DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Related links

1. Pentest Tools Framework
2. How To Hack
3. Wifi Hacker Tools For Windows
4. Black Hat Hacker Tools
5. Hack Tools Download
6. Pentest Tools For Mac
7. Hack Tools 2019
8. Pentest Tools For Android
9. Hacking Tools Name
10. Hack Tools Mac
11. Pentest Tools
12. Hack Tools Github
13. Hack Website Online Tool
14. What Are Hacking Tools
15. Hack Tools 2019
16. Hacking Tools
17. Hackrf Tools
18. Hacking Tools For Windows Free Download
19. Pentest Tools Review
20. Pentest Automation Tools
21. Hackers Toolbox
22. Hack Website Online Tool
23. Physical Pentest Tools
24. Hacking Tools Github
25. Hacker Tools Online
26. Kik Hack Tools
27. Computer Hacker
28. Hack Tools Online
29. Hack Tools Online
30. Hack Tools Pc
31. Hack Tools For Windows
32. Hack Tools For Games
33. Pentest Tools Bluekeep
34. Hacker
35. Hacks And Tools
36. Pentest Tools Alternative
37. Best Hacking Tools 2019
38. Best Hacking Tools 2019
39. Pentest Tools For Android
40. Pentest Tools Find Subdomains
41. Pentest Tools Website Vulnerability
42. Pentest Tools For Android
43. Tools 4 Hack
44. Hacker
45. Hacking Apps
46. Pentest Recon Tools
47. Pentest Tools Bluekeep
48. Hacker Tools
49. Android Hack Tools Github
50. Hacking Tools Windows
51. Hacker Search Tools
52. Hacking Tools For Windows
53. Underground Hacker Sites
54. Hacking Tools For Pc
55. Hack Tools
56. Hacker Tools Free Download
57. Pentest Tools Android
58. Pentest Tools Port Scanner
59. Hacking Tools Usb
60. Pentest Reporting Tools
61. Hacker Tools Linux
62. Pentest Tools Review
63. Pentest Reporting Tools
64. Hack App
65. Pentest Tools Framework
66. Kik Hack Tools
67. Hacking Tools Download
68. Pentest Tools Github
69. Hack Tools For Pc
70. Hak5 Tools
71. Hacking Tools Windows 10
72. Pentest Box Tools Download
73. Hack Tools Online
74. Pentest Tools Open Source
75. Install Pentest Tools Ubuntu
76. Pentest Tools Open Source
77. Pentest Tools Alternative
78. Pentest Tools Free
79. Hacking Tools Download
80. Pentest Tools For Mac
81. Pentest Tools Bluekeep
82. Pentest Tools Linux
83. Free Pentest Tools For Windows
84. Nsa Hack Tools
85. Pentest Box Tools Download
86. Hacking Apps
87. Hacking Apps
88. Pentest Tools Port Scanner
89. Wifi Hacker Tools For Windows
90. Hacking Apps
91. Computer Hacker
92. Hack Tool Apk No Root
93. Hack Tools Github
94. Hack Tools For Games
95. New Hack Tools
96. Hacking Tools Name
97. Hacker
98. What Is Hacking Tools
99. Hack Website Online Tool
100. Android Hack Tools Github
101. Wifi Hacker Tools For Windows
102. Hack Tools Mac
103. Pentest Box Tools Download
104. Hacking Tools Windows
105. Hackers Toolbox
106. Termux Hacking Tools 2019
107. Hackers Toolbox
108. Top Pentest Tools
109. Pentest Tools Github
110. Hacker Tool Kit
111. Hacker Tools Free Download
112. Hacker Tools Linux
113. Hack And Tools
114. Wifi Hacker Tools For Windows
115. Pentest Tools Android