This guide shows you how to enable DNSSEC in cPanel and at your domain registrar in order to protect your domain against man-in-the-middle attacks, cache poisoning attacks and other types of DNS forgery.
Given how the Internet presently defines every aspect of our lives, it is easy to forget that the Domain Name System (DNS) at its core is held together with duct tape.
When DNS was designed in the 1980s, the Internet was much smaller and security was never a consideration, as those within the network trusted each other.
The world has changed.
Advances in technology have made the Internet part of the fabric of our day-to-day existence.
This has created opportunities for DNS exploits, including DNS spoofing/cache poisoning, DNS tunneling, DNS hijacking, NXDOMAIN attacks, phantom domain attacks, botnet-based CPE attacks, and others.
Consider a recursive resolver that sends a query to an authoritative name server.
As things stand, the resolver has no way of verifying the authenticity of the response.
It can only check that the response appears to have come from the IP address the original query was sent to; it cannot easily detect a forged response to one of its queries.
An attacker can masquerade as the authoritative server and hijack the DNS lookup to send a user to a fraudulent website that distributes malware or collects personal information without the user realizing it.
The engineers in the Internet Engineering Task Force (IETF), the organization responsible for the DNS protocol standards, knew about this weakness and searched for a solution.
This effort resulted in what we know today as the Domain Name System Security Extensions (DNSSEC).
DNSSEC, designed to be backward-compatible, is a set of extensions that add security to the DNS protocol by implementing a hierarchical digital signing scheme across all layers of the DNS.
One of its core functions is to serve as effective protection against DNS spoofing attacks … when implemented correctly.
Data origin authentication allows a resolver to cryptographically verify that the data it received actually came from the zone where it believes the data originated.
Data integrity protection allows the resolver to know that the data has not been modified in transit since it was signed by the zone owner with the zone’s private key.
In keeping with our promise that our customers will always get access to the best and latest features that cPanel offers, we are happy to announce that you can now enable DNSSEC for your domain on all of our cPanel production servers.
We have created a detailed guide on how to do this at https://dashboard.webhostingmagic.com/knowledgebase/23/DNSSEC
When you enable it, DNSSEC adds a layer of authentication on top of your DNS, giving you a way to avoid the issues mentioned above.
At the moment, DNSSEC is not automatic.
After creating the key in cPanel, you, the domain name owner, must complete the setup by publishing the zone’s DS record through your domain registrar.
The process differs from registrar to registrar, but just as you can make other changes to a zone’s delegation (such as its authoritative name servers), you can also publish the zone’s public key material (the DS record) to complete the DNSSEC setup.
On this page, we have listed some of the most common domain registrars used by our customers who host their DNS outside our systems.
If yours is not listed, please contact your domain registrar support team for help.
BIG WARNING: DO NOT IGNORE THIS WARNING
The first question you really need to ask yourself is: should I enable DNSSEC?
You need to answer this question because enabling DNSSEC fundamentally alters the way you manage your domain and DNS records.
For example, once you enable DNSSEC for your domain, you cannot change your name servers willy-nilly.
Before changing name servers, you have to disable DNSSEC and wait at least 72 hours before making the change.
Failure to do that may result in your domain not resolving.
Another example is when you transfer a domain name to another registrar or web hosting provider.
You first have to remove the Delegation Signer (DS) records and wait for the change to propagate before initiating the transfer.
If you do not remove the old DS records at the registrar, the domain may suffer DNS resolution failures because its responses no longer pass DNSSEC validation.
Now that this is out of the way, below are links you may need to complete DNSSEC enablement at your domain registrar.
| Registrar | Instructions |
| --- | --- |
| 123 Reg | Contact your registrar’s customer support and provide the DS record data you generated at Web Hosting Magic cPanel. |
| DNSimple | |
| domaindiscount24 | |
| dotster | Contact your registrar’s customer support and provide the DS record data you generated at Web Hosting Magic cPanel. |
| DreamHost | In DreamHost, use 2 as the Digest Type instead of SHA256. |
| dynadot | |
| Enom | At the time of this writing, Enom’s default name servers do not support creating the resource records needed for a proper DNSSEC chain. Learn more at Adding a DNSSEC to a Domain Name. |
| gandi | In gandi, make sure you select Algorithm 13 in the Algorithm dropdown. |
| GoDaddy | To configure a DS record with GoDaddy, perform the following steps: |
| godzone | Contact your registrar’s customer support and provide the DS record data you generated at Web Hosting Magic cPanel. In the godzone web control panel, you might be able to add a DS record under the Domains tab. |
| Google Domains | If you’re using Google Domains name servers, you can turn on DNSSEC with one click. Follow these instructions: When you turn on DNSSEC, it takes roughly 2 hours to activate completely. When you turn it off, there is a delay of up to 2 days before deactivation. If you have custom name servers, you may need a third-party DNS provider to configure DNSSEC for your domain. Additionally, you must activate DNSSEC on Google Domains. Follow the instructions below: Google Cloud DNS & DNSSEC: If DNSSEC was enabled during DNS zone creation, set DNSSEC to On and click Save. Google Cloud DNS will create the DNSSEC records for public keys (DNSKEY), signatures (RRSIG) and authenticated denial of existence (NSEC, or NSEC3 and NSEC3PARAM) to authenticate your zone’s contents, and will manage them automatically. Once this is done, it is time to deal with the registrar part: click the zone name, then Registrar Setup at the top right, to view the DNSSEC resource records to enter for your domain. These are the values you need to secure the domain name at your registrar. |
| hover | |
| internet.bs | Contact your registrar’s customer support and provide the DS record data you generated at Web Hosting Magic cPanel. You might be able to add a DS record: |
| Joker.com | In Joker.com, use 2 as the Digest Type instead of SHA256. |
| MarkMonitor | MarkMonitor supports Algorithm 13 and automatically uses the Extensible Provisioning Protocol (EPP) to pass DS records to the registry for the following TLDs: .com, .biz, .net, .org, .us, .eu, .fr, .de, .co, .lu, .ch, .be, .li, .co.uk, .wf, .tf, .pm, .yt, .se, .af, .cx, .gs, .hn, .ki, .nf, .sb, .tl, .re. To add a DS record, enter the DS data in the DNSSEC Details panel of the MarkMonitor management portal. |
| Moniker | Contact your registrar’s customer support and provide the DS record data you generated at Web Hosting Magic cPanel. You might be able to add a DS record: |
| name.com | |
| namecheap | To configure a DS record with Namecheap, perform the following steps: |
| OpenSRS | To configure a DS record with OpenSRS, perform the following steps: |
| nameISP | How do I enable DNSSEC for my domain? Enabling DNSSEC in nameISP does not require you to copy and paste the DS record data from your Web Hosting Magic cPanel account. |
| namesilo | |
| OVH | OVH supports DNSSEC with Algorithm 13 through their API. See the documentation. OVH also supports adding the DS record via their DNS Manager. |
| Public Domain Registry | Contact your registrar’s customer support and provide the DS record data you generated at Web Hosting Magic cPanel. This registrar might support only a limited set of TLDs. |
| register.com | Contact your registrar’s customer support and provide the DS record data you generated with Web Hosting Magic cPanel. |
| registro.br | DNS e DNSSEC Tutoriais (DNS and DNSSEC tutorials, in Portuguese) |
| Tsohost | Contact your registrar’s customer support and provide the DS record data you generated with Web Hosting Magic cPanel. |
When DNSSEC has been successfully applied to your domain, you can confirm this by reviewing the WHOIS information for your domain.
Domains with DNSSEC will show “signedDelegation” in the DNSSEC field.
You can also use an online tool such as http://dnsviz.net/ or https://dnssec-analyzer.verisignlabs.com/ to validate your DNSSEC chain.
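Whatever form your registrar uses, the four DS fields you enter (key tag, algorithm, digest type, digest) must match the DNSKEY that cPanel generated; the Digest Type 2 and Algorithm 13 notes in the table above are exactly where this goes wrong. The Python below is an added example, not cPanel's or any registrar's code: it recomputes the DS record from the DNSKEY fields shown in cPanel (zone name, flags, protocol, algorithm, base64 public key) and rejects a form entry that does not match. The zone name example.com, the KSK flags value 257 and the all-0x42 key bytes are constructed sample values.

```python
"""Recompute a DS record from a DNSKEY and compare it with what was typed at the
registrar. Added example, not cPanel's or any registrar's code (RFC 4034 key
tag, RFC 4509 digest type 2 = SHA-256)."""
import base64
import hashlib

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest type codes

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the zone name: lowercase, length-prefixed labels, root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(zone, flags, protocol, algorithm, pubkey_b64, digest_type=2) -> str:
    """'keytag algorithm digesttype DIGEST', exactly as the parent zone publishes it."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](owner_wire(zone) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"

def ds_matches(zone, flags, protocol, algorithm, pubkey_b64, registrar_ds: str) -> bool:
    """True only if all four fields entered at the registrar match this DNSKEY; catches a
    wrong Algorithm dropdown, digest type 1 vs 2, or a digest copied from another key."""
    parts = registrar_ds.split()
    if len(parts) != 4 or not parts[2].isdigit() or int(parts[2]) not in DIGESTS:
        return False
    tag, alg, dtype, digest = parts
    expected = make_ds(zone, flags, protocol, algorithm, pubkey_b64, int(dtype))
    return expected.split() == [tag, alg, dtype, digest.upper()]

# Constructed sample: KSK (flags 257), algorithm 13 (ECDSA P-256), 64 key bytes all 0x42.
# Not a valid curve point; it only exercises the record arithmetic.
SAMPLE_KEY_B64 = base64.b64encode(b"\x42" * 64).decode()

if __name__ == "__main__":
    ds = make_ds("example.com", 257, 3, 13, SAMPLE_KEY_B64)
    print("DS for the registrar form:", ds)  # starts "19542 13 2 "
    print("form matches DNSKEY:", ds_matches("example.com", 257, 3, 13, SAMPLE_KEY_B64, ds))
```

Paste the zone name and the DNSKEY values from cPanel into `make_ds`, and run `ds_matches` against the text you typed into the registrar form before saving it.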