DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Related news

1. Hack Tools 2019
2. Hack Tool Apk No Root
3. Hacker Search Tools
4. Hack Tools Mac
5. Hack And Tools
6. Hacker Tools Apk
7. Blackhat Hacker Tools
8. Pentest Tools Android
9. Github Hacking Tools
10. Pentest Tools Github
11. Pentest Tools Windows
12. Hacker Tools For Mac
13. Easy Hack Tools
14. Hacking Tools 2020
15. Nsa Hack Tools
16. Hacking Tools For Kali Linux
17. Hack Tools Pc
18. Hack Tools Online
19. Pentest Tools Alternative
20. Hack Rom Tools
21. Black Hat Hacker Tools
22. Game Hacking
23. Tools 4 Hack
24. Pentest Tools Website
25. Pentest Tools Website
26. Hacker Tools For Mac
27. Hack Tools For Ubuntu
28. Hacker Tools Software
29. Hacking Tools For Mac
30. Hack And Tools
31. Top Pentest Tools
32. Hacks And Tools
33. Install Pentest Tools Ubuntu
34. Hacking Tools For Mac
35. Github Hacking Tools
36. Hack Tools
37. Hacking Tools Kit
38. Hacking Tools Windows
39. Hack Tools Online
40. Growth Hacker Tools
41. Easy Hack Tools
42. Pentest Tools Linux
43. Pentest Automation Tools
44. Hacker Tools Github
45. Hacking App
46. Pentest Tools Url Fuzzer
47. Hacking Tools Kit
48. Best Pentesting Tools 2018
49. Pentest Tools Kali Linux
50. Pentest Tools Open Source
51. Hacks And Tools
52. Hacker Tools For Mac
53. Nsa Hacker Tools
54. Hacking Tools For Mac
55. Hacker Tools Apk
56. Ethical Hacker Tools
57. Hacking Tools For Kali Linux
58. Hacker Tools For Windows
59. Pentest Tools Review
60. Pentest Tools
61. Nsa Hack Tools
62. Black Hat Hacker Tools
63. Install Pentest Tools Ubuntu
64. New Hack Tools
65. Hacker Tools For Windows
66. Pentest Tools Windows
67. Best Pentesting Tools 2018
68. Pentest Tools Open Source
69. Hacker Tools For Windows
70. Hack Tools For Mac
71. Hack Tool Apk No Root
72. Hacking Tools For Windows 7
73. Hacking Tools Usb
74. Pentest Tools Url Fuzzer
75. Hacker Tools 2020
76. Pentest Recon Tools
77. Hacker Tools Online
78. Pentest Reporting Tools
79. Pentest Tools Tcp Port Scanner
80. Pentest Tools Nmap
81. Hacking Tools For Windows
82. What Are Hacking Tools
83. Hacking Tools
84. Best Hacking Tools 2019
85. Hacker Tools For Windows
86. Hacking Tools Kit
87. Pentest Tools Open Source
88. Hacking Tools For Kali Linux
89. Hack Tools Download
90. Hacking Tools Kit
91. Hacking Tools Pc
92. Hack Tools For Windows
93. Best Hacking Tools 2020
94. Nsa Hack Tools Download
95. Hacking Tools For Windows
96. Pentest Tools Tcp Port Scanner
97. Best Hacking Tools 2020
98. Pentest Tools For Android
99. Pentest Tools Windows