DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Related posts

1. Hacking Tools For Beginners
2. Hack Website Online Tool
3. Physical Pentest Tools
4. Hack Tools Github
5. Hack Tools 2019
6. Hack And Tools
7. Pentest Tools Nmap
8. New Hack Tools
9. Pentest Tools For Windows
10. Hackrf Tools
11. Hacker Tools Linux
12. Pentest Tools Port Scanner
13. Hacker Tools
14. Hack Website Online Tool
15. Tools Used For Hacking
16. Pentest Box Tools Download
17. Hacker Tools For Pc
18. Pentest Tools Linux
19. Hacker Hardware Tools
20. Pentest Tools For Mac
21. Pentest Tools For Mac
22. Nsa Hack Tools Download
23. Hack Tools Github
24. Growth Hacker Tools
25. Hacking Tools For Windows 7
26. Underground Hacker Sites
27. Hacking Tools Github
28. Pentest Reporting Tools
29. Pentest Box Tools Download
30. Hacking Tools
31. Hacking Tools Usb
32. Hack Tools Download
33. Hack Tools Download
34. How To Make Hacking Tools
35. Top Pentest Tools
36. World No 1 Hacker Software
37. Hacking Apps
38. Hacks And Tools
39. Pentest Tools Website Vulnerability
40. Hacking Tools And Software
41. Pentest Tools Alternative
42. Hacking Tools
43. Hacking Tools For Kali Linux
44. Hack Tool Apk No Root
45. Growth Hacker Tools
46. Hacker Tools Apk
47. How To Make Hacking Tools
48. Hacking Tools For Pc
49. Tools 4 Hack
50. Hacker Hardware Tools
51. Nsa Hack Tools Download
52. Hacking Tools Name
53. Hacker Tools Github
54. Hacker Tools Apk Download
55. Hacker Tools Apk
56. Ethical Hacker Tools
57. Bluetooth Hacking Tools Kali
58. Tools Used For Hacking
59. Hacking Tools 2020
60. Hacker Tools Apk Download
61. Kik Hack Tools
62. Hacking App
63. Hacking Tools For Pc
64. Pentest Tools Bluekeep
65. Nsa Hack Tools Download
66. Pentest Tools Url Fuzzer
67. Best Pentesting Tools 2018
68. Physical Pentest Tools
69. What Is Hacking Tools
70. What Is Hacking Tools
71. Hacking Tools Name
72. Pentest Tools For Mac
73. Ethical Hacker Tools
74. Beginner Hacker Tools