DNSSEC improves the trust and integrity of DNS. Often referred to as the phone book of the Internet, DNS translates domain names into numeric Internet addresses. However, DNS is a fundamentally insecure protocol. It does not guarantee where DNS records come from, and it accepts any address given to it, no questions asked.
Cloudflare offers easy-to-use DNSSEC, and it only takes a few minutes to set up.
DNSSEC adds a layer of security to an otherwise insecure protocol by verifying DNS records using cryptographic signatures. By checking the signature associated with a record, DNS resolvers can verify that the requested information comes from its authoritative nameserver and not a man-in-the-middle attacker. With DNSSEC, those visiting your domain are guaranteed to see the content on your website and not somebody else’s web server.
DNS cache poisoning and answer forgery have been known vulnerabilities in the global DNS infrastructure since the beginning of DNS; the well-known Kaminsky attack is one example. Cache poisoning occurs when an attacker tricks a DNS nameserver into storing incorrect records. Until the cache entry expires, that nameserver will return the fake DNS records to everyone else who asks.
This allows an attacker to hijack traffic to your website. Instead of being directed to your website when they type your domain into a web browser, your visitors are routed to somebody else’s server without even knowing something went wrong. Attackers can use DNS hijacking for phishing schemes, serving unsolicited advertisements, monitoring web traffic, and blocking access to specific domains.
If you care about the integrity and reputation of your website, you should care about DNSSEC.
With Universal DNSSEC, your web property will benefit from:
DNSSEC prevents man-in-the-middle attacks by establishing a chain of trust all the way up to the root DNS nameservers. This chain of trust ensures that the DNS records a visitor asked for haven’t been tampered with en route.
Cloudflare’s unique DNSSEC implementation leverages elliptic curve cryptography to prevent attackers from walking your zone and discovering private DNS records.
Top-level domains (TLDs) like .bank and .trust are designed to convey trust to visitors. This is accomplished by requiring domain owners to follow various security protocols, including DNSSEC. Implementing DNSSEC on your own can be a difficult, error-prone process. Cloudflare lets you fulfill your DNSSEC requirement with only a few clicks.
Cloudflare protects billions of requests a day with DNSSEC. That’s hundreds of millions of people a week protected from DNS cache poisoning and man-in-the-middle attacks.
Universal DNSSEC is built on top of the Cloudflare network, which has withstood some of the largest DDoS attacks in the world. We’ve even taken special precautions to make sure our DNSSEC implementation isn’t abused for DDoS amplification attacks. You can rest assured that your DNS records are returned to visitors quickly and efficiently, even when your website is under attack.
Cloudflare helped Montecito Bank & Trust secure their domain and fulfill the requirements of the .bank extension.
Universal DNSSEC is now available to all websites on Cloudflare, for free. We’ll do all the heavy lifting by signing your zone and managing the keys. Protecting your domain from DNS forgeries is just a few clicks away. All you need to do is enable DNSSEC in your Cloudflare dashboard and add one DNS record to your registrar.
Once your registrar publishes the DS record, your domain will be DNSSEC-enabled. You can verify your DNSSEC configuration with the third-party DNSViz tool.
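The DS record is the link in the chain of trust between the parent zone and your zone: it carries a key tag and a digest of one of your zone's DNSKEY records. The following added example (not Cloudflare's code) shows how that digest is derived per RFC 4034, so you can check that the DS your registrar published matches the DNSKEY your zone serves. The helper names are hypothetical, the key is a constructed placeholder, and algorithm 13 with a SHA-256 digest is an assumption.

```python
import base64
import hashlib
import struct

# Constructed sample, not a real key: flags 257 (zone key + SEP), protocol 3,
# algorithm 13 (ECDSA P-256 / SHA-256), 64 placeholder public-key bytes.
SAMPLE_OWNER = "example.com."
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Canonical (lowercase) wire form of a domain name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS presentation text (digest type 2 = SHA-256) for a DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest}"

def ds_matches(owner, rdata, ds_text):
    """True if the DS text published at the parent refers to this DNSKEY."""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0100:   # the DS must reference a zone key
        return False
    if int(dtype) != 2:      # only SHA-256 digests are handled here
        return False
    exp_tag, exp_alg, _, exp_digest = make_ds(owner, rdata).split()
    got = (int(tag), int(alg), digest.replace(" ", "").upper())
    return got == (int(exp_tag), int(exp_alg), exp_digest)

SAMPLE_RDATA = dnskey_rdata(257, 3, 13, SAMPLE_PUBKEY_B64)

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_RDATA)
    print("DS to publish:", ds)
    print("matches:", ds_matches(SAMPLE_OWNER, SAMPLE_RDATA, ds))
```

A mismatch between the published DS and every DNSKEY in the zone makes validating resolvers treat the zone as bogus, so this comparison is worth running before and after any key change.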
Universal DNSSEC is designed to work seamlessly with all other Cloudflare security and performance features, including Universal SSL, a global CDN, and automatic web content optimization.
Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.
Everyone’s Internet application can benefit from using Cloudflare. Pick a plan that fits your needs.
for personal websites and blogs
Our mission is to build a better Internet. We believe every website should have free access to foundational security and performance. Cloudflare's Free plan has no limit on the amount of bandwidth your visitors use or websites you add.
If you want to make your site even faster and more resilient, you can easily upgrade to one of our higher tier plans.