DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Continue reading

1. Hacker Search Tools
2. Pentest Tools Online
3. Pentest Tools Kali Linux
4. Pentest Tools Subdomain
5. Hack Tool Apk
6. Hacker Tools For Mac
7. Hack Tools For Games
8. Pentest Tools Free
9. Hacker Techniques Tools And Incident Handling
10. Hack Tools Pc
11. Hacking Tools Free Download
12. Pentest Tools Kali Linux
13. Physical Pentest Tools
14. Hacker Search Tools
15. Install Pentest Tools Ubuntu
16. Pentest Tools Kali Linux
17. Computer Hacker
18. Best Hacking Tools 2019
19. Hack Tools For Pc
20. Install Pentest Tools Ubuntu
21. Pentest Tools Bluekeep
22. Pentest Tools Apk
23. Hacker Tool Kit
24. Pentest Tools Github
25. Hacker Tools For Pc
26. Hacker Tools For Mac
27. Pentest Tools Bluekeep
28. New Hack Tools
29. Hacking Tools Download
30. Hacking Tools Free Download
31. Hacking Tools 2020
32. Pentest Tools Tcp Port Scanner
33. Pentest Recon Tools
34. Nsa Hack Tools
35. Ethical Hacker Tools
36. Hack Tools Pc
37. Hacker Tools List
38. Hack Tool Apk No Root
39. Hack Tools Github
40. Ethical Hacker Tools
41. Pentest Tools Url Fuzzer
42. Black Hat Hacker Tools
43. Hacking Tools For Windows
44. Pentest Tools Nmap
45. Hacker Tools For Ios
46. Hacker Tools Linux
47. Hacking Tools Github
48. Pentest Tools For Ubuntu
49. Hacking Tools 2020
50. Tools Used For Hacking
51. Android Hack Tools Github
52. Hacking Tools Mac
53. Hack Tools For Windows
54. Hacker Tools Apk
55. Hack Tools Online
56. Hack Tools For Ubuntu
57. Pentest Tools Download
58. Hacking Tools Software
59. Ethical Hacker Tools
60. Nsa Hack Tools Download
61. Hack Tools
62. Pentest Tools Download
63. Pentest Tools Bluekeep
64. Hacking Tools For Games
65. Hacking Tools For Games