DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Continue reading

1. Hack Website Online Tool
2. Pentest Tools Linux
3. Hacking Tools Usb
4. Bluetooth Hacking Tools Kali
5. Hacking Tools Online
6. Hacking Tools For Beginners
7. Hacking Tools For Games
8. Hack Tools For Windows
9. Hacker Tools Free
10. Hackers Toolbox
11. Pentest Tools Open Source
12. Pentest Tools For Mac
13. Hacker Tools 2019
14. Pentest Tools Website
15. Pentest Tools Website
16. Hacker Tools Free Download
17. Free Pentest Tools For Windows
18. Hack Tools For Pc
19. Pentest Tools Subdomain
20. Pentest Tools Url Fuzzer
21. Android Hack Tools Github
22. Pentest Tools Port Scanner
23. Hacking Tools For Beginners
24. Hacker Tool Kit
25. Pentest Automation Tools
26. Hacking Tools Windows 10
27. Hacking Tools Windows 10
28. Pentest Tools Website
29. Pentest Tools Github
30. Easy Hack Tools
31. Hacking Tools Github
32. Install Pentest Tools Ubuntu
33. Hacking Tools For Windows Free Download
34. Hacker Security Tools
35. Hacking Apps
36. Easy Hack Tools
37. Best Pentesting Tools 2018
38. Wifi Hacker Tools For Windows
39. Hackrf Tools
40. Hacking Tools Usb
41. Hacker Tools Hardware
42. Pentest Box Tools Download
43. Nsa Hacker Tools
44. Hacking Apps
45. Hak5 Tools
46. Pentest Reporting Tools
47. Pentest Tools Port Scanner
48. Physical Pentest Tools
49. Pentest Tools Online
50. Bluetooth Hacking Tools Kali
51. Pentest Tools Open Source
52. Kik Hack Tools
53. Free Pentest Tools For Windows
54. Hackrf Tools
55. Hack Tools For Windows
56. Hacking Tools For Windows 7
57. Hack Tool Apk
58. Beginner Hacker Tools
59. Hack And Tools
60. Hack Tool Apk
61. Hacking Tools Pc
62. Ethical Hacker Tools
63. Hacking Tools Pc
64. Pentest Tools Review
65. Pentest Tools Free
66. Hack Tools For Games
67. Physical Pentest Tools
68. Tools For Hacker
69. Hacking Tools Windows 10
70. Kik Hack Tools
71. Pentest Tools For Android
72. Game Hacking
73. Hacker Tools For Pc
74. Pentest Tools
75. Hack Apps
76. Hacker Tool Kit
77. Best Hacking Tools 2020
78. Pentest Tools
79. Game Hacking
80. Hacker Tools Free
81. Hackers Toolbox
82. What Is Hacking Tools
83. Free Pentest Tools For Windows
84. Hack Website Online Tool
85. Pentest Tools Linux
86. Pentest Tools Framework
87. Hacking Tools Free Download
88. New Hacker Tools
89. Hacks And Tools
90. Hack Tool Apk
91. Hack Tools For Ubuntu
92. Hacking Apps
93. Hack Website Online Tool
94. Hacker Tools Online
95. Hacking Tools Download
96. Top Pentest Tools
97. Pentest Tools Website
98. Hack Tools Download
99. Pentest Tools For Android
100. Black Hat Hacker Tools
101. What Is Hacking Tools
102. Hack Apps
103. Hacker Tools
104. Pentest Tools For Windows
105. Pentest Tools Github
106. Physical Pentest Tools
107. Android Hack Tools Github
108. Pentest Tools For Android
109. Computer Hacker
110. Hack Tool Apk
111. Blackhat Hacker Tools
112. Hak5 Tools
113. Pentest Tools Windows
114. Hack Tools Download
115. Usb Pentest Tools