Cristhian Becerra
Secure Your Domain with DNSSEC in Amazon Route 53: A Step-by-Step Guide

TL;DR: This article will guide you through implementing DNSSEC for your domains in Amazon Route 53. I’ll show step by step how to enable DNSSEC in your hosted zone in Route 53 and how to establish the chain of trust between the Domain Registrar (Namecheap) and the Authoritative DNS Providers (Cloudflare and Amazon Route 53), all aligned with the Security pillar of the AWS Well-Architected Framework. 🔐

Introduction

As technology advances, the number of threats and malicious actors keeps growing, which makes cybersecurity an ever-growing priority.

The Domain Name System (DNS) is a fundamental part of the web’s infrastructure; however, its original design lacks robust security mechanisms. In other words, DNS by itself is not secure — it’s vulnerable to attacks such as DNS Spoofing or DNS Cache Poisoning, in which malicious actors poison the cache of DNS servers to manipulate records and name resolution to their advantage, redirecting users to malicious websites. 😯

This is where DNSSEC comes in — an extension of the DNS protocol that protects the integrity and authenticity of the information transmitted during a DNS query, thereby preventing the aforementioned attacks. And you know what’s best? It’s actually very easy to implement! 🤩

In this article, we’ll explain what DNSSEC is, how it works, what its benefits are, and how to implement it to protect your domains in Amazon Route 53.

What is DNSSEC

DNSSEC (Domain Name System Security Extensions) is a set of security extensions for the DNS protocol that allows verification that DNS responses come from an authenticated source and have not been altered during transmission. Its main goal is to prevent threats such as DNS Spoofing, DNS Cache Poisoning, and man-in-the-middle attacks, which can compromise user security by allowing attackers to intercept or modify data in transit to manipulate the information received by users and redirect them to fake websites. 🫤

When DNSSEC is enabled, each response to a DNS query includes a digital signature based on public key cryptography, and this signature can be verified by the DNS resolver to confirm the authenticity and integrity of the returned information. 😌

In short, DNSSEC helps ensure that users reach the legitimate website they are looking for, not a fraudulent one. While DNSSEC does not protect the privacy of DNS queries through encryption — that function belongs to transports such as DNS over TLS (DoT) or DNS over HTTPS (DoH), which wrap DNS in TLS — it does prevent malicious actors from injecting tampered responses during the name resolution process.

So far, everything sounds great — but you might be wondering: how does DNSSEC actually work behind the scenes? 🤔

[Image: What is DNSSEC]

How DNSSEC Works

DNSSEC adds an additional layer of security through cryptographic validation to the DNS name resolution process. The operation of DNSSEC is based on several components that work together to establish a chain of trust, including:

  • DNSKEY Records: store the public keys used to verify the digital signatures of DNS records. Within these records, there are two types of keys:
    • ZSK (Zone Signing Key): used to sign the records within the DNS zone (e.g., A, MX, TXT, etc.).
    • KSK (Key Signing Key): used exclusively to sign the DNSKEY record set (and thus the ZSK); its public key is referenced, by key tag and digest, in the DS record of the parent zone.
  • RRSIG Records: contain the digital signature for each set of DNS records.
  • DS Record: holds a digest of the domain's KSK public key and is published in the parent zone, thus linking the child zone to its parent and establishing the chain of trust.

During the resolution of a domain name, when a user tries to access a website, the recursive resolver queries the DNS records and verifies the digital signature using the corresponding public key. If the signature is valid, the response is considered trustworthy and accepted. Otherwise, it is assumed that the information may have been tampered with and is therefore considered unsafe, blocking access. ⛔
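To make the chain of trust concrete, here is an added example (my own code, not from the article or from AWS) showing how the DS record in the parent zone is derived from the child zone's KSK: the key tag is computed over the DNSKEY RDATA (RFC 4034 Appendix B) and the digest is SHA-256 over the wire-format owner name followed by that RDATA (RFC 4034 section 5.1.4). The owner name example.com, the 64 key bytes and the resulting values are constructed placeholders, not a real key; algorithm 13 (ECDSAP256SHA256) and digest type 2 (SHA-256) are the values Route 53 uses for its KSKs. The last function is the check a validating resolver performs at every delegation point: does the DS it received from the parent match the DNSKEY it received from the child?

```python
import base64
import hashlib

# Constructed sample KSK for example.com. NOT a real key: the public key bytes
# are just 0..63 so the arithmetic below can be followed by hand.
OWNER = "example.com."
FLAGS = 257                     # 256 = zone key, +1 = Secure Entry Point (KSK)
PROTOCOL = 3                    # always 3 for DNSSEC
ALGORITHM = 13                  # ECDSAP256SHA256, what Route 53 uses
PUBLIC_KEY = bytes(range(64))   # constructed placeholder, not a P-256 point
DIGEST_TYPE = 2                 # SHA-256


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format RDATA of a DNSKEY record (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B): a 16-bit checksum
    that lets a DS or RRSIG say which DNSKEY it refers to."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Owner name in canonical wire format: lower-case, length-prefixed labels,
    terminated by a zero-length root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name | DNSKEY RDATA) (RFC 4034 section 5.1.4)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(wire_name(owner) + rdata).hexdigest().upper()


def dnskey_record(flags, protocol, algorithm, public_key):
    """Presentation format of the DNSKEY as the child zone publishes it."""
    return f"{flags} {protocol} {algorithm} {base64.b64encode(public_key).decode()}"


def ds_record(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """Presentation format of the DS record the parent zone must publish."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return f"{key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def ds_matches_dnskey(owner, ds_text, dnskey_text):
    """The resolver's check at a delegation: recompute the DS from the child's
    DNSKEY and compare key tag, algorithm and digest with the parent's DS."""
    tag, alg, dtype, digest = ds_text.split()
    flags, proto, kalg, key_b64 = dnskey_text.split()
    rdata = dnskey_rdata(int(flags), int(proto), int(kalg), base64.b64decode(key_b64))
    return (int(tag) == key_tag(rdata)
            and int(alg) == int(kalg)
            and ds_digest(owner, rdata, int(dtype)).lower() == digest.lower())


if __name__ == "__main__":
    dnskey = dnskey_record(FLAGS, PROTOCOL, ALGORITHM, PUBLIC_KEY)
    ds = ds_record(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBLIC_KEY, DIGEST_TYPE)
    print("child DNSKEY :", dnskey)
    print("parent DS    :", ds)
    print("chain intact :", ds_matches_dnskey(OWNER, ds, dnskey))
    # Flip one key byte: the digest (and here also the key tag) no longer match,
    # which is exactly how a validating resolver detects a swapped key.
    tampered = dnskey_record(FLAGS, PROTOCOL, ALGORITHM, b"\xff" + PUBLIC_KEY[1:])
    print("tampered key :", ds_matches_dnskey(OWNER, ds, tampered))
```

Note that the DS holds only a digest of the KSK, never the key itself, and that the key tag is a checksum rather than a unique identifier: two keys can share a tag, so a resolver always confirms the digest as well.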

[Image: How DNSSEC Works]

Why Implement DNSSEC

As I mentioned earlier, DNS by itself is not secure, and by default, we are exposed to attacks such as DNS Spoofing or DNS Cache Poisoning. However, these risks can be easily mitigated by configuring DNSSEC on our domains.

Implementing DNSSEC offers several important benefits:

  • Protection against tampering: prevents attackers from modifying or forging DNS responses during transmission.
  • Higher level of trust: by verifying the authenticity of information, users can be confident they are accessing the correct site.
  • Defense against cache poisoning and malicious redirections.
  • Improved reputation for your brand or project: demonstrating a commitment to security is a key factor in improving user perception and experience.

In an increasingly technology-dependent environment, protecting the integrity of DNS communications is a priority for everyone. That’s why it’s important to understand how to implement DNSSEC. Moreover, once I show you how simple it is to do, you’ll probably make its implementation a standard practice across all your domains. 🙌🏻

What You Are Going to Implement

This guide assumes that you already have a Hosted Zone in Route 53 correctly configured for your domain. What we will do is implement DNSSEC on this Hosted Zone and throughout the entire chain of trust.

In my case, I have the following components:

  • Domain Name Registrar: Namecheap
  • Authoritative DNS Provider: Cloudflare
  • Managed DNS Service: Amazon Route 53
  • Delegated DNS Zone: Amazon Route 53 Hosted Zone

Within the Amazon Route 53 console, we will enable DNSSEC Signing for the Hosted Zone and establish a chain of trust between Amazon Route 53 and Cloudflare, and then between Cloudflare and Namecheap.

It is worth mentioning that, depending on your particular use case, you may not be using Cloudflare as the Authoritative DNS Provider as in my case, and you might be using Amazon Route 53 directly. You could even use Amazon Route 53 as the Domain Name Registrar as well, which would imply a much shorter and simpler chain of trust when implementing DNSSEC, but this guide assumes that your Domain Name Registrar is not Route 53.

[Image: What You Are Going to Implement]

Prerequisites

For this DNSSEC implementation, the following prerequisites are required:

  • Access to an AWS account.
  • Administrative access to the Domain Name Registrar (e.g., Namecheap) and ownership of the domain.
  • Administrative access to the Authoritative DNS Provider (Cloudflare or Amazon Route 53).
  • Administrative access to any secondary or delegated Authoritative DNS Provider within the chain of trust.
  • A properly configured and/or delegated Hosted Zone in Amazon Route 53.
  • IAM permissions in the AWS account to use Amazon Route 53 and AWS Key Management Service (KMS).

Implementation Steps

The following sections provide a step-by-step guide for DNSSEC configuration, showing how each component—Amazon Route 53, Cloudflare, and Namecheap—integrates to establish your domain’s chain of trust. First, I will implement trust between Amazon Route 53 and Cloudflare, and then between Cloudflare and Namecheap.

Configure DNSSEC in Amazon Route 53

1. Log in to the Amazon Route 53 console.

2. In the list of Hosted Zones, select the hosted zone where you want to implement DNSSEC.

3. Within the hosted zone, select the DNSSEC signing tab.

4. In the DNSSEC signing section, click the Enable DNSSEC Signing button.

[Screenshot: Enable DNSSEC Signing]

5. Specify a name for the Key-signing key (KSK), for example: my_domain_ksk.

6. Select an existing Customer managed key (CMK) or create a new one.

  • In this example, a new CMK will be created. Enter the desired name for the key, for example: dnssec_cmk.

7. Click Create KSK and enable signing.

You will see the message "Enabling DNSSEC signing for the hosted zone" — this process may take a few minutes.

[Screenshot: Create KSK and enable signing]

Once the message "DNSSEC signing was successfully enabled for the hosted zone" appears, you can verify in the DNSSEC Signing tab that DNSSEC is in Signing status, and that the new Key-signing key (KSK) is active.

8. In the DNSSEC Signing section, click the View information to create DS Record button.

[Screenshot: View information to create DS Record]

9. In the Establish a chain of trust section, locate the Another domain registrar area (if applicable) and review the values for Domain name, Key tag, Signing algorithm type, Digest algorithm type, Digest, and DS record.

[Screenshot: Establish a chain of trust]

Configure DNSSEC in Cloudflare

1. In Cloudflare, open the Records list for the corresponding domain and select Add record.

[Screenshot: Add record]

2. Select the record type DS.

  • In the Name field, enter the necessary subdomain to complete the Domain name, or use @ for the root domain.
  • Fill in the corresponding values for Key tag, Signing algorithm type, Digest algorithm type, and Digest, using the information obtained from Route 53.

3. Save the record.

[Screenshot: Edit DS Record]

The content of the DS record must be identical to the DS Record value generated in Route 53.

[Screenshot: Review DS Record]

This completes the trust between Amazon Route 53 and Cloudflare.
Next, we will establish trust between Cloudflare and Namecheap.

4. In Cloudflare, open the DNS Settings for the corresponding domain and select Enable DNSSEC.

[Screenshot: Enable DNSSEC]

5. In the How to enable DNSSEC tab, review the values for DS record, Digest, Digest type, Algorithm, and Key tag.

[Screenshot: How to enable DNSSEC]

6. Click Confirm to enable DNSSEC.

Configure DNSSEC in Namecheap

1. In Namecheap, select the corresponding domain and go to the Advanced DNS tab.

[Screenshot: Advanced DNS]

2. In the DNSSEC section, enable the option next to the Status field to activate DNSSEC.

3. Complete the DS record with the values for Key tag, Algorithm, Digest Type, and Digest obtained from Cloudflare, and save the changes.

[Screenshot: Edit DS Record]

The content of the DS record must match the DS Record value from Cloudflare.

[Screenshot: Review DS Record]

4. In Cloudflare, when reviewing the DNS Settings of the domain again, you should see the message: "Success! Your domain is protected with DNSSEC".

[Screenshot: DNS Settings]

This completes the trust between Cloudflare and Namecheap. At this point, the entire chain of trust required to configure DNSSEC on your Amazon Route 53 Hosted Zone has been successfully established.

Validate the DNSSEC Implementation

As a final step, it is important to verify that the DNSSEC configuration is fully functional. For this, you can use online tools such as:

These tools allow you to enter your domain and check if DNSSEC is properly enabled and configured throughout the chain of trust.

Below, I am sharing a DNSSEC Analyzer report with a successful result, demonstrating a correct DNSSEC configuration from Namecheap, through Cloudflare, to Amazon Route 53.

[Screenshot: DNSSEC Analyzer]


Implementation Cost

DNSSEC signing in Amazon Route 53 has no cost of its own, and since you already own the domain, the only associated expense is the Customer Managed Key (CMK) used to generate the Key Signing Key (KSK). 💲

So you will only be charged for AWS KMS, according to how the keys required for DNSSEC signing of your hosted zones are used.

It is important to mention that a CMK can be reused for signing multiple domains, which helps optimize costs.

For more information and specific pricing details, check the AWS Key Management Service pricing page, available in the official resources section at the end.

Lessons Learned

Although the solution is straightforward to implement and low-cost on the AWS bill, you should consider the possible operational complexity in environments where a domain uses multiple DNS providers, as keeping keys and DS records synchronized can become a complex process and, therefore, prone to errors. 🧐

In other words, DNSSEC carries an operational cost that is not necessarily inexpensive, as it involves ongoing maintenance and responsibility, key rotation, periodic verification, and the possible update of automations or CI/CD scripts related to DNS infrastructure.

On the other hand, it is important to remember that DNSSEC guarantees authenticity and integrity, but does not protect against all types of attacks. Threats such as DNS data exfiltration, or the privacy of users' queries, are outside its scope; privacy in particular requires protocols like DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT).

Finally, in my experience, a common occurrence is that even after correctly configuring the entire chain of trust to implement DNSSEC, the DNSSEC Analyzer may still show errors. This can happen because some records have not yet fully propagated, a process that can take several hours.
To verify, access dns.google and check your domain’s DS record. Review the response data and confirm it matches the Route 53 DS record; if it does not match, propagation is still incomplete. ⌛
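The propagation check just described, and the "DS record must match" checks in the Cloudflare and Namecheap steps, all come down to comparing DS records that different tools print differently: the Route 53 console shows the digest in upper case, resolvers usually return it in lower case, and some interfaces split the digest into blocks. The following is an added example of mine, not code from the article, that parses DS records in presentation format and compares the value Route 53 gave you with what a validating resolver returns. The resolver response is a constructed sample in the shape of the dns.google JSON API (https://dns.google/resolve?name=<domain>&type=DS; type 43 is DS), and the key tag and digest are placeholders, not real values.

```python
import json

DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}   # SHA-1, SHA-256, SHA-384 digest sizes in hex

# Constructed sample, not a real key: the DS record as shown by the Route 53
# console under "View information to create DS record" (upper-case digest).
ROUTE53_DS = "59409 13 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"


def parse_ds(text):
    """Parse a presentation-format DS record: "keytag algorithm digesttype digest".
    Case and whitespace inside the digest are normalised so that values copied
    from different consoles or resolvers compare equal."""
    parts = text.split()
    if len(parts) < 4:
        raise ValueError(f"not a DS record: {text!r}")
    tag, alg, dtype = (int(p) for p in parts[:3])
    digest = "".join(parts[3:]).lower()          # digest may be printed in blocks
    if dtype not in DIGEST_HEX_LEN or len(digest) != DIGEST_HEX_LEN[dtype]:
        raise ValueError(f"digest length {len(digest)} does not fit digest type {dtype}")
    int(digest, 16)                              # raises ValueError if not hex
    return {"key_tag": tag, "algorithm": alg, "digest_type": dtype, "digest": digest}


def sample_resolver_response(status=0, ad=True, ds_records=()):
    """Constructed response in the shape of the dns.google JSON API for a DS
    query. In practice you fetch this over HTTPS; it is built locally here so
    the example runs offline."""
    return json.dumps({
        "Status": status,                        # 0 = NOERROR, 2 = SERVFAIL
        "AD": ad,                                # Authenticated Data: resolver validated
        "Question": [{"name": "example.com.", "type": 43}],
        "Answer": [{"name": "example.com.", "type": 43, "TTL": 3600, "data": d}
                   for d in ds_records],
    })


def check_ds_propagation(expected_ds, resolver_json):
    """Compare the DS Route 53 generated with what a validating resolver sees in
    the parent zone. Returns (status, detail); any published DS that equals the
    expected one counts as success, since several may coexist during rotation."""
    resp = json.loads(resolver_json)
    if resp.get("Status") == 2:
        return "servfail", "resolver failed validation: DS and DNSKEY probably disagree"
    answers = [a for a in resp.get("Answer", []) if a.get("type") == 43]
    if not answers:
        return "no-ds", "parent zone has not published a DS record yet (still propagating?)"
    want = parse_ds(expected_ds)
    mismatches = []
    for answer in answers:
        got = parse_ds(answer["data"])
        if got == want:
            if not resp.get("AD"):
                return "unvalidated", "DS is published but the resolver did not set AD"
            return "ok", f"DS with key tag {want['key_tag']} is published and validated"
        mismatches.append([k for k in want if got[k] != want[k]])
    return "mismatch", f"published DS differs from Route 53's in fields {mismatches}"


if __name__ == "__main__":
    # Once the registrar's DS has propagated the resolver returns it, typically
    # with a lower-case digest, which is why the comparison is case-insensitive.
    published = sample_resolver_response(ds_records=[ROUTE53_DS.lower()])
    print(check_ds_propagation(ROUTE53_DS, published))
    print(check_ds_propagation(ROUTE53_DS, sample_resolver_response(ds_records=[])))
    print(check_ds_propagation(ROUTE53_DS, sample_resolver_response(status=2)))
```

Two outcomes deserve attention beyond a plain "not propagated yet". A DS that is published but differs in key tag or digest usually means a typo while copying it into the registrar, and a domain that answered fine before and now returns SERVFAIL from a validating resolver is the classic sign of a DS that points at a key the zone no longer serves; in both cases the fix is to republish the DS from the current Route 53 value rather than to wait for propagation.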

[Screenshot: Google Public DNS]

Conclusion

In a simple and low-cost manner—although still considering potential operational costs—the implementation of DNSSEC strengthens web infrastructure by providing a more secure and reliable domain name system, significantly reducing the risk of unauthorized attacks or modifications to DNS query responses during transmission. 🥳

What’s Next

In the next section, you’ll find official resources and documentation for the services mentioned, along with some points of interest related to the topics covered — in case you want to keep learning or dive deeper to evaluate whether they truly apply to your use case.

I also invite you to try this implementation in your own AWS account. Remember that if you do not yet have your own domain, you can purchase one from Namecheap, since buying a Domain Name there is, well… cheap haha. Share in the comments what you thought of this guide or if you discovered something interesting during your implementation. ✍🏻

Official Resources
