DNS Security is based on Domain Name System Security Extensions (DNSSEC), a specification that adds security to the Domain Name System (DNS). Through the use of digital signatures, a DNS server can provide data integrity and origin authentication to DNS clients. If you enable DNSSEC on Vigor Router, then before asking for the address of a domain name, the router performs iterative queries for DNSKEY and RRSIG records to validate the information provided by the DNS servers, and so avoids accepting bogus DNS responses.
To enable DNS Security on a WAN interface:
1. Go to Application >> DNS Security, select the WAN interface to which you would like DNSSEC to apply and click OK.
2. The router will check whether the DNS server in use supports DNSSEC. This will take a few seconds. After that, a green lock icon before the DNS server IP means the DNS server supports DNSSEC; a gray lock icon means it does not. You may change the DNS server from WAN >> Internet Access >> Details Page.
3. Set the policy for a bogus DNS reply to 'Drop', so that the router drops any DNS reply whose signature it cannot verify.
4. Note that if the domain name itself doesn't comply with DNSSEC, the router will not be able to verify the DNS query. You may check whether a domain name supports DNSSEC via the Domain Diagnose tab.
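To see on the wire what separates a DNSSEC-capable reply from a plain one, the following added example (not DrayTek's code, and not how the router is implemented) builds a query with the EDNS0 DO bit set and inspects a reply for the AD flag and an RRSIG record. The sample replies are constructed, the function names are hypothetical, and the code only detects the presence of DNSSEC data; it does not verify signatures as the router does.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
AD_FLAG = 0x0020  # "Authenticated Data" header bit

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP size, TTL field holds DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x8000, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + n

def dnssec_status(msg):
    """Report rcode, AD bit and whether the answer section carries an RRSIG."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & AD_FLAG), "rrsig": TYPE_RRSIG in types}

def sample_response(signed):
    """Constructed reply for example.com; the RRSIG rdata is filler, not a signature."""
    q = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    rrs = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    if signed:
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 4) + bytes(4)
    flags = 0x8180 | (AD_FLAG if signed else 0)  # QR, RD, RA (+ AD)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 2 if signed else 1, 0, 0) + q + rrs
```

A reply with neither an RRSIG nor the AD flag to a DO-bit query is what an unsigned domain or a non-DNSSEC server produces. The AD flag alone is only the upstream server's claim, which is why a validator fetches DNSKEY and RRSIG records and checks the signatures itself.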