DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Related posts

1. Kik Hack Tools
2. Hack Tools Online
3. Pentest Tools
4. Hacking Tools For Kali Linux
5. Hack Tools Github
6. Best Hacking Tools 2019
7. Hacker Tools 2020
8. Hacking Tools Name
9. Hacking Tools Windows
10. Hacking Tools Pc
11. Hacking Apps
12. Pentest Tools List
13. Easy Hack Tools
14. Growth Hacker Tools
15. Github Hacking Tools
16. Hacker Hardware Tools
17. Hacking Tools Download
18. Hacker Tools Free
19. Hack Tools Mac
20. Hacks And Tools
21. Hacking Tools Mac
22. Hacking Tools Online
23. Pentest Tools Online
24. Best Hacking Tools 2019
25. Pentest Tools Website
26. Tools For Hacker
27. Hacking Tools For Mac
28. Hacker Tools Linux
29. Termux Hacking Tools 2019
30. Hacking Tools Windows 10
31. Pentest Automation Tools
32. Pentest Reporting Tools
33. Pentest Tools Kali Linux
34. Hack Tools For Games
35. Hack Tool Apk No Root
36. Best Hacking Tools 2019
37. Underground Hacker Sites
38. Hackers Toolbox
39. Hack Tools For Mac
40. Hacking Tools For Windows Free Download
41. Hacking Tools Free Download
42. What Are Hacking Tools
43. Pentest Tools Bluekeep
44. Hacking Tools Online
45. Hacking Tools Hardware
46. Kik Hack Tools
47. Hacker Tools Free Download
48. Hacking Tools Usb
49. Hacker Tools For Pc
50. Pentest Tools Apk
51. Kik Hack Tools
52. Beginner Hacker Tools
53. Hacker Tools Hardware
54. Hacking Tools Windows
55. Pentest Tools Review
56. Hackrf Tools
57. Pentest Tools Url Fuzzer
58. Hacker Tools For Pc
59. Hacking Tools Hardware
60. Hacking Tools Software
61. Nsa Hack Tools Download
62. Hacker Tools Github
63. Hacker Tools Windows
64. What Is Hacking Tools
65. Hacker Search Tools
66. Hacking Tools 2020
67. Pentest Tools Github
68. Pentest Tools For Android
69. Pentest Tools Windows
70. Hacker Hardware Tools
71. Pentest Tools Linux
72. Hack Tools Download
73. Install Pentest Tools Ubuntu
74. Best Hacking Tools 2019
75. Pentest Tools Online
76. Hack Tools Pc
77. Nsa Hacker Tools
78. Hack Apps
79. Computer Hacker
80. Hacking Tools For Pc
81. Game Hacking
82. What Is Hacking Tools
83. Hacker Tools Online
84. Hack Tool Apk No Root
85. Growth Hacker Tools
86. Github Hacking Tools
87. Hacking Tools
88. Hack Rom Tools
89. Hacker Tools For Mac
90. Hack Tools
91. How To Hack
92. Android Hack Tools Github
93. Hack Tools
94. Hacking Tools Software
95. Hacker Security Tools
96. Hacking Tools Download
97. Pentest Reporting Tools
98. Black Hat Hacker Tools
99. Hacking Tools
100. Pentest Tools Bluekeep
101. Hacker Tools For Mac
102. Hack Tools
103. Hacker Tools Mac
104. Hacker Tools For Mac
105. Bluetooth Hacking Tools Kali
106. Hacking Tools Github
107. Hacking Tools Windows
108. Hacker Tools Apk Download
109. Hacker Tools Software
110. Pentest Tools Website Vulnerability
111. Underground Hacker Sites
112. Hack Tools Online
113. Pentest Tools Github