DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Related articles

1. Pentest Tools Find Subdomains
2. Pentest Tools For Windows
3. Hacking Tools Windows 10
4. Computer Hacker
5. Hack Tools Online
6. Hacking Tools Windows 10
7. Hacker
8. Pentest Recon Tools
9. Hacking Tools
10. Usb Pentest Tools
11. Hacker Tools List
12. Hacker Tools Apk
13. Hacking Tools Windows
14. Hacking Tools Download
15. Hacker Tools Free
16. Pentest Tools Windows
17. Hack Tools Pc
18. Pentest Tools For Mac
19. Hacking App
20. Best Hacking Tools 2019
21. Pentest Tools Windows
22. Pentest Tools Open Source
23. Hacking Tools Windows
24. Hack Tools Pc
25. Hacker Tools Apk
26. Top Pentest Tools
27. Hacking Tools For Windows
28. Hacking Tools Github
29. Hacker Tools
30. Pentest Tools
31. Hacker
32. Hack Tools Pc
33. Hak5 Tools
34. Hack Tools Mac
35. How To Hack
36. Growth Hacker Tools
37. Nsa Hacker Tools
38. Hacker Tools Free
39. Hacker Tools Apk Download
40. Pentest Tools For Ubuntu
41. Underground Hacker Sites
42. Hacking Tools And Software
43. Nsa Hacker Tools
44. Pentest Tools Apk
45. Hacker Tools For Ios
46. Underground Hacker Sites
47. Pentest Reporting Tools
48. Hack Tools Github
49. Hacker Techniques Tools And Incident Handling
50. Hacking Tools Github
51. Hacking Tools Hardware
52. Usb Pentest Tools
53. Pentest Box Tools Download
54. Hacking Tools Github
55. Underground Hacker Sites
56. Hacking Tools Pc
57. How To Make Hacking Tools
58. Pentest Tools Windows
59. Hacking Tools Pc
60. Hacking Tools For Pc
61. Hack Rom Tools
62. Hacking App
63. Beginner Hacker Tools
64. Pentest Tools Windows
65. Hacking Tools And Software
66. Hack Tools Download
67. Hack Apps
68. Underground Hacker Sites
69. How To Hack
70. Top Pentest Tools
71. How To Make Hacking Tools
72. Hacker Tools Hardware
73. Hacker Tools Apk Download
74. Hackrf Tools
75. Pentest Tools Bluekeep
76. Pentest Tools Nmap
77. Pentest Tools Website Vulnerability
78. Hackrf Tools
79. Pentest Tools Port Scanner
80. Hacking Tools For Beginners
81. Hacking Tools Download
82. Beginner Hacker Tools
83. Nsa Hack Tools Download
84. Computer Hacker
85. Hacking Tools For Beginners
86. Growth Hacker Tools
87. Pentest Tools Kali Linux
88. Hacking Tools Kit
89. Pentest Tools Subdomain
90. Underground Hacker Sites
91. What Are Hacking Tools
92. Best Hacking Tools 2020
93. Hacking Tools
94. Pentest Box Tools Download
95. Pentest Reporting Tools
96. Pentest Tools Framework
97. Pentest Tools Subdomain
98. Hack And Tools
99. New Hacker Tools
100. Hacker Tools Hardware
101. Hackrf Tools
102. Hacking Tools Software
103. Hack Tools Mac
104. Hacking Tools And Software
105. Hack And Tools
106. Pentest Recon Tools
107. Pentest Tools Port Scanner
108. Blackhat Hacker Tools