The recent DDoS attack against Spamhaus and later CloudFlare showed everyone the vulnerability present in the DNS system. DNS servers translate human-readable domain names like trishtech.com to IP addresses like 184.108.40.206. Web browsers and other applications use these numeric IP addresses to connect to websites. Anyone with the proper skills can spoof the DNS resolution process and send you to a deceptive site instead of the original site. This is why a new technology called DNSSEC (DNS Security Extensions) has been developed. DNSSEC is to DNS what HTTPS is to HTTP. Unlike regular DNS, DNSSEC digitally signs the root of the domain being resolved, making it harder to hijack the DNS resolution process. While DNSSEC support is present in browsers like Google Chrome, you can add it to Mozilla Firefox using a free extension called DNSSEC Validator. Here is how:
The DNSSEC Validator validates the authenticity of the resolved domain names before Firefox makes an attempt to connect to that domain name. If there is a problem, then you are warned about it. Colorful visual warnings make it easy to recognize whether the page was loaded from the authentic server or whether the page could have been spoofed. You can download this extension from the Mozilla Firefox add-ons website. The extension installation requires you to restart your Firefox browser.
After the extension is installed in Firefox, you can visit any website and an icon in the Firefox address bar shows whether the domain name could be validated by DNSSEC Validator. If the key icon turns red, the domain name could not be validated and could have been spoofed. This does not mean that it is necessarily spoofed, only that it is not secured with DNSSEC and an attacker could potentially spoof it.
However, if the domain name resolution is authenticated, you will see a green key in the Firefox address bar. This means that you are connected to the correct domain name and there is no possibility of the domain name being spoofed.
Keep in mind that not all DNS servers support DNSSEC, so you should switch to ones that do. The Google Public DNS servers support DNSSEC, and you can use our free software Public DNS Server Tool to automatically change your DNS servers to Google Public DNS. Similarly, not all domain names use DNSSEC; it works only on a select few domain names like Verisign.com.
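One way to check whether a given DNS server validates DNSSEC for a name is to send a query with the EDNS0 DO bit set and read the AD (Authenticated Data) flag in the reply header. This is an added example, not code from the DNSSEC Validator extension; the function names and the sample reply bytes are constructed for illustration.

```python
import socket
import struct

AD_FLAG = 0x0020     # Authenticated Data: the resolver verified the DNSSEC signatures
QR_FLAG = 0x8000     # set on responses
SERVFAIL = 2

def build_query(name, qtype=1, txid=0x1234):
    """DNS query for `name` (A record by default) that asks for DNSSEC via the EDNS0 DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 OPT record
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)            # class IN
    # OPT pseudo-record: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO flag, no data
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def classify_response(data, txid=0x1234):
    """Return 'validated', 'not validated' or 'failed' from the response header flags."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid or not flags & QR_FLAG:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    if rcode == SERVFAIL:
        # Validating resolvers answer SERVFAIL when signatures do not verify
        # (other server-side failures look the same).
        return "failed"
    if rcode == 0 and flags & AD_FLAG:
        return "validated"
    return "not validated"       # unsigned domain, or a resolver that does not validate

def check(name, resolver, timeout=3.0):
    """Live check over UDP; `resolver` is the IP address of the DNS server to test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return classify_response(s.recvfrom(4096)[0])

# Constructed sample replies (header bytes only) so the logic can be exercised offline.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)   # QR RD RA AD, NOERROR
SAMPLE_UNSIGNED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)    # QR RD RA, NOERROR
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)    # QR RD RA, SERVFAIL

if __name__ == "__main__":
    for label, reply in [("validated", SAMPLE_VALIDATED), ("unsigned", SAMPLE_UNSIGNED),
                         ("servfail", SAMPLE_SERVFAIL)]:
        print(label, "->", classify_response(reply))
```

For a live test, call `check("verisign.com", "8.8.8.8")` against Google Public DNS. The AD flag is set by the resolver, so it is only as trustworthy as the network path between you and that resolver.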
You can download DNSSEC Validator extension for Firefox from https://addons.mozilla.org/en-us/firefox/addon/dnssec-validator/.