DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Continue reading

1. Hack Tools
2. Hacking Tools Software
3. Hacking Tools And Software
4. Hacker Search Tools
5. Hacker Tools Apk Download
6. Hacker Tools For Windows
7. Easy Hack Tools
8. Pentest Tools Kali Linux
9. Hacking Tools For Windows Free Download
10. Pentest Tools Windows
11. Bluetooth Hacking Tools Kali
12. Hacker Tools Mac
13. Hack Tools Online
14. Hacking Tools For Windows 7
15. Pentest Tools Windows
16. Hacker Hardware Tools
17. Hacking Tools Name
18. Tools 4 Hack
19. Hack Tools For Games
20. Hacker Tools For Mac
21. Hacker Tools Software
22. Pentest Tools Website
23. Hacking Tools Software
24. Hacker Tools Software
25. Hacker Tools 2019
26. Hacker Tools For Windows
27. Usb Pentest Tools
28. Pentest Tools Tcp Port Scanner
29. Hack Tools For Games
30. Hack Tools For Pc
31. Pentest Tools Android
32. Pentest Tools Subdomain
33. Usb Pentest Tools
34. Hacking Tools Download
35. Pentest Tools For Mac
36. Hacking Tools 2020
37. Hacker Tools For Pc
38. Pentest Tools Review
39. Pentest Tools Linux
40. Hacking Tools And Software
41. Hacking Tools Download
42. Pentest Tools Find Subdomains
43. Hacker Tools Linux
44. Pentest Tools
45. Pentest Tools Free
46. Pentest Tools Review
47. Hacker Tools Linux
48. Pentest Tools List
49. Pentest Tools For Android
50. Pentest Tools Open Source
51. Hak5 Tools
52. How To Hack
53. Hacker Tools Github
54. Hacker Tools Github
55. Hack Tools Download
56. Hacking App
57. Hacker Tools 2019
58. Pentest Tools Port Scanner
59. Hacker Tools Hardware
60. Hacking Apps
61. Pentest Tools Kali Linux
62. Hacker Tools Windows
63. Pentest Tools Free
64. Black Hat Hacker Tools
65. Hacker Security Tools
66. Computer Hacker
67. Pentest Tools Online
68. Pentest Tools Tcp Port Scanner
69. Hacking Tools Hardware
70. New Hacker Tools
71. Pentest Tools Open Source
72. What Are Hacking Tools
73. Hacking Tools Name
74. Pentest Tools Open Source
75. Pentest Tools Subdomain