DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Related links

• Hacker Tools Online
• Hack Tools For Games
• Hacking Tools Pc
• Pentest Tools Website
• Blackhat Hacker Tools
• Hack Tools
• Pentest Tools Website
• Pentest Tools For Android
• Hack Tools For Pc
• Beginner Hacker Tools
• Pentest Tools Kali Linux
• Beginner Hacker Tools
• Hacker Tools Windows
• Pentest Tools Free
• Pentest Tools Review
• Hacker Tools
• Usb Pentest Tools
• Hacker Tools 2019
• Tools Used For Hacking
• Hacker Tools Apk Download
• Tools For Hacker
• Hacking Tools Free Download
• Pentest Box Tools Download
• Hacking Tools For Windows
• Hacking Tools And Software
• Hack Tools 2019
• Wifi Hacker Tools For Windows
• Tools Used For Hacking
• Hacker Search Tools
• Hacking Tools Usb
• Pentest Tools Review
• How To Hack
• Hacker Tools 2019
• Pentest Tools Free
• Hack Tools For Mac
• Pentest Tools Github
• Hacker Tools Online
• New Hack Tools
• Install Pentest Tools Ubuntu
• Pentest Tools Bluekeep
• Hack Tools For Pc
• Tools Used For Hacking
• Hacking Tools Name
• Hacking Tools For Windows
• World No 1 Hacker Software
• Hacking Apps
• New Hacker Tools
• How To Install Pentest Tools In Ubuntu
• Hacking Tools Usb
• Hack Tools
• Underground Hacker Sites
• Pentest Tools Online
• Hak5 Tools
• Hacker Tools 2020
• Pentest Tools Kali Linux
• Hack Tool Apk
• Pentest Tools Nmap
• Pentest Tools Url Fuzzer
• Hack Tools For Ubuntu
• Hacking Tools For Pc
• Pentest Tools Android
• Pentest Tools For Windows
• Android Hack Tools Github
• Hack Tool Apk
• Pentest Tools Nmap
• Hack Tools Download
• How To Install Pentest Tools In Ubuntu
• Pentest Box Tools Download
• Pentest Tools Tcp Port Scanner
• Easy Hack Tools
• Pentest Tools Free
• Hacking Tools Github
• Hacker Tools Hardware
• Hack Tools For Games
• Wifi Hacker Tools For Windows
• Hacker Tools For Mac
• Hacker Techniques Tools And Incident Handling
• Hacker Tools Mac
• Hacker Tools For Windows
• Hacking Tools For Pc
• Hacking Tools 2020
• Hackrf Tools
• Computer Hacker
• Hack Tools For Mac
• Hacker Hardware Tools
• Hack Tools
• Hacker Techniques Tools And Incident Handling
• Pentest Tools Framework
• Hacker Tools Windows
• Hack And Tools
• Hacker Tools Free Download
• Hacker Tools For Pc
• Hacker Tools Online
• New Hack Tools
• Hacking Tools For Mac