How does DNSSEC prevent spoofing or hijacking?
DNSSEC anti-spoofing mechanism:
Attack scenario without DNSSEC:
Attacker intercepts DNS query
Returns forged response with malicious IP
Victim connects to attacker's server
No way to detect forgery
With DNSSEC:
Forged response lacks valid signature
Resolver checks signature against published key
Invalid signature = rejected response
Attack fails
What it prevents:
Cache poisoning attacks
Man-in-the-middle DNS manipulation
Rogue DNS server responses
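Limitation: This only works if both the sender and the resolver support DNSSEC, meaning the zone being queried is signed and the resolver validates signatures.
Analogy: Counterfeit documents are detected by their missing or invalid official seals.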
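The signature check described above, as an added example (not code from this page or from any DNS implementation). It is a simplified model: the record set is serialized as text rather than DNSSEC wire format, the key is a constructed and insecure RSA demo key, and the names zone_sign and resolver_validate are hypothetical.

```python
import hashlib

# Constructed demo key: two Mersenne primes give a valid but INSECURE RSA key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public modulus, published by the zone
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held only by the zone owner
K = (N.bit_length() + 7) // 8          # modulus length in bytes
# DER prefix that tags the digest as SHA-256 in a PKCS#1 v1.5 signature
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(message: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def canonical(name: str, rtype: str, ttl: int, rdatas: list) -> bytes:
    """Simplified stand-in for the canonical record-set form that gets signed."""
    owner = name.lower().rstrip(".") + "."
    return "\n".join(f"{owner} {ttl} IN {rtype} {r}" for r in sorted(rdatas)).encode()


def zone_sign(rrset: tuple) -> int:
    """Zone owner side: sign the record set with the private key."""
    return pow(_encode(canonical(*rrset)), D, N)


def resolver_validate(rrset: tuple, signature) -> str:
    """Resolver side: accept the answer only if the signature verifies."""
    if signature is None:
        return "bogus: signed zone but no signature in response"
    if not 0 <= signature < N or pow(signature, E, N) != _encode(canonical(*rrset)):
        return "bogus: signature does not match records"
    return "secure"


# Constructed sample data (documentation names and addresses).
genuine = ("www.example.com", "A", 300, ["192.0.2.10"])
forged = ("www.example.com", "A", 300, ["203.0.113.66"])
sig = zone_sign(genuine)

if __name__ == "__main__":
    print("genuine answer:       ", resolver_validate(genuine, sig))
    print("forged, replayed sig: ", resolver_validate(forged, sig))
    print("forged, signature cut:", resolver_validate(forged, None))
```

The forged answer fails whether the attacker reuses the genuine signature or strips it, because producing a matching signature requires the zone's private key.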