DNSSEC improves the trust and integrity of DNS. Often referred to
as the phone book of the Internet, DNS translates domain names into
numeric Internet addresses. However, DNS is a fundamentally insecure
protocol. It does not guarantee where DNS records come from, and it
accepts any address given to it, no questions asked.
Cloudflare offers easy-to-use DNSSEC, and it only takes a few
minutes to set up.
DNSSEC adds a layer of security to an otherwise insecure protocol by verifying DNS records using cryptographic signatures. By checking the signature associated with a record, DNS resolvers can verify that the requested information comes from its authoritative nameserver and not a man-in-the-middle attacker. With DNSSEC, those visiting your domain are guaranteed to see the content on your website and not somebody else’s web server.
Learn more about how DNSSEC works.
DNS cache poisoning and answer forgery has been a known
vulnerability in the global DNS infrastructure since the beginning of
DNS, for example the well-known
Cache poisoning occurs when an attacker tricks a
DNS nameserver into storing incorrect records. Until the cache entry
expires, that nameserver will return the fake DNS records to everyone
else that asks.
This allows an attacker to hijack traffic to your website. Instead
of being directed to your website when they type your domain into a
web browser, your visitors are routed to somebody else’s server
without even knowing something went wrong. Attackers can use DNS
hijacking for phishing schemes, serving unsolicited advertisements,
monitoring web traffic, and blocking access to specific domains.
If you care about the integrity and reputation of your website,
you should care about DNSSEC.
DNSSEC adds a layer of security to an otherwise insecure protocol by
verifying DNS records using cryptographic signatures. By checking the
signature associated with a record, DNS resolvers can verify that the
requested information comes from its authoritative nameserver and not a
man-in-the-middle attacker. With DNSSEC, those visiting your domain are
guaranteed to see the content on your website and not somebody else’s
With Universal DNSSEC, your web property will benefit from:
DNSSEC prevents man-in-the-middle attacks by establishing a chain
of trust all the way up to the root DNS nameservers. This chain of
trust ensures that the DNS records a visitor asked for haven’t been
tampered with en-route.
Cloudflare’s unique DNSSEC implementation leverages
elliptic curve cryptography
to prevent attackers from walking your zone and discovering private DNS records.
Top-level domains (TLDs) like .bank and .trust are designed to
convey trust to visitors. This is accomplished by requiring domain
owners to follow various security protocols, including DNSSEC.
Implementing DNSSEC on your own can be a difficult, error-prone
process. Cloudflare lets you fulfill your DNSSEC requirement with only
a few clicks.
Cloudflare protects billions of requests a day with DNSSEC. That’s
hundreds of millions of people a week protected from DNS cache
poisoning and man-in-the-middle attacks.
Universal DNSSEC is built on top of the Cloudflare network, which
has withstood some of the largest DDoS attacks in the world. We’ve
even taken special precautions
to make sure our DNSSEC implementation isn’t abused for DDoS amplification attacks.
You can rest assured that your DNS records are returned to visitors quickly and efficiently, even when
your website is under attack.
Cloudflare helped Montecito Bank & Trust secure their domain and fulfill the requirements of the .bank extension. Read our case study to learn more
Universal DNSSEC is now available to all websites on Cloudflare, for
free. We’ll do all the heavy lifting by signing your zone and managing
the keys. Protecting your domain from DNS forgeries is just a few clicks
away. All you need to do is enable DNSSEC in your Cloudflare dashboard
and add one DNS record to your registrar.
Once your registrar publishes the DS record, your domain will be
DNSSEC-enabled. You can verify your DNSSEC configuration with the
Universal DNSSEC is designed to work seamlessly with all other
Cloudflare security and performance features, including Universal SSL, a
global CDN, and automatic web content optimization.
Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.
Everyone’s Internet application can benefit from using Cloudflare.Pick a plan that fits your needs.
for personal websites and blogs
Our mission is to build a better Internet. We believe every website should have free access to foundational security and performance. Cloudflare's Free plan has no limit on the amount of bandwidth your visitors use or websites you add.
If you want to make your site even faster and more resilient, you can easily upgrade to one of our higher tier plans.