DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Continue reading

1. Pentest Tools Free
2. Blackhat Hacker Tools
3. Hacking Tools And Software
4. Kik Hack Tools
5. Hacker Tools For Windows
6. Github Hacking Tools
7. Hacker Tools Hardware
8. Hacking Tools Kit
9. Hacker Tools Free Download
10. Hack Tools For Pc
11. Pentest Tools Review
12. Hacking Tools Name
13. Hacker Tools For Windows
14. Termux Hacking Tools 2019
15. Hacking Tools For Windows 7
16. Hackrf Tools
17. Growth Hacker Tools
18. Usb Pentest Tools
19. Ethical Hacker Tools
20. Hack Tools For Windows
21. Blackhat Hacker Tools
22. Hacking Tools 2020
23. Pentest Tools Subdomain
24. Hacker Hardware Tools
25. Hacking Tools Windows 10
26. Pentest Tools Open Source
27. Install Pentest Tools Ubuntu
28. Hackers Toolbox
29. Hacker Tools Apk Download
30. Hackrf Tools
31. Hacking Tools Mac
32. Hacking Tools 2019
33. Hacker Tools For Windows
34. Hacker Tools Apk Download
35. Best Hacking Tools 2019
36. What Is Hacking Tools
37. Hacker Tools Free
38. Hacking Tools Pc
39. New Hack Tools
40. Pentest Tools Subdomain
41. Github Hacking Tools
42. Game Hacking
43. Hacking Tools Software
44. Hack Tools For Pc
45. Hacker Tools Mac
46. Hacker Tool Kit
47. Nsa Hack Tools Download
48. Hack Tools Online
49. Pentest Tools For Windows
50. Hacking Tools Pc
51. Hack Website Online Tool
52. Hacks And Tools
53. Computer Hacker
54. Nsa Hacker Tools
55. Hacking Tools And Software
56. Hacker Tools Software
57. Hacking Tools For Windows Free Download
58. Pentest Tools Linux
59. Hacking Tools For Windows
60. Hack Tools 2019
61. What Is Hacking Tools
62. Pentest Tools Apk
63. Hack Tool Apk No Root
64. Hacking Tools For Mac
65. Hacking Apps
66. Hack Rom Tools
67. Pentest Tools Website
68. Pentest Box Tools Download
69. Hacker Tools Windows
70. Pentest Tools Find Subdomains
71. How To Hack
72. Hack Tools For Ubuntu
73. Hacking Tools Usb
74. Beginner Hacker Tools
75. Hacker Tools For Windows
76. Pentest Tools For Windows
77. Pentest Tools Nmap
78. New Hacker Tools
79. Hacks And Tools
80. Hack Tools For Games
81. Pentest Tools Subdomain
82. Hack Tools
83. Beginner Hacker Tools
84. Pentest Tools Alternative
85. Hack And Tools
86. Underground Hacker Sites
87. How To Install Pentest Tools In Ubuntu
88. Pentest Tools For Ubuntu
89. Hacker Tools For Windows
90. New Hacker Tools
91. Pentest Tools List
92. Blackhat Hacker Tools
93. Nsa Hacker Tools
94. Tools Used For Hacking
95. Best Pentesting Tools 2018
96. Pentest Box Tools Download
97. Usb Pentest Tools
98. How To Hack
99. Hacking Tools Hardware
100. Hacker Tools Software
101. Best Hacking Tools 2019
102. Pentest Tools Android
103. Hack Tools For Pc
104. Pentest Automation Tools
105. Hacking Tools
106. Growth Hacker Tools
107. Pentest Tools Find Subdomains
108. Install Pentest Tools Ubuntu
109. Blackhat Hacker Tools
110. What Is Hacking Tools
111. Pentest Tools Url Fuzzer
112. How To Hack
113. Nsa Hacker Tools
114. Kik Hack Tools
115. Hacking Tools Hardware
116. Wifi Hacker Tools For Windows
117. Hack Website Online Tool
118. Hak5 Tools
119. Hack Tools Mac