Universal DNSSEC

Secure Your Domain Against DNS Vulnerabilities, For Free.

DNSSEC improves the trust and integrity of DNS. Often referred to as the phone book of the Internet, DNS translates domain names into numeric Internet addresses. However, DNS is a fundamentally insecure protocol. It does not guarantee where DNS records come from, and it accepts any address given to it, no questions asked.

Cloudflare offers easy-to-use DNSSEC, and it only takes a few minutes to set up.

What Is DNSSEC?

DNSSEC adds a layer of security to an otherwise insecure protocol by verifying DNS records using cryptographic signatures. By checking the signature associated with a record, DNS resolvers can verify that the requested information comes from its authoritative nameserver and not a man-in-the-middle attacker. With DNSSEC, those visiting your domain are guaranteed to see the content on your website and not somebody else’s web server.

Learn more about how DNSSEC works.

Why Does DNSSEC Matter?

DNS cache poisoning and answer forgery have been known vulnerabilities in the global DNS infrastructure since the beginning of DNS; the Kaminsky attack is a well-known example. Cache poisoning occurs when an attacker tricks a DNS nameserver into storing incorrect records. Until the cache entry expires, that nameserver will return the fake DNS records to everyone else who asks.

This allows an attacker to hijack traffic to your website. Instead of being directed to your website when they type your domain into a web browser, your visitors are routed to somebody else’s server without even knowing something went wrong. Attackers can use DNS hijacking for phishing schemes, serving unsolicited advertisements, monitoring web traffic, and blocking access to specific domains.

If you care about the integrity and reputation of your website, you should care about DNSSEC.

Introducing Universal DNSSEC

With Universal DNSSEC, your web property will benefit from:

  • Protection from DNS man-in-the-middle attacks
  • Protection from DNS zone enumeration
  • A user-friendly solution for meeting .bank, .trust, and .gov TLD requirements

DNSSEC prevents man-in-the-middle attacks by establishing a chain of trust all the way up to the root DNS nameservers. This chain of trust ensures that the DNS records a visitor asked for haven’t been tampered with en route.

Cloudflare’s unique DNSSEC implementation leverages elliptic curve cryptography to prevent attackers from walking your zone and discovering private DNS records.

Top-level domains (TLDs) like .bank and .trust are designed to convey trust to visitors. This is accomplished by requiring domain owners to follow various security protocols, including DNSSEC. Implementing DNSSEC on your own can be a difficult, error-prone process. Cloudflare lets you fulfill your DNSSEC requirement with only a few clicks.

DNSSEC at Scale

Cloudflare protects billions of requests a day with DNSSEC. That’s hundreds of millions of people a week protected from DNS cache poisoning and man-in-the-middle attacks.

Universal DNSSEC is built on top of the Cloudflare network, which has withstood some of the largest DDoS attacks in the world. We’ve even taken special precautions to make sure our DNSSEC implementation isn’t abused for DDoS amplification attacks. You can rest assured that your DNS records are returned to visitors quickly and efficiently, even when your website is under attack.

Cloudflare helped Montecito Bank & Trust secure their domain and fulfill the requirements of the .bank extension. Read our case study to learn more.

Cloudflare Makes DNSSEC Easy

Universal DNSSEC is now available to all websites on Cloudflare, for free. We’ll do all the heavy lifting by signing your zone and managing the keys. Protecting your domain from DNS forgeries is just a few clicks away. All you need to do is enable DNSSEC in your Cloudflare dashboard and add one DNS record to your registrar.

  1. Log in to your Cloudflare dashboard.
  2. Open the DNS app.
  3. Scroll down to the DNSSEC module.
  4. Click Enable DNSSEC.
  5. A pop-up will open with instructions for how to add the DS record to your registrar.
  6. Copy the DS record and paste it into your registrar’s dashboard.

Once your registrar publishes the DS record, your domain will be DNSSEC-enabled. You can verify your DNSSEC configuration with the third-party DNSViz tool.
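A check that the DS record pasted at the registrar in step 6 corresponds to the zone's DNSKEY, using the key tag and DS digest definitions from RFC 4034. This is an added example, not Cloudflare's code; the 64-byte key is a constructed dummy value, and the name example.com and signing algorithm 13 (ECDSA P-256) are assumptions.

```python
import base64
import hashlib

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(name):
    """Owner name in canonical DNS wire format (lowercase, length-prefixed labels)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(pubkey_b64))

def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, algorithm, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(owner, dnskey_fields, ds_fields):
    """True if the DS fields held by the registrar correspond to this DNSKEY."""
    flags, protocol, algorithm, pubkey_b64 = dnskey_fields
    tag, ds_alg, digest_type, digest = ds_fields
    if digest_type not in DIGESTS:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    expected = make_ds(owner, rdata, algorithm, digest_type)
    return expected == (tag, ds_alg, digest_type, digest.replace(" ", "").upper())

# Constructed sample: a KSK (flags 257), algorithm 13, dummy 64-byte public key.
SAMPLE_KEY = (257, 3, 13, base64.b64encode(b"\x01" * 64).decode())
SAMPLE_DS = make_ds("example.com.", dnskey_rdata(*SAMPLE_KEY), 13)

if __name__ == "__main__":
    print("DS fields:", SAMPLE_DS)
    print("match:", ds_matches("example.com.", SAMPLE_KEY, SAMPLE_DS))
    typo = SAMPLE_DS[:3] + ("0" * 64,)  # digest mangled during copy and paste
    print("mismatched digest:", ds_matches("example.com.", SAMPLE_KEY, typo))
```

A DS whose key tag or digest does not match any published DNSKEY breaks the chain of trust, and validating resolvers will then fail lookups for the domain.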

Universal DNSSEC is designed to work seamlessly with all other Cloudflare security and performance features, including Universal SSL, a global CDN, and automatic web content optimization.

Setting Up Cloudflare Is Easy

Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.

Cloudflare Pricing

Everyone’s Internet application can benefit from using Cloudflare.
Pick a plan that fits your needs.

Free: $0/mo per website
For personal websites, blogs, and anyone who wants to explore Cloudflare.

The Free Plan includes all of these features:
  • Limited DDoS protection
  • Global CDN
  • Shared SSL certificate
  • 3 page rules

Pro: $20/mo per website
For professional websites, blogs, and portfolios requiring basic security and performance.

The Pro Plan includes all of these features:
  • Basic web application firewall (WAF) with Cloudflare rulesets
  • Image optimizations with Polish™
  • Mobile optimizations with Mirage™
  • I'm Under Attack™ mode
  • 20 page rules

Business: $200/mo per website
For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized support.

The Business Plan includes all of these features:
  • Advanced DDoS protection
  • Advanced web application firewall (WAF) with 25 custom rulesets
  • Custom SSL certificate upload
  • PCI compliance thanks to TLS 1.2 only mode and WAF
  • Accelerate delivery of dynamic content with Railgun™
  • Prioritized support
  • 50 page rules

Enterprise: contact us
For companies requiring enterprise-grade security and performance, 24/7/365 emergency support, and guaranteed uptime across one or more Internet assets.

The Enterprise Plan includes all of these features:
  • 24/7/365 enterprise-grade phone and email support
  • 100% uptime guarantee with 25x reimbursement SLA
  • Advanced DDoS protection with prioritized IP ranges
  • Advanced web application firewall (WAF) with unlimited custom rulesets
  • Multiuser role-based account access
  • Multiple custom SSL certificate uploads
  • Access to raw logs
  • Dedicated solution and customer success engineers
  • Access to China CDN points of presence (Additional Cost)
  • 100 page rules