to handle such requests based on its intensity etc.
Our threat protection solution would safeguard your DNS server from a variety of DNS attacks by analysing the type of DNS traffic / its pattern etc. Our threat insight solution is similar to this. It analyses the DNS requests trend based on the query pattern & blacklists a domain if it's not legitimate.
Hope this makes sense.
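The split described in the answer above, as an added example that is not part of the original posts or any Infoblox code: a toy resolver where the RPZ policy check and the DNSSEC validity check are independent, so each stops a case the other lets through. The names, keys, addresses and the HMAC stand-in for RRSIG verification are constructed assumptions; real DNSSEC uses public-key signatures checked through the DNSKEY/DS chain.

```python
import hashlib
import hmac

# Constructed sample data: per-zone keys standing in for zone signing keys,
# and a one-entry RPZ feed mapping a blocked name to its policy action.
ZONE_KEYS = {
    "bank.example.": b"bank-zone-key",
    "malware.example.": b"malware-zone-key",
}
RPZ_POLICY = {"malware.example.": "NXDOMAIN"}


def sign(name, rdata, key):
    """Stand-in for an RRSIG: HMAC over owner name and record data."""
    return hmac.new(key, f"{name}|{rdata}".encode(), hashlib.sha256).hexdigest()


def dnssec_valid(name, rdata, sig):
    """Authenticity and integrity: was this exact answer signed by the zone?"""
    key = ZONE_KEYS.get(name)
    # Assumption: every zone in this model is signed, so no key means bogus.
    return key is not None and hmac.compare_digest(sign(name, rdata, key), sig)


def rpz_action(name):
    """Policy: is the name blocklisted? Says nothing about answer integrity."""
    return RPZ_POLICY.get(name)


def resolve(name, rdata, sig):
    """Apply both controls, as a validating resolver with RPZ would."""
    action = rpz_action(name)
    if action:
        return f"blocked by RPZ ({action})"
    if not dnssec_valid(name, rdata, sig):
        return "SERVFAIL (DNSSEC validation failed)"
    return f"answer {rdata}"


def demo():
    """Genuine answer, tampered answer, and a correctly signed bad domain."""
    good = sign("bank.example.", "192.0.2.10", ZONE_KEYS["bank.example."])
    bad = sign("malware.example.", "198.51.100.7", ZONE_KEYS["malware.example."])
    return [
        resolve("bank.example.", "192.0.2.10", good),      # passes both checks
        resolve("bank.example.", "203.0.113.66", good),    # rdata altered in transit
        resolve("malware.example.", "198.51.100.7", bad),  # authentic but blocklisted
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The third case is the reason to run both: the malicious zone's answer is perfectly authentic, so only the policy check stops it, while the second case passes policy and is caught only by validation.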
09-05-2018 12:50 AM
Thank you Mohammed Alman.
So you mean the authenticity is provided by DNSSEC and the customers who have not enabled DNSSEC as a product feature are susceptible to various DNS attack risks? How are zone signing and transfer handled in cases where DNSSEC is not enabled wrt the Infoblox solution specifically,