Feature Briefs

Support for DNSSEC in Umbrella

Issue link: https://learn-umbrella.cisco.com/i/1202769


Feature Brief: Cisco Umbrella

Support for DNSSEC in Cisco Umbrella

What is DNSSEC?

DNS Security Extensions, better known as DNSSEC, is "a technology that was developed to, among other things, protect against [cache poisoning] attacks by digitally 'signing' data so you can be assured [the DNS answer] is valid." [1] DNSSEC uses cryptographic signatures similar to using GPG to sign an email; it proves both the validity of the answer and the identity of the signer. Special records are published in the DNS, which allow recursive resolvers or clients to validate signatures. There is no central certificate authority — instead, parent zones provide certificate hash information in the delegation, which allows for proof of validity.

How Umbrella will support DNSSEC

Phase 1 - A security-aware resolver

Umbrella's first phase of support for DNSSEC will focus on performing validation on queries sent from our resolvers to upstream authorities, and thus performing the role of a security-aware recursive resolver. In order to mitigate issues with authoritative DNSSEC implementations, Cisco Umbrella will also implement negative trust anchors [2], allowing us to override broken DNSSEC validations.

Additionally, DNS clients will be able to make a DNS request specifically disabling DNSSEC validation as defined in RFC by setting the 'CD' (Checking Disabled) bit. Results from requests that fail validation will be cached separately and never given to a user who has not specifically disabled DNSSEC validation.

Umbrella will also support the 'DO' bit in queries we receive. This will return the DNSSEC signing records in order to allow clients to investigate issues with DNSSEC validation.

Phase 2 - Reporting and logging

In a subsequent release, Umbrella plans to add additional visibility to the Dashboard and logging. This would include logging whether a query was validated using DNSSEC, reasons for validation failures, and information on when a Negative Trust Anchor (NTA) was used. Additionally, we plan on implementing support for Extended DNS Errors in order to provide information on the reasons for a validation failure in the DNS response itself.

Support for client-side validation

Performing DNSSEC validation requires that the validating resolver maintain knowledge of the signatures of all parent domains for a given query. For this reason, clients of a recursive DNS resolver typically do not perform validation themselves, but rather rely on the recursive resolver to perform validation on their behalf. While we will support use of the 'DO' bit in queries, Umbrella does not recommend that local DNS servers forwarding to our resolvers enable DNSSEC validation themselves.

Validation of traffic between clients and Cisco Umbrella

For customers looking to verify that their queries have been served by Umbrella and have not been intercepted, we recommend the use of DNSCrypt to provide a cryptographically secure method of communication and proof of identity. Both the Umbrella Roaming Client and the Umbrella Virtual Appliance use DNSCrypt in their default configurations.

References

1. https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en
2. https://tools.ietf.org/html/rfc7646 - Definition and Use of DNSSEC Negative Trust Anchors

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
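The brief describes three mechanisms at the wire level: the 'CD' header bit a client sets to disable validation, the 'DO' bit (carried in an EDNS0 OPT record) that asks for DNSSEC records in the reply, and negative trust anchors that let the resolver override a broken authoritative zone. The following Python is an added example written for this page, not Cisco Umbrella's code; it builds queries with those bits using only the standard library, reads the AD/CD flags and RCODE back out of a message header, and models the Phase 1 serving policy as a small function (a 'bogus' verdict under an NTA is treated as 'insecure', and bogus data is kept in its own cache bucket that only CD clients ever receive). The verdict strings, the cache bucket names and the simplified single-question message layout are assumptions of this example.

```python
"""DNSSEC flag handling and a model of a CD/DO/NTA-aware resolver policy.
Constructed example; not Cisco Umbrella's implementation."""
import struct

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035)
FLAG_RD = 0x0100
FLAG_AD = 0x0020        # Authentic Data: the resolver validated this answer
FLAG_CD = 0x0010        # Checking Disabled: client asks the resolver not to validate
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
OPT_TYPE = 41
EDNS_DO = 0x00008000    # DO bit: top bit of the 16-bit flags inside the OPT RR TTL field


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS label format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                cd: bool = False, do: bool = False) -> bytes:
    """Build a UDP DNS query; cd sets the CD header bit, do appends an OPT RR with DO set."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # qclass IN
    opt = b""
    if do:
        # OPT RR: root name, type 41, UDP payload size 4096, ext-rcode/version/flags, rdlen 0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Return the header fields a client inspects when checking a DNSSEC-related reply."""
    txid, flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "rcode": flags & RCODE_MASK, "arcount": ar}


def query_has_do(msg: bytes) -> bool:
    """True if the message ends in an OPT RR with DO set (assumes build_query's layout,
    where the OPT record is the last 11 bytes of the message)."""
    if parse_header(msg)["arcount"] == 0:
        return False
    rtype, _udp_size, ttl, _rdlen = struct.unpack("!HHIH", msg[-10:])
    return rtype == OPT_TYPE and bool(ttl & EDNS_DO)


def under_nta(name: str, nta_zones) -> bool:
    """RFC 7646-style suffix match: an NTA for example.com covers www.example.com."""
    n = name.rstrip(".").lower()
    zones = (z.rstrip(".").lower() for z in nta_zones)
    return any(n == z or n.endswith("." + z) for z in zones)


def resolver_reply(name: str, upstream_status: str, client_cd: bool,
                   nta_zones=frozenset()) -> tuple:
    """Model the Phase 1 policy. Returns (rcode, ad_bit, cache_bucket).

    upstream_status is the validator's verdict (assumed vocabulary): 'secure',
    'insecure' (unsigned zone, nothing to validate) or 'bogus' (signatures
    present but validation failed)."""
    status = upstream_status
    if status == "bogus" and under_nta(name, nta_zones):
        status = "insecure"          # NTA overrides a broken authoritative DNSSEC setup
    if status == "secure":
        return (RCODE_NOERROR, True, "normal")
    if status == "insecure":
        return (RCODE_NOERROR, False, "normal")
    # bogus: stored apart from validated data; only clients that set CD receive it
    if client_cd:
        return (RCODE_NOERROR, False, "bogus")
    return (RCODE_SERVFAIL, False, "bogus")


if __name__ == "__main__":
    q = build_query("example.com", cd=True, do=True)
    print(parse_header(q), "DO set:", query_has_do(q))
    print(resolver_reply("www.example.com", "bogus", client_cd=False))
    print(resolver_reply("www.example.com", "bogus", client_cd=False, nta_zones={"example.com"}))
```

The policy function captures the three outcomes the brief describes for a validation failure: SERVFAIL for an ordinary client, the cached bogus answer (without AD) for a client that set CD, and a normal unvalidated answer when an operator has placed a negative trust anchor on the affected zone.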
