Sunday, June 4, 2023

DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I showed the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list shows the attack types from the first post where DNSSEC can protect the users:

  • DNS cache poisoning the DNS server, "Da Old way"
  • DNS cache poisoning, "Da Kaminsky way"
  • ISP hijack, for advertisement or spying purposes
  • Captive portals
  • Pentester hijacks DNS to test application via active man-in-the-middle
  • Malicious attacker hijacks DNS via active MITM

The following list shows the attack types from the first post where DNSSEC cannot protect the users:

  • Rogue DNS server set via malware
  • Having access to the DNS admin panel and rewriting the IP
  • ISP hijack, for advertisement or spying purposes
  • Captive portals
  • Pentester hijacks DNS to test application via active man-in-the-middle
  • Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non-DNSSEC-aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? The answer is "simple":

  1. Configure your own DNSSEC-aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
  2. Don't let malware run on your system! ;-)
  3. Use at least two-factor authentication for admin access to your DNS admin panel.
  4. Use a registry lock (details in part 1).
  5. Use a DNSSEC-aware OS.
  6. Use DNSSEC-protected websites.
  7. There is a need for an API or something, where the client can enforce DNSSEC-protected answers. If the answer is not protected with DNSSEC, the connection cannot be established.
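A sketch of the client-side enforcement from point 7, added here as an example and not taken from the original post: the query asks for DNSSEC data (DO bit), and the reply is accepted only if the resolver marked it as validated (AD bit). The function names and the sample reply headers are constructed for illustration, and the AD bit only means something when the resolver itself is trusted and the path to it cannot be tampered with, which is why point 1 puts the validating resolver on localhost.

```python
import struct

AD = 0x0020      # header flag: resolver says the answer passed DNSSEC validation
DO = 0x00008000  # EDNS0 OPT TTL flag: "DNSSEC OK", please send the signatures

def build_query(name, txid, qtype=1):
    """A-record query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT record: root name, type 41, class = UDP payload size, TTL = flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def check_response(packet, txid):
    """Return 'secure' only for a matching, error-free reply with AD set."""
    if len(packet) < 12:
        return "reject: truncated header"
    rid, flags = struct.unpack("!HH", packet[:4])
    if rid != txid or not flags & 0x8000:
        return "reject: not a reply to our query"
    rcode = flags & 0x000F
    if rcode:
        # A validating resolver answers SERVFAIL (2) when signatures do not verify.
        return "reject: rcode %d" % rcode
    if not flags & AD:
        # Unsigned zone, non-validating resolver, or DNSSEC data stripped on the way.
        return "reject: AD bit missing"
    return "secure"

# Constructed reply headers (id, flags, qd, an, ns, ar); not captured traffic.
VALIDATED = struct.pack("!6H", 0x1234, 0x81A0, 1, 1, 0, 1)  # QR RD RA AD
STRIPPED = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)   # same answer, AD cleared
BOGUS = struct.pack("!6H", 0x1234, 0x8182, 1, 0, 0, 1)      # SERVFAIL from a validator

if __name__ == "__main__":
    print(build_query("example.com", 0x1234).hex())
    for label, pkt in (("validated", VALIDATED), ("stripped", STRIPPED), ("bogus", BOGUS)):
        print(label, "->", check_response(pkt, 0x1234))
```

The downgraded reply is indistinguishable from a reply for an unsigned zone, so a client that wants the guarantee has to fail closed on both.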

Now some random facts, thoughts, solutions around DNSSEC:

That's all folks, happy DNSSEC configuring ;-)

Note from David:
Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D