"We have been using DNSBOX for the last 4 years and it has always been reliable. We are happy with the product"
Udhaya Moorthi, Kal Cables Pvt Ltd, India
"I haven't had a single issue with DNSBOX. I especially appreciate the security features provided by the role separation of Master and Slave units."
Jojo Dela Plana, SURE South Atlantic Ltd (C&W Diego Garcia), Maldives
"The DNSBOXes are performing well and support is very reactive and helpful"
Thierry Prudat, Tineo (Ex Quickline Business AG), Switzerland
"DNSBOX’s in-built monitoring system shows physical device health and gives a clear picture of logical resources utilization."
Samson Oduor, Access Kenya, Kenya
"The management of DNS is very easy via the user friendly GUI. All you need is a basic knowledge of DNS and how it works"
Moataz Sabri, Topnet Internet Services, Saudi Arabia

Protect Against Cache Poisoning with DNSSEC

ISPs, particularly those with a large business customer-base can gain competitive advantage by addressing their customers increasing concerns with online security. They are certainly at a disadvantage by not addressing them!

DNSSEC protects against Man in the Middle and cache poisoning attacks, which can result in your customers being misdirected to malicious websites and/or disrupt their services that rely on DNS such as email and VOIP. Business customers are particularly concerned about the threat of data loss and may pay a premium for improved security.

DNSSEC-Screenshot-smDNSSEC uses strong public key cryptography to sign DNS data which can then be validated by a requesting server. The root DNS zone and a growing number of Top Level Domains now sign their DNS records using DNSSEC, which creates a ‘chain of trust’ to validate answers down to an individual record. Many ISPs and public DNS services, like Google DNS, can also now carry out this validation process and some governments have required their public sector agencies to implement DNSSEC – for example in the USA.

But… implementing and managing DNSSEC can be complicated, costly and time-consuming:

  • All your zones need to be signed for DNSSEC to be effective – a big task for large networks
  • DNSSEC keys need to be stored securely so that they cannot be changed maliciously
  • Keys also need to be periodically updated – known as ‘key rollover’.
  • Additional DNSSEC steps in DNS resolution may introduce unwanted latency

Automate DNSSEC Key Rollover

Key rollover is particularly complex and requires very careful administration. If you get key rollover wrong, keys which are no longer valid remain cached in other DNS servers around the world or are not synchronised with your own upstream servers. In such cases, clients using DNSSEC would be unable to resolve your records.

To avoid this, you need to manage at least two sets of two types of key – a Zone Signing Key (ZSK) and a Key Signing Key (KSK), one of each live and one marked as in ‘rollover state’ – for each zone. The rollover keys need to exist for 2x their Time to Live value. With lots to know and manage, manual key rollover is incredibly error-prone.

You need a solution that, like DNSBOX:

  • Automates DNSSEC key management and rollover
  • Automates zone signing for rapid implementation
  • Makes it easy to store DNSSEC keys securely
  • Uses a high performance resolver to mitigate the extra latency of DNSSEC requests

Next: Microsoft Integration >

Because DNSBOX is versatile and scalable, our customers around the world come in all shapes and sizes. ISPs, enterprises, government agencies and even internet registers simplify, control and protect their DDI services with DNSBOX.

How can we make your visit easier?


Give us a few details about your requirement and we'll make your life easier by serving the most relevant information.
I work in a...
I prefer to read...
GO