Cloud DNS should have DNSSEC enabled
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Description
Cloud Domain Name System (DNS) is a fast, reliable, and cost-effective domain name system
that powers millions of domains on the internet. Domain Name System Security Extensions
(DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains
against DNS hijacking, man-in-the-middle attacks, and more.
Rationale
Domain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling the DNS responses to be validated. A trustworthy DNS that translates a domain name like www.example.com into its associated IP address is an increasingly important building block for modern web-based applications.
Attackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records to prevent attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.
By default, DNSSEC is not enabled.
From the console
- Navigate to the Cloud DNS page.
- For each Type Public zone, set
DNSSEC to On.
From the command line
Use this command to enable DNSSEC for Cloud DNS Zone Name:
gcloud dns managed-zones update ZONE_NAME --dnssec-state on
References
- https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html
- https://cloud.google.com/dns/dnssec-config#enabling
- https://cloud.google.com/dns/dnssec
