Enable DNSSEC for Google Cloud DNS Zones

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudDNS-001

Ensure that DNSSEC security feature is enabled for all your Google Cloud DNS managed zones in order to protect your domains against spoofing and cache poisoning attacks. By default, DNSSEC is not enabled for Google Cloud public DNS managed zones.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Domain Name System Security Extensions (DNSSEC) is a set of protocols that adds a layer of security to Domain Name System (DNS) lookup and exchange by enabling DNS responses to be validated. Having a trustworthy DNS that translates a domain name into its associated IP address is extremely important for web security. Attackers can hijack the domain/IP lookup process and redirect users to malicious web content through DNS hijacking and Man-In-The-Middle (MITM) attacks. The DNSSEC feature helps mitigate the risk of such attacks by cryptographically signing DNS records (DNSSEC provides authenticity and integrity of responses, not confidentiality). As a result, it prevents attackers from issuing fake DNS responses that may misdirect web clients to fake, fraudulent or scam websites.


Audit

To determine if DNSSEC is enabled for all your Domain Name System (DNS) managed zones, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud DNS dashboard at https://console.cloud.google.com/net-services/dns.

04 Select the Zones tab to access the list of DNS managed zones created for the selected project.

05 On the Zones panel, click inside the Filter by zone name, DNS name or description box, select Type and public, then press Enter. This filtering process will return only the public DNS managed zones available for the GCP project.

06 Choose the public DNS zone that you want to examine and check the configuration status available in the DNSSEC column. If the configuration status is set to Off, the Domain Name System Security Extensions (DNSSEC) feature is not enabled for the selected DNS managed zone.

07 Repeat step no. 6 for every public DNS zone deployed within the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the projects available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-web-project-123123
cc-backend-app-112233

03 Run dns managed-zones list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom filtering to describe the name and the visibility of each DNS managed zone created for the selected project:

gcloud dns managed-zones list \
  --project cc-web-project-123123 \
  --format="table(name,visibility)"

04 The command output should return the requested Google Cloud DNS zone metadata:

NAME                        VISIBILITY
cloudconformity-dns-zone    public
cloudrealisation-dns-zone   public

05 Run dns managed-zones describe command (Windows/macOS/Linux) using the name of the public DNS managed zone that you want to examine as identifier parameter and custom query filters to describe the DNSSEC configuration status set for the selected DNS zone:

gcloud dns managed-zones describe cloudconformity-dns-zone \
  --project cc-web-project-123123 \
  --format="table(dnssecConfig.state)"

06 The command output should return the requested configuration status:

STATE
off

If the dns managed-zones describe command output returns off as the value of the STATE attribute, as shown in the example above, or the STATE configuration attribute does not have any value configured, the Domain Name System Security Extensions (DNSSEC) feature is not enabled for the selected DNS managed zone.

07 Repeat step no. 5 and 6 for every public DNS zone created within the selected Google Cloud Platform (GCP) project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable the DNSSEC security feature for all your public Google Cloud DNS managed zones, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud DNS dashboard at https://console.cloud.google.com/net-services/dns.

04 Select the Zones tab to access the list of DNS managed zones created for the selected project.

05 On the Zones panel, click inside the Filter by zone name, DNS name or description box, select Type and public, then press Enter. This filtering process will return only the public DNS managed zones available for the GCP project.

06 Choose the public DNS zone that you want to reconfigure (see Audit section part I to identify the right DNS zone). In the Zone details section, select EDIT at the top of the screen.

07 Select On from the DNSSEC configuration dropdown list to enable the feature and click SAVE. DNSSEC signing is now enabled for the selected zone. Once the DNS zone is signed (typically within a few minutes) DNSSEC security can be fully activated by giving your domain registrar information from the Registrar Setup section on the Google Cloud DNS zone details page.

08 Repeat step no. 6 and 7 for every public DNS zone deployed within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run dns managed-zones update command (Windows/macOS/Linux) using the name of the public DNS managed zone that you want to reconfigure as identifier parameter (see Audit section part II to identify the right zone), to update the resource configuration and enable the DNSSEC security feature for the selected public DNS managed zone:

gcloud dns managed-zones update cloudconformity-dns-zone \
  --project cc-web-project-123123 \
  --dnssec-state on

02 The command output should return the update process status for the selected DNS zone:

Updating managed zone [cloudconformity-dns-zone]...done.

03 Repeat step no. 1 and 2 for every public DNS zone created within the selected Google Cloud Platform (GCP) project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.
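The following Python script is an added example, not part of this Conformity article or of Google's tooling. It automates the CLI audit (steps 1 to 6 above, including the "missing dnssecConfig means not enabled" case) across every project and, with --fix, applies the remediation command from step 1 to each failing zone. It assumes the gcloud CLI is installed and authenticated, and that gcloud's --format=json output carries the fields used in the commands above (projectId, name, visibility, dnssecConfig.state). The SAMPLE_ZONES data is constructed for illustration and mirrors the zone names used in this article.

```python
"""Audit (and optionally remediate) DNSSEC on Google Cloud DNS public zones.

Added example for rule CloudDNS-001; not Conformity's own code.
Assumes gcloud is installed and authenticated.
"""
import json
import subprocess
import sys


def run_gcloud(args):
    """Run a gcloud command with JSON output and return the parsed result."""
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def dnssec_enabled(zone):
    """A zone passes only when dnssecConfig.state is exactly 'on'.

    A missing dnssecConfig block, an empty state, or 'off' all mean DNSSEC is
    not enabled for the zone, which is the audit condition described above.
    """
    state = (zone.get("dnssecConfig") or {}).get("state")
    return state is not None and state.lower() == "on"


def noncompliant_zones(zones):
    """Return names of the public zones in `zones` that fail the DNSSEC check.

    Private zones are skipped: this rule applies to public managed zones only.
    """
    return [z["name"] for z in zones
            if z.get("visibility") == "public" and not dnssec_enabled(z)]


def audit(project_ids=None, fix=False):
    """Walk the given projects (default: all visible ones) and report failures.

    Returns {project_id: [failing zone names]}. With fix=True, enables DNSSEC
    signing on each failing zone (the registrar DS record step is still manual).
    """
    if project_ids is None:
        project_ids = [p["projectId"] for p in run_gcloud(["projects", "list"])]
    findings = {}
    for project in project_ids:
        zones = run_gcloud(["dns", "managed-zones", "list", "--project", project])
        bad = noncompliant_zones(zones)
        if bad:
            findings[project] = bad
        if fix:
            for zone in bad:
                subprocess.run(["gcloud", "dns", "managed-zones", "update", zone,
                                "--project", project, "--dnssec-state", "on"],
                               check=True)
    return findings


# Constructed sample in the shape of `gcloud dns managed-zones list --format=json`.
SAMPLE_ZONES = [
    {"name": "cloudconformity-dns-zone", "visibility": "public",
     "dnssecConfig": {"state": "off"}},
    {"name": "cloudrealisation-dns-zone", "visibility": "public"},  # no dnssecConfig
    {"name": "signed-zone", "visibility": "public",
     "dnssecConfig": {"state": "on"}},
    {"name": "internal-zone", "visibility": "private"},
]

if __name__ == "__main__":
    # Usage: python dnssec_audit.py [--fix] [PROJECT_ID ...]
    fix = "--fix" in sys.argv
    projects = [a for a in sys.argv[1:] if a != "--fix"] or None
    for project, zones in audit(projects, fix=fix).items():
        for zone in zones:
            print(f"{project}: public zone {zone} has DNSSEC off")
```

Run it without arguments for a read-only report across all projects, or with one or more project IDs to scope it. Note that --fix only turns on zone signing; as in Console step 7, the DS record must still be published at the registrar before resolvers will validate the zone.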

Publication date May 5, 2020