DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Read more

1. Pentest Tools Tcp Port Scanner
2. Pentest Tools
3. Pentest Tools Online
4. Pentest Tools Alternative
5. Hack Tools Mac
6. Hack Tools Online
7. Termux Hacking Tools 2019
8. Termux Hacking Tools 2019
9. Hack Tool Apk No Root
10. Hacking Tools For Windows
11. Hak5 Tools
12. Hacker Tools Mac
13. Pentest Tools Windows
14. Hacker Tools 2020
15. Pentest Tools Find Subdomains
16. Hack Apps
17. World No 1 Hacker Software
18. Hack Tools
19. Hacking Tools Software
20. Beginner Hacker Tools
21. Hacker Tools Github
22. Wifi Hacker Tools For Windows
23. Hack Website Online Tool
24. Pentest Tools List
25. Hacker Tools Free
26. Hack Tool Apk
27. Hacker Tools Linux
28. Pentest Tools For Ubuntu
29. Hack Tools Mac
30. Usb Pentest Tools
31. Hack Tools
32. Hacking Tools For Kali Linux
33. Hack Website Online Tool
34. Hacker Tools Linux
35. Kik Hack Tools
36. Github Hacking Tools
37. Hack And Tools
38. Pentest Tools Tcp Port Scanner
39. Hacker Hardware Tools
40. Hacker Tool Kit
41. Hacker Tools Github
42. World No 1 Hacker Software
43. Hacks And Tools
44. Hacker Tools 2020
45. Best Hacking Tools 2019
46. New Hack Tools
47. Hack Tools 2019
48. Hack App
49. How To Hack
50. Hacker Tools For Pc
51. Hacking App
52. Hacking Tools Name
53. Hacking Tools 2020
54. Pentest Tools For Mac
55. Hacker Tools Apk Download
56. Hacking Tools And Software
57. Pentest Tools Subdomain
58. Tools 4 Hack
59. Hacking Tools Name
60. Blackhat Hacker Tools
61. Pentest Tools Url Fuzzer
62. Hak5 Tools
63. Nsa Hacker Tools
64. Hacking Tools For Kali Linux
65. Github Hacking Tools
66. Hacker Tools Windows
67. Pentest Tools Nmap
68. Hacker Tools Linux
69. Hacking Tools Software
70. Hack Tools For Windows
71. New Hack Tools
72. Easy Hack Tools
73. Pentest Automation Tools
74. Hacking Tools For Beginners
75. What Is Hacking Tools
76. Hak5 Tools
77. Pentest Tools Kali Linux
78. Ethical Hacker Tools
79. Hacking Tools For Windows
80. Nsa Hack Tools Download
81. Hack App
82. Blackhat Hacker Tools
83. Hacker Hardware Tools
84. Pentest Tools Website Vulnerability
85. New Hack Tools
86. Hack Tool Apk
87. Pentest Tools Find Subdomains
88. Hacking Tools For Beginners
89. Hacker Hardware Tools
90. Pentest Tools Review
91. Pentest Tools Linux
92. Physical Pentest Tools
93. Wifi Hacker Tools For Windows
94. World No 1 Hacker Software
95. Pentest Tools Free
96. What Is Hacking Tools
97. Beginner Hacker Tools
98. Hacking Tools Github
99. Hacker Tools Github
100. Pentest Tools For Android
101. How To Make Hacking Tools
102. Hacker Tools Github
103. Hack Rom Tools
104. Hack Tools For Games
105. How To Install Pentest Tools In Ubuntu
106. Hacker Tools For Pc
107. Pentest Tools Online
108. Hacker Tools Mac
109. Hacking Tools For Pc
110. Hacking Tools For Pc
111. Pentest Tools For Mac
112. Underground Hacker Sites
113. Hacker Tools For Windows
114. Hacking Tools For Mac
115. Hacking Tools Software
116. Usb Pentest Tools
117. Hack Tool Apk No Root
118. Hacking Tools Kit
119. Hacking Tools Mac
120. Hack App
121. How To Install Pentest Tools In Ubuntu
122. Hacking Tools For Windows
123. Game Hacking
124. Physical Pentest Tools
125. Pentest Tools Find Subdomains
126. Hacker Tools For Mac
127. Hack Tools
128. Hacking Tools
129. Best Hacking Tools 2020
130. Hackers Toolbox
131. Pentest Reporting Tools
132. Hack Tools For Mac
133. Usb Pentest Tools
134. Pentest Tools Download
135. Pentest Tools Open Source
136. Hacking Tools Github
137. Hacking Tools Software
138. Pentest Tools Kali Linux
139. Hacker Search Tools
140. Nsa Hack Tools
141. Pentest Tools List
142. Hacker Tools 2019
143. Hacking App
144. Hacking Tools For Windows Free Download
145. Hack Tools 2019
146. Hack Tools
147. Hacker Tools Apk
148. Best Pentesting Tools 2018
149. Pentest Tools Website Vulnerability
150. Hacking Apps
151. Usb Pentest Tools
152. Black Hat Hacker Tools
153. Best Hacking Tools 2020
154. Hacking Tools For Games
155. Hack Tools
156. Easy Hack Tools
157. Hacking Tools Software
158. Hacker Tools