CloudFlare Enables Universal DNSSEC for Its Millions of Customers for Free

Already the world’s largest managed DNS provider, CloudFlare is now the Internet’s most secure

November 10, 2015


SAN FRANCISCO, November 10, 2015 - CloudFlare, the leading Internet performance and security company, today launched Universal DNSSEC to protect any Internet property from DNS poisoning attacks.

If DNS is the phone book of the Internet, DNSSEC is the Internet’s unspoofable caller ID. It guarantees a website’s traffic is safely routed to the correct servers so that a site’s visitors are not intercepted by a hidden “man-in-the-middle” attacker. These attacks usually go unnoticed by sites’ visitors, increasing the risk of phishing, malware infections, and personal data leakage.

“CloudFlare runs the largest managed DNS infrastructure on the Internet. Over the last year, we've seen the number of DNS poisoning attacks increase dramatically,” explained Matthew Prince, co-founder and CEO of CloudFlare. “By providing DNSSEC to all our customers at no cost, we thwart these attacks and ensure our customers can trust the fidelity of their DNS.”

DNSSEC is a set of security extensions that ensure the integrity of DNS by cryptographically guaranteeing DNS records have not been altered in transit. Now CloudFlare makes DNSSEC easy and accessible to anyone, regardless of budget or technical know-how. Web properties using Universal DNSSEC, and their visitors, are shielded from one of the Internet’s oldest and most difficult to detect vulnerabilities.

CloudFlare has 42 percent market share among managed DNS providers for the Internet’s million largest sites. That scale has meant that since opening the DNSSEC public beta just three weeks ago, CloudFlare has already protected 150 million site visitors and 21 billion web requests with secured DNS records. “CloudFlare has demonstrated that there’s no reason why anyone shouldn’t provide DNSSEC by default,” said Dr. Steve Crocker, chairman of the board of ICANN, the nonprofit organization that helps coordinate the top level of the DNS and other unique identifiers. “After many years of promoting DNSSEC deployment, I’m pleased to see this major undertaking come to fruition.”

“CloudFlare is building the foundation for future services that can only be built atop a cryptographically secure DNS infrastructure,” said Ólafur Guðmundsson, the engineering lead behind CloudFlare’s DNSSEC project. “Today’s announcement is just the first step in securing DNS for all our customers. Going forward we’re working to make it so all our customers automatically get the benefits of DNSSEC by default without having to take any action beyond signing up for CloudFlare.”

While CloudFlare has made the process of getting DNSSEC records easy and free, current protocols still require customers to manually copy records to their domain’s registrar. CloudFlare is working with registrars, registries, and industry organizations to develop a new protocol for DNS providers to be able to automatically propagate DNSSEC records on behalf of their customers. CloudFlare has partnered with the registries for the .CA and .CL top-level domains (TLDs) for a large-scale demonstration of the new protocol in the coming months. CloudFlare customers with domains under one of these partner TLDs will get automatically enabled DNSSEC by default — no record copying required.

According to Dan Kaminsky, security expert and chief scientist, and co-founder of White Ops: “DNS is the foundation of trust on the Internet. It's how and why systems across the globe can find one another. For too long this layer of the Internet has been insufficiently protected; CloudFlare is doing here what they do with the rest of the web and making DNS security scale.”

“The world of cryptography has created brilliant protocols; however, they are often under-adopted because they are difficult to implement,” Prince said. “We’re excited to be working with the most innovative registries and registrars to ensure that DNSSEC can have a great user experience and ‘just work’ by default. Together, we have the opportunity to build a more secure foundation for the Internet itself.”

Universal DNSSEC is currently available to all CloudFlare customers and hosting partners at no additional cost. To learn more about Universal DNSSEC, please check out the additional resources below:


· Universal DNSSEC
· Montecito Bank Case Study
· How DNSSEC Works
· Announcing Universal DNSSEC (Blog)


About CloudFlare

CloudFlare, Inc. (@cloudflare) makes any Internet application lightning fast, protects them from attacks, ensures they are always online, and makes it simple to add web apps with a single click. Regardless of size or platform, CloudFlare supercharges Internet applications with no need to add hardware, install software, or change a line of code. The CloudFlare community gets stronger as it grows: every new site makes the network smarter. More than 5 percent of global Internet requests flow through CloudFlare's network; every month more than 2 billion people experience a faster, safer, better Internet. CloudFlare was recognized by the World Economic Forum as a Technology Pioneer, named the Most Innovative Network & Internet Technology Company for two years running by the Wall Street Journal, and ranked among the world's 50 most innovative companies by Fast Company. CloudFlare has offices in San Francisco, Washington DC, London and Singapore.

