Discuss this help topic in SecureBlackbox Forum

Use DNSSEC and custom DNS servers

SecureBlackbox includes its own, fast and secure, implementation of DNS/DNSSEC client. As of version 16 and later, all transport classes (SSL / TLS, FTP, HTTP, SMTP, POP3, IMAP, WebDAV, LDAP, SSH, SFTP, AS2, AS3, Cloud) use this internal DNS implementation instead of the default servers defined in the system. At the moment, the internal DNS client does not support resolution of DNS suffixes or names from the host files. Fully qualified domain names (FQDNs) or IP addresses should be provided to the DNS resolver. You can use the DNS property of the corresponding transport component to switch back to the system resolver by setting the TElDNSSettings.Enabled property to false.

DNSSEC protects your socket connection from being fooled by DNS cache poisoning and other malicious DNS activity. DNSSEC requires that the DNS record for the destination server carries a certified signature. It is a good idea to use FQDNs instead of partial names or DNS suffixes in this case, because the latter are hidden from the application. When a client connects to the server via TLS using a partial name, the certificate validator knows only the host name provided by the user (application). If the server presents a certificate issued for a different domain name (e.g., the FQDN instead of the partial name), such a certificate will not be accepted.

By default, DNS security is enabled. To disable DNSSEC, switch TElDNSSettings.UseSecurity to false.

Use the DNS property of the corresponding class (e.g., TElHTTPSClient.DNS) to configure DNS settings. You can add or remove custom server IPs to the TElDNSSettings.Servers property when using the internal DNS resolver.

You can handle the following events of a DNSSEC-enabled class:

  • OnKeyNeeded - This event is fired when a key is required to verify a signature. Provide the corresponding key record via the Key parameter.
  • OnKeyValidate - This event is fired when a key needs to be validated. Provide the validation result via the Valid parameter.
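The following Delphi unit is an added example, not code from the SecureBlackbox help or library. It wires the settings and events described above onto a TElHTTPSClient: keeps the internal resolver with DNSSEC on, points it at custom server IPs, switches back to the system resolver where short names or hosts-file entries are needed, and implements fail-closed OnKeyNeeded/OnKeyValidate handlers driven by key tags the operator pinned out of band. Assumed and to be checked against the SecureBlackbox units you ship: the unit names SBHTTPSClient and SBDNSSEC, that TElDNSSettings.Servers is a TStrings-style list with Clear/Add, the full event handler signatures (the page documents only the Key and Valid parameters), the KeyTag member of the key record, and the TDnsPolicy class itself, which is a hypothetical helper.

```pascal
{ Added example; not part of the SecureBlackbox help text or library.
  Assumptions: unit names, the Servers list API, the event signatures beyond
  Key/Valid, and the KeyTag member of TElDNSPublicKeyRecord. }
unit DnsPolicyDemo;

interface

uses
  SysUtils, Classes, Generics.Collections, SBHTTPSClient, SBDNSSEC;

type
  { Hypothetical application-side DNS policy wrapper around one HTTPS client. }
  TDnsPolicy = class
  private
    FClient: TElHTTPSClient;
    FPinnedKeyTags: TList<Word>;   // key tags obtained out of band (e.g. from the zone operator)
    procedure KeyNeeded(Sender: TObject; const Owner: string; KeyTag: Word;
      Algorithm: Byte; var Key: TElDNSPublicKeyRecord; var ReleaseKey: Boolean);
    procedure KeyValidate(Sender: TObject; Key: TElDNSPublicKeyRecord;
      var Valid: Boolean);
  public
    constructor Create(AClient: TElHTTPSClient);
    destructor Destroy; override;
    procedure PinKeyTag(KeyTag: Word);
    procedure UseInternalResolver(const Servers: array of string);
    procedure UseSystemResolver;
    function Fetch(const Url: string): Integer;
  end;

implementation

constructor TDnsPolicy.Create(AClient: TElHTTPSClient);
begin
  inherited Create;
  FClient := AClient;
  FPinnedKeyTags := TList<Word>.Create;
  // Documented events on the DNS settings object; handler signatures assumed.
  FClient.DNS.OnKeyNeeded := KeyNeeded;
  FClient.DNS.OnKeyValidate := KeyValidate;
end;

destructor TDnsPolicy.Destroy;
begin
  FPinnedKeyTags.Free;
  inherited;
end;

procedure TDnsPolicy.PinKeyTag(KeyTag: Word);
begin
  FPinnedKeyTags.Add(KeyTag);
end;

procedure TDnsPolicy.UseInternalResolver(const Servers: array of string);
var
  I: Integer;
begin
  FClient.DNS.Enabled := True;       // internal DNS client (the default since version 16)
  FClient.DNS.UseSecurity := True;   // keep DNSSEC on; False would silently drop the protection
  FClient.DNS.Servers.Clear;         // Servers list API assumed
  for I := Low(Servers) to High(Servers) do
    FClient.DNS.Servers.Add(Servers[I]);   // custom resolver IPs, e.g. an internal validating resolver
end;

procedure TDnsPolicy.UseSystemResolver;
begin
  // Required when the target is a short host name or a hosts-file entry:
  // the internal client resolves neither DNS suffixes nor hosts-file names.
  FClient.DNS.Enabled := False;
end;

procedure TDnsPolicy.KeyNeeded(Sender: TObject; const Owner: string; KeyTag: Word;
  Algorithm: Byte; var Key: TElDNSPublicKeyRecord; var ReleaseKey: Boolean);
begin
  // This demo has no out-of-band key store, so no key is supplied:
  // the signature cannot be verified and the lookup fails closed.
  Key := nil;
  ReleaseKey := False;
end;

procedure TDnsPolicy.KeyValidate(Sender: TObject; Key: TElDNSPublicKeyRecord;
  var Valid: Boolean);
begin
  // Accept only keys whose tag the operator pinned; reject everything else.
  Valid := (Key <> nil) and FPinnedKeyTags.Contains(Key.KeyTag);   // KeyTag member assumed
end;

function TDnsPolicy.Fetch(const Url: string): Integer;
begin
  // Always pass an FQDN: a partial name is invisible to the resolver and
  // will not match the name in the server's certificate.
  Result := FClient.Get(Url);   // e.g. 'https://www.example.com/'
end;

end.
```

Construct TDnsPolicy with an existing TElHTTPSClient, call PinKeyTag for each trust anchor you hold, then UseInternalResolver(['192.0.2.53']) (a documentation-range address, constructed for this example) before Fetch. The two handlers are deliberately strict: a lookup for which no pinned key exists fails rather than falling back to an unvalidated answer, which is the behaviour you want when DNSSEC is the reason the internal resolver is in use.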
