DANE

DNS-based Authentication of Named Entities (DANE) for SMTP provides a more secure method of mail transport. DANE allows SMTP servers to establish encrypted TLS connections without the disadvantages of opportunistic STARTTLS, and so ensures reliable encryption for email transport. For this to work as intended, DANE relies on the secure version of the Domain Name System (DNSSEC) to retrieve information published by a domain name's owner or administrator. This information lets a sending SMTP server determine up front whether the receiving SMTP server supports an encrypted connection, and gives it the means to validate the authenticity of that server's certificate. Confidentiality of email becomes available to the masses.
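The sending side of this check, as an added example that is not code from the original page: it parses TLSA records in their zone-file form, compares a presented certificate against them using the selector (full certificate or SubjectPublicKeyInfo) and matching type (exact, SHA-256, SHA-512), and then applies the sender's policy, including the rule that a published TLSA policy is never allowed to fall back to cleartext. The certificate and SPKI bytes are constructed placeholders; a real implementation would take them from the TLS handshake, and the PKIX path validation needed for DANE-TA (usage 2) is omitted.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data standing in for a server's DER certificate and its
# DER-encoded SubjectPublicKeyInfo; real values are hundreds of bytes long.
LEAF_CERT = b"constructed-der-cert-mail.example.com"
LEAF_SPKI = b"constructed-spki-mail.example.com"

@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA, 3 = DANE-EE (0/1 are PKIX usages, unusable for SMTP)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data

def parse_tlsa(rdata: str) -> TLSA:
    """Parse the presentation form used in zone files, e.g. '3 1 1 <hex>'."""
    usage, selector, mtype, hexdata = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))

def usable(rec: TLSA) -> bool:
    """RFC 7672: only DANE-TA(2)/DANE-EE(3) with known selector and matching type count."""
    return rec.usage in (2, 3) and rec.selector in (0, 1) and rec.mtype in (0, 1, 2)

def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one presented certificate against one TLSA record."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif rec.mtype == 2:
        selected = hashlib.sha512(selected).digest()
    return hmac.compare_digest(selected, rec.data)

def dane_verdict(dnssec_secure, records, chain):
    """Sender's decision. `records` are TLSA rdata strings; `chain` is the
    presented chain as (cert_der, spki_der) pairs, leaf first."""
    if not dnssec_secure:
        return "opportunistic-tls"    # unsigned zone: DANE cannot apply
    recs = [parse_tlsa(r) for r in records]
    if not recs:
        return "opportunistic-tls"    # secure denial of existence: no policy published
    recs = [r for r in recs if usable(r)]
    if not recs:
        return "unauthenticated-tls"  # policy exists but is unusable: TLS required, no auth
    for rec in recs:
        candidates = chain[:1] if rec.usage == 3 else chain  # DANE-EE pins the leaf only
        if any(matches(rec, c, s) for c, s in candidates):
            return "authenticated-tls"
    return "defer"                    # policy published, nothing matched: never send in cleartext

# Published record (constructed): DANE-EE, SPKI selector, SHA-256 matching
PUBLISHED = [f"3 1 1 {hashlib.sha256(LEAF_SPKI).hexdigest()}"]
```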

Resources

Here are some good resources to help you learn more about DANE:

To learn more about DANE and other email security protocols, check out the resource page from our DMARC Bootcamp – five weeks of free online technical training focused on what DMARC is and how to implement it, including the basics of SPF and DKIM, options for performing DKIM key generation and signing, and other email security protocols that better protect your organization. All sessions are recorded and available for anyone to view.

What Does DANE Protect Against

The Domain Name System (DNS) is a protocol used to translate a domain name to an IP address, much like a phone book. It is easier to remember a domain name than the IP address of the server hosting a site, or of the mail server to which an email should be sent. DNS is a vital part of communication over the Internet. However, like many other protocols, DNS was not designed with security in mind.

DNS Hijacking

One security issue is the DNS hijacking attack. A DNS query is a request sent to a DNS server asking for the IP address of a domain; this is how most communication on the Internet starts. Once the answer is received, the requesting system can communicate directly with that domain. However, a malicious actor may be able to redirect the request to a rogue DNS server, leading the requesting system to a malicious site instead.

DNS Cache Poisoning

Another type of attack is DNS cache poisoning, also known as DNS spoofing. This attack exploits weaknesses in DNS to reroute Internet traffic away from legitimate servers towards fake ones. A DNS server becomes poisoned when it holds an incorrect entry. An attacker who gains control of a DNS server could change the entry that determines which IP address a website resolves to. For example, the attacker could redirect google.com from the legitimate server to one hosting a malicious phishing website.