DNSSEC Security

DNSSEC is a set of extensions to DNS that lets resolvers verify that the answers they receive are authentic and unmodified. It uses public / private key cryptography much as HTTPS does, except that DNSSEC uses the keys only to sign records, not to encrypt them. The zone operator signs each set of authoritative records (an RRset) with a private key that is kept secret. The signature is published as a special type of DNS record (RRSIG), as is the public key (DNSKEY). A validating resolver that requests an RRset also fetches the RRSIG and DNSKEY records and checks that the signature was produced by the private key matching that public key. If the signature verifies, it is strong evidence that the records are exactly what the zone operator published.

Because the private key never leaves the zone operator, an attacker is unlikely to have it. If forged records are injected into a resolver's cache, they will not carry a valid signature, and a validating resolver will reject them. The public key itself is anchored one level up the hierarchy: each parent zone publishes a DS record containing a hash of its child zone's key, so a resolver can check that the DNSKEY it received is the one the parent vouches for. When looking up blog.webnames.ca, for example, the root zone vouches for the key of .ca, which vouches for the key of webnames.ca, which signs the records for blog, forming a chain of trust back to the root key that resolvers are configured to trust. In reality, DNSSEC is more complex than the sketch I have outlined here, but you should now have a good understanding of what DNSSEC is and why it is an important contributor to the security of your business and customers.
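To make the chain-of-trust step concrete, here is an added example (not code from the original page or from the DNS provider it describes) that computes, in standard-library Python and without network access, the two values a parent zone publishes about a child's key: the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4, here SHA-256, digest type 2). The DNSKEY below is a constructed placeholder for a zone named `example.`, not a real key, and the parent's DS is derived from it in the same script; the point is to show that the legitimate key passes the DS check while an injected substitute key fails it. Applied to a real DNSKEY (with the key's base64 decoded first), the same functions reproduce the DS record your registry shows, which is how you confirm that the DS your registrar holds matches the key your DNS provider actually publishes.

```python
"""Chain-of-trust check: does the parent's DS record authenticate the child's DNSKEY?

Implements the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section
5.1.4) over a constructed DNSKEY. Standard library only, no network access.
"""
import hashlib
import struct

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each prefixed
    with its length, terminated by the empty root label."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except obsolete RSA/MD5):
    even-indexed bytes are added shifted left by 8, odd-indexed bytes as-is, then the
    carry above 16 bits is folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).digest()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation form of the DS record the parent zone would publish."""
    digest_hex = ds_digest(owner, rdata, digest_type).hex().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest_hex}"


def verify_ds(owner: str, rdata: bytes, parent_ds: dict) -> bool:
    """True if the DNSKEY served by the child zone is the one the parent's DS vouches for.
    Key tag, algorithm and digest must all agree; a mismatch in any of them is fatal."""
    return (
        parent_ds["key_tag"] == key_tag(rdata)
        and parent_ds["algorithm"] == rdata[3]
        and parent_ds["digest"] == ds_digest(owner, rdata, parent_ds["digest_type"])
    )


# Constructed example, not a real key: 64 placeholder bytes stand in for an ECDSA P-256
# public key (algorithm 13); flags 257 = ZONE + SEP, i.e. a key-signing key.
ZONE = "example."
CHILD_KSK = dnskey_rdata(flags=257, protocol=3, algorithm=13, pubkey=bytes(range(64)))

# What the parent zone holds for that key (derived here; in reality taken from the parent).
PARENT_DS = {
    "key_tag": key_tag(CHILD_KSK),
    "algorithm": 13,
    "digest_type": 2,
    "digest": ds_digest(ZONE, CHILD_KSK),
}

# A key an attacker might inject in place of the real one (constructed: all-zero key bytes).
ROGUE_KSK = dnskey_rdata(flags=257, protocol=3, algorithm=13, pubkey=bytes(64))


def demo() -> dict:
    """Run the DS check for the legitimate key and for the injected substitute."""
    return {
        "legit_key_tag": key_tag(CHILD_KSK),
        "legit_ok": verify_ds(ZONE, CHILD_KSK, PARENT_DS),
        "rogue_ok": verify_ds(ZONE, ROGUE_KSK, PARENT_DS),
    }


if __name__ == "__main__":
    print(ds_record(ZONE, CHILD_KSK))
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The rogue key fails on the key tag alone here, but `verify_ds` still compares the digest, because key tags are only 16 bits and collisions between keys are possible; the digest is what actually binds the parent to one specific key.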

Given the protection that validated DNS answers provide, one might ask why more businesses are not using DNSSEC. Unfortunately, awareness of DNSSEC, and of DNS security in general, is still lacking. While some government agencies and financial institutions now require DNSSEC on their domain names, the MUSH sector (municipalities, universities, schools, hospitals), ISPs and ecommerce retailers still lag behind. We take the extra step and have adopted this important aspect of security for all our clients.

You can check here to verify it is enabled for your site: DNSSEC Verification. (A validating resolver sets the AD flag on answers it has verified; `dig +dnssec` against such a resolver shows the flag and the RRSIG records.)

What is a DDoS Attack

A Distributed Denial of Service (DDoS) attack seeks to make an online service unavailable to its end users, typically by flooding it with traffic from many sources at once. Our DNS servers provide mitigation of DDoS attacks, including DNS-specific attacks and volumetric or protocol attacks at OSI Layers 3, 4 and 7.

Our DNS network is built to automatically monitor and mitigate large DDoS attacks.

Why Anycast

  • Load Balancing / Speed Boost: The Anycast network has 27 POPs (points of presence) serving every domain. Queries are routed to the nearest POP by geographic source and server load, which has an immediate positive effect on response times.
  • Improved Reliability: Anycast spreads each nameserver address across multiple geographically dispersed servers, so traffic is rerouted away from any POP suffering an outage or degraded performance, supporting the highest SLA possible.
  • Multiple DDoS Protection Providers: DDoS attacks are quickly neutralized because a large number of mitigation providers localize each attack, confining it to a portion of the Anycast DNS group and a portion of our network and minimizing the risk of downtime.
  • Multiple DDoS Cleaning Facilities: An additional security layer detects malicious traffic and scrubs it before it reaches our DNS server network.
  • Real Hardware at Each POP: The DNS network uses dedicated hardware at each POP, keeping the response time for each domain almost instantaneous.
  • Route Monitoring on Every POP: The Anycast system continuously analyses the shortest paths to each POP, both local and global, and reroutes queries through the lowest-latency location with zero downtime.
  • Dual Stack Network: The Anycast network is fully dual stack, with IPv4 and IPv6 available at each POP.
  • Autonomous System: What truly sets our system apart is its autonomous response, issued within 15 seconds, which reduces the need for human intervention.