DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Related posts

1. Blackhat Hacker Tools
2. Hak5 Tools
3. Hack And Tools
4. Hacker Tools Github
5. Hacking Tools Name
6. Hacking Tools Github
7. Hacker Tools For Pc
8. Hacker Tools For Mac
9. Hacking Tools 2020
10. Pentest Tools For Android
11. Hacking Tools Windows
12. Computer Hacker
13. Hacker Tools 2020
14. Best Hacking Tools 2020
15. Pentest Tools Windows
16. Hacking Tools 2020
17. Pentest Tools Subdomain
18. Pentest Tools Linux
19. Hack Tools
20. Pentest Tools For Android
21. Top Pentest Tools
22. Hacker Tools Apk
23. Pentest Tools Website Vulnerability
24. Hacking Tools 2019
25. Hacking Tools Pc
26. Easy Hack Tools
27. Pentest Tools For Android
28. Hacking Tools 2019
29. Hack Tools 2019
30. Hack Tools 2019
31. Pentest Tools Open Source
32. Hacker Tools For Pc
33. Black Hat Hacker Tools
34. Hacking App
35. Hacking Tools Mac
36. Hacking Tools 2019
37. Hacking Tools For Pc
38. Pentest Tools Linux
39. Hackrf Tools
40. Hack Tools Download
41. Pentest Tools Linux
42. Pentest Tools Alternative
43. Hacking Tools Download
44. Hack Tools For Mac
45. Termux Hacking Tools 2019
46. Nsa Hack Tools Download
47. Hacker Tools
48. Hack Tools Pc
49. Pentest Tools Linux
50. Hacker
51. Physical Pentest Tools
52. Hack App
53. Hack Tools For Windows
54. Easy Hack Tools
55. Hacker Tools Online
56. Hak5 Tools
57. Hacks And Tools
58. Usb Pentest Tools
59. Hacking Tools For Windows
60. Nsa Hack Tools Download
61. Hack Tools
62. Pentest Tools List
63. Hack Tools For Ubuntu
64. Termux Hacking Tools 2019
65. Usb Pentest Tools
66. Hacker Tools For Windows
67. Wifi Hacker Tools For Windows
68. Pentest Tools Find Subdomains
69. Nsa Hacker Tools
70. Hacker Tools Software
71. Hack Tools Online
72. Hack Tools Github
73. What Are Hacking Tools
74. Hacker Tools Free
75. Pentest Tools Apk
76. Pentest Tools Subdomain
77. Hacking App
78. Bluetooth Hacking Tools Kali
79. Pentest Reporting Tools
80. Nsa Hack Tools Download
81. Hack App
82. Hacker Tools 2019
83. Hacking Tools
84. Wifi Hacker Tools For Windows
85. Pentest Tools Review
86. Pentest Tools Port Scanner
87. Hack Tool Apk
88. Hacker Tools Software
89. Hacker Security Tools
90. Hacking Tools For Mac
91. Pentest Automation Tools
92. Hacker Tools 2019
93. Hacking Tools Free Download
94. Hacking Tools 2019
95. Hacking Tools Windows 10
96. Hack Tools Download
97. Hacking Tools Usb
98. Top Pentest Tools
99. Pentest Tools Apk
100. How To Install Pentest Tools In Ubuntu
101. Hacking Tools For Kali Linux
102. Hack Tools Pc
103. Hacker Tools Free
104. Pentest Tools Bluekeep
105. Hacking Tools 2019
106. Hack Rom Tools
107. Hacking Tools Name
108. Pentest Box Tools Download
109. Hack Website Online Tool
110. Pentest Tools For Windows