DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Read more

1. Pentest Tools Subdomain
2. New Hacker Tools
3. Hacker Tools Mac
4. Hack Apps
5. Hacking Tools 2020
6. Free Pentest Tools For Windows
7. Hack Tools Download
8. World No 1 Hacker Software
9. Pentest Tools Website Vulnerability
10. Best Pentesting Tools 2018
11. Hacking Tools Usb
12. Hacking Tools Windows
13. Hacking Tools For Windows
14. Hacker Tools Free
15. Hacking Tools For Mac
16. Best Hacking Tools 2020
17. Hacking Tools Mac
18. Pentest Automation Tools
19. Pentest Tools Github
20. Hacking Tools
21. Hack Website Online Tool
22. Hack Tools
23. Pentest Reporting Tools
24. Hacker Tool Kit
25. Termux Hacking Tools 2019
26. Hak5 Tools
27. How To Hack
28. Github Hacking Tools
29. Hacking Tools Hardware
30. Hack Tools For Mac
31. Top Pentest Tools
32. Hackrf Tools
33. Hack Tools
34. Pentest Tools Url Fuzzer
35. Hacking Tools Github
36. Hack Rom Tools
37. Growth Hacker Tools
38. Hacking Tools Kit
39. Hack Tools Pc
40. Hacking Tools Hardware
41. Hacker
42. Android Hack Tools Github
43. Hacking Tools Github
44. Pentest Tools Url Fuzzer
45. Hackrf Tools
46. New Hack Tools
47. Hack Tools Online
48. Kik Hack Tools
49. Pentest Tools Free
50. Hacking Tools Pc
51. Pentest Box Tools Download
52. Hack Tools For Pc
53. Bluetooth Hacking Tools Kali
54. Hacker Tools List
55. Hacker Techniques Tools And Incident Handling
56. Pentest Tools Tcp Port Scanner
57. World No 1 Hacker Software
58. Wifi Hacker Tools For Windows
59. Pentest Tools For Windows
60. Hack Apps
61. Pentest Tools Github
62. Hacker Tools Github
63. Hack Apps
64. Hacking Tools For Windows Free Download
65. Hacking Tools For Kali Linux
66. Hacker Tool Kit
67. Pentest Tools Subdomain
68. Ethical Hacker Tools
69. Pentest Tools Github
70. Hacking Tools For Windows
71. Best Hacking Tools 2020
72. Game Hacking
73. Free Pentest Tools For Windows
74. Hacking Tools Name
75. Best Pentesting Tools 2018
76. Pentest Tools Port Scanner
77. Hacker Tools Hardware
78. Pentest Tools Framework
79. Hacker Tools Linux
80. Hacker Tools Hardware
81. Wifi Hacker Tools For Windows
82. World No 1 Hacker Software
83. Hacking Tools 2020
84. Beginner Hacker Tools
85. Pentest Tools List
86. Hack Rom Tools
87. Hacker Tools Hardware
88. Hacker Tools Software
89. Hacking Tools Hardware
90. Pentest Tools Alternative
91. Pentest Tools Port Scanner
92. Top Pentest Tools
93. Hacking Tools For Kali Linux