Do I want to use ESC and DNSSEC on DNS?

MacBH928

macrumors 601
Original poster
May 17, 2008
4,078
1,485
I am not sure what those are but I noticed some DNS providers give the option to use them. I think ESC gives you the closest server to your location and DNSSEC validates the domain name is correct and not a scam. The question is, is it better to use them or not?
 

556fmjoe

macrumors 68000
Apr 19, 2014
1,917
1,614
I think you mean ECS, which is a method for sending partial IP address information in your DNS request to assist CDNs in directing you to the closest caching server. I don't have much of an opinion on that. Try it and see if it makes a difference. I doubt it will be very noticeable; CDNs are already pretty good at directing you to a nearby caching server.

To understand DNSSEC, it is necessary to look at the history of DNS. DNS was drafted in 1983. Nobody thought at the time that the internet would eventually be a hostile place, and so DNS was designed with basically no security whatsoever. DNS queries lack confidentiality; anyone on the network can see exactly what domain your computer is requesting. They also lack integrity; a 3rd party on the network can silently modify the DNS record you receive to direct you to a different IP.

DNSSEC addresses the integrity of the DNS response, while doing nothing to fix the lack of confidentiality. Put very simply, the DNS record is cryptographically signed, and the digital signature along with the public key is stored in the DNS record. This means that if an attacker sitting in between you and the DNS server modifies the server's response, the signature check will fail and you will know about it.

In practice, DNSSEC buys you little. Of the top 1 million Alexa ranked websites, only about 15,000 offer DNSSEC signed records, so most of the time, you probably won't even be using it. Of those 15,000 or so, many are signed using outdated cryptography, which may be vulnerable to forgery by well funded attackers. As stated earlier, it also does not offer any confidentiality, so attackers can still see which sites you are visiting by watching your DNS queries.

There are newer and better approaches to DNS's gaping security holes. There's DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), DNSCurve, and DNSCrypt, all of which I would choose over DNSSEC if greater security is desired (and it should be; DNS is a major attack vector). If none of those are options, then sure, enable DNSSEC. It won't hurt and it will offer better security than nothing, but it sounds better than it is.
 

MacBH928

macrumors 601
Original poster
May 17, 2008
4,078
1,485
Thanks. Indeed I meant ECS. Is DoT or DoH better than the other?
 

chrisgeleven

macrumors 6502
Apr 28, 2002
466
41
Manchester, NH
ECS is really only useful for ISP or Public DNS resolvers that have a lot of clients from a wide variety of IP prefixes using them. That way CDNs can see the originating IP prefix (such as a /24) for a query and return an appropriate/optimized DNS response.

ECS is not necessary if you're operating your own DNS resolver on your network. Authoritative DNS servers will see the DNS query originating from your IP address and just use that for things like CDN geolocation. ECS adds nothing in this case. Likewise, if you are using an upstream resolver such as Google Public DNS, there is no need to add ECS as they will do it for you.
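As an added example (not code from any poster in this thread), the following Python builds and decodes the two extensions discussed above: the ECS option 556fmjoe and chrisgeleven describe (only the client's prefix, e.g. a /24, is sent, with the host bits zeroed) and the DNSSEC-related bits of a query/response (the DO flag a client sets to ask for signatures, and the AD flag a validating resolver sets when it claims the answer checked out). Every message is constructed inline in wire format; the "resolver" response is simulated, and names such as example.com and the 203.0.113.0/24 and 192.0.2.0/24 addresses are documentation ranges chosen for the example. No network access is needed.

```python
"""
Added example, not from the thread: the two DNS extensions discussed above,
ECS (EDNS Client Subnet, RFC 7871) and the DNSSEC-related DO/AD bits, built and
decoded as wire-format bytes. All messages are constructed here; no network.
"""
import ipaddress
import struct

OPT_TYPE = 41           # OPT pseudo-RR carrying EDNS0 options (RFC 6891)
ECS_CODE = 8            # EDNS Client Subnet option code (RFC 7871)
DO_FLAG = 0x8000        # "DNSSEC OK": low 16 bits of the OPT RR's TTL field
AD_FLAG = 0x0020        # Authenticated Data bit in the DNS header flags
RD_FLAG = 0x0100        # Recursion Desired
QR_RA = 0x8180          # response bit + RD + RA, a typical recursive answer header


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off` (labels or a pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length


def ecs_option(client_ip, source_prefix):
    """ECS option body. Only ceil(prefix/8) address octets are sent and bits
    past the prefix are zeroed, so a /24 reveals the client's network, not host."""
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix}", strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[: (source_prefix + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix, 0) + addr   # scope is 0 in a query
    return struct.pack("!HH", ECS_CODE, len(body)) + body


def opt_rr(rdata, dnssec_ok):
    """OPT RR: root name, type 41, UDP size 4096, ext-rcode/version 0, DO flag."""
    ttl = DO_FLAG if dnssec_ok else 0
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, len(rdata)) + rdata


def build_query(qname, client_ip=None, prefix=24, dnssec_ok=True, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # type A, class IN
    rdata = ecs_option(client_ip, prefix) if client_ip else b""
    return header + question + opt_rr(rdata, dnssec_ok)


def build_response(query, answer_ip, validated):
    """Constructed (simulated resolver) reply: copies the question, adds one A
    record, and sets AD only when the resolver claims it validated DNSSEC."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:skip_name(query, 12) + 4]
    flags = QR_RA | (AD_FLAG if validated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.ip_address(answer_ip).packed
    return header + question + answer + opt_rr(b"", True)


def parse_message(msg):
    """Return the header's AD bit, the OPT RR's DO bit, and any ECS option."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns):                       # skip answer/authority RRs
        off = skip_name(msg, off)
        rdlen = struct.unpack_from("!HHIH", msg, off)[3]
        off += 10 + rdlen
    result = {"ad": bool(flags & AD_FLAG), "do": False, "ecs": None}
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != OPT_TYPE:
            continue
        result["do"] = bool(ttl & DO_FLAG)
        i = 0
        while i + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, i)
            body, i = rdata[i + 4:i + 4 + olen], i + 4 + olen
            if code == ECS_CODE:
                family, src, scope = struct.unpack("!HBB", body[:4])
                addr = body[4:].ljust(4 if family == 1 else 16, b"\x00")
                result["ecs"] = (str(ipaddress.ip_address(addr)), src, scope)
    return result


if __name__ == "__main__":
    q = build_query("example.com", client_ip="203.0.113.77", prefix=24)
    print(parse_message(q))        # what a resolver or CDN learns from ECS: the /24, not the host
    r = build_response(q, "192.0.2.10", validated=True)
    print(parse_message(r))        # ad=True only because the simulated resolver set it
```

Two things worth noticing when running it. First, the ECS payload for 203.0.113.77/24 is the three octets 203.0.113, so the option does leak the client's network to every authoritative server the resolver talks to, which is why it is a privacy trade-off rather than a free optimisation. Second, the AD flag is just a bit in a plaintext UDP header set by the resolver: a stub client learns only that the resolver says it validated, and on an unauthenticated path anyone who can rewrite the answer can also set or clear that bit, which is the gap that DoT/DoH (or a local validating resolver) closes.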
 