DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Related links

1. Pentest Tools Online
2. Pentest Tools For Windows
3. Tools Used For Hacking
4. Hacker Tools Windows
5. Hacking Tools For Mac
6. Best Pentesting Tools 2018
7. Hacker Tools For Mac
8. Hacker Tools Github
9. Hack Rom Tools
10. Hack Rom Tools
11. Ethical Hacker Tools
12. Hacker Security Tools
13. Hacking Tools Windows 10
14. Hack Tool Apk
15. Underground Hacker Sites
16. Tools For Hacker
17. Hack Apps
18. Hacker Tools Hardware
19. Computer Hacker
20. Hacker
21. Pentest Reporting Tools
22. How To Make Hacking Tools
23. Hacker
24. Hacker Tools For Ios
25. Pentest Tools Url Fuzzer
26. Nsa Hacker Tools
27. Pentest Automation Tools
28. Hacker Tools 2020
29. Nsa Hack Tools Download
30. Hacking Tools Online
31. Hacker Tools
32. New Hacker Tools
33. Computer Hacker
34. Android Hack Tools Github
35. Hacker Tools Hardware
36. Pentest Tools Tcp Port Scanner
37. Hak5 Tools
38. How To Hack
39. Hacking Tools Mac
40. Hack Tools For Pc
41. Pentest Tools For Mac
42. Hacker Tools For Ios
43. Pentest Tools Github
44. Hacker Tools Software
45. Hack Tools
46. Hacker Tools Online
47. Hack Tools For Games
48. Hacking Tools For Mac
49. Pentest Tools For Mac
50. Ethical Hacker Tools
51. Pentest Tools Website Vulnerability
52. Hackers Toolbox
53. Hacking Tools For Pc
54. Hack Tools For Windows
55. Nsa Hack Tools Download
56. Tools Used For Hacking
57. Hacking Tools 2020
58. Hacker Techniques Tools And Incident Handling
59. Pentest Tools Windows
60. Hack Tools
61. Tools 4 Hack
62. Ethical Hacker Tools
63. Hacker Tools Mac
64. Nsa Hacker Tools
65. Hack Apps
66. Physical Pentest Tools
67. Usb Pentest Tools
68. Hack Tools For Games
69. Usb Pentest Tools