Universal DNSSEC

Secure Your Domain Against DNS Vulnerabilities, For Free.

DNSSEC improves the trust and integrity of DNS. Often referred to as the phone book of the Internet, DNS translates domain names into numeric Internet addresses. However, DNS is a fundamentally insecure protocol. It does not guarantee where DNS records come from, and it accepts any address given to it, no questions asked.

Cloudflare offers easy-to-use DNSSEC, and it only takes a few minutes to set up.

What Is DNSSEC?

DNSSEC adds a layer of security to an otherwise insecure protocol by verifying DNS records using cryptographic signatures. By checking the signature associated with a record, DNS resolvers can verify that the requested information comes from its authoritative nameserver and not a man-in-the-middle attacker. With DNSSEC, those visiting your domain are guaranteed to see the content on your website and not somebody else’s web server.

Learn more about how DNSSEC works.

Why Does DNSSEC Matter?

DNS cache poisoning and answer forgery has been a known vulnerability in the global DNS infrastructure since the beginning of DNS, for example the well-known Kaminsky attack. Cache poisoning occurs when an attacker tricks a DNS nameserver into storing incorrect records. Until the cache entry expires, that nameserver will return the fake DNS records to everyone else that asks.

This allows an attacker to hijack traffic to your website. Instead of being directed to your website when they type your domain into a web browser, your visitors are routed to somebody else’s server without even knowing something went wrong. Attackers can use DNS hijacking for phishing schemes, serving unsolicited advertisements, monitoring web traffic, and blocking access to specific domains.

If you care about the integrity and reputation of your website, you should care about DNSSEC.

Introducing Universal DNSSEC

With Universal DNSSEC, your web property will benefit from:

Protection from DNS man-in-the-middle attacks
Protection from DNS zone enumeration
A user-friendly solution for meeting .bank, .trust, and .gov TLD requirements

DNSSEC prevents man-in-the-middle attacks by establishing a chain of trust all the way up to the root DNS nameservers. This chain of trust ensures that the DNS records a visitor asked for haven’t been tampered with en-route.

Cloudflare’s unique DNSSEC implementation leverages elliptic curve cryptography to prevent attackers from walking your zone and discovering private DNS records.

Top-level domains (TLDs) like .bank and .trust are designed to convey trust to visitors. This is accomplished by requiring domain owners to follow various security protocols, including DNSSEC. Implementing DNSSEC on your own can be a difficult, error-prone process. Cloudflare lets you fulfill your DNSSEC requirement with only a few clicks.

DNSSEC at Scale

Cloudflare protects billions of requests a day with DNSSEC. That’s hundreds of millions of people a week protected from DNS cache poisoning and man-in-the-middle attacks.

Universal DNSSEC is built on top of the Cloudflare network, which has withstood some of the largest DDoS attacks in the world. We’ve even taken special precautions to make sure our DNSSEC implementation isn’t abused for DDoS amplification attacks. You can rest assured that your DNS records are returned to visitors quickly and efficiently, even when your website is under attack.

Cloudflare helped Montecito Bank & Trust secure their domain and fulfill the requirements of the .bank extension. Read our case study to learn more

Cloudflare Makes DNSSEC Easy

Universal DNSSEC is now available to all websites on Cloudflare, for free. We’ll do all the heavy lifting by signing your zone and managing the keys. Protecting your domain from DNS forgeries is just a few clicks away. All you need to do is enable DNSSEC in your Cloudflare dashboard and add one DNS record to your registrar.

Log in to your Cloudflare dashboard.
Open the DNS app.
Scroll down to the DNSSEC module.
Click Enable DNSSEC.
A pop-up will open with instructions for how to add the DS record to your registrar.
Copy the DS record and paste it into your registrar’s dashboard.

Once your registrar publishes the DS record, your domain will be DNSSEC-enabled. You can verify your DNSSEC configuration with the third-party DNSViz tool.

Universal DNSSEC is designed to work seamlessly with all other Cloudflare security and performance features, including Universal SSL, a global CDN, and automatic web content optimization.