DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Related news

1. Hacking Tools For Beginners
2. Hacker Tools For Ios
3. Hacking Tools For Beginners
4. Hacker Tools Software
5. Pentest Tools Download
6. Game Hacking
7. Hacker Tools Apk
8. Blackhat Hacker Tools
9. Best Pentesting Tools 2018
10. Pentest Tools Website Vulnerability
11. Hack And Tools
12. What Is Hacking Tools
13. Hacking Tools For Games
14. What Is Hacking Tools
15. Hacking Tools Download
16. Hacker Tools
17. Tools 4 Hack
18. Hacker Tools Apk Download
19. Hacking Tools For Mac
20. Hacking Tools For Beginners
21. Wifi Hacker Tools For Windows
22. Hacking Tools For Games
23. How To Install Pentest Tools In Ubuntu
24. Pentest Tools List
25. Hack Tools Online
26. Pentest Tools Windows
27. Wifi Hacker Tools For Windows
28. Pentest Box Tools Download
29. Pentest Tools Url Fuzzer
30. Pentest Tools Kali Linux
31. Tools For Hacker
32. Pentest Tools Github
33. Hack Tools For Games
34. Hacker Tools Free Download
35. Hacking Tools Github
36. Hack Tools For Mac
37. Hack Tools For Mac
38. Blackhat Hacker Tools
39. Nsa Hacker Tools
40. Hackers Toolbox
41. Free Pentest Tools For Windows
42. Tools For Hacker
43. Pentest Tools For Windows
44. Hacker Tool Kit
45. Hacking Tools Hardware
46. Hacker Tools Mac
47. Hacker Techniques Tools And Incident Handling
48. Easy Hack Tools
49. Hack Tools
50. Black Hat Hacker Tools
51. Pentest Tools Url Fuzzer
52. New Hacker Tools
53. Hak5 Tools
54. Pentest Tools Tcp Port Scanner
55. Pentest Tools Free
56. Hacker Tools 2020
57. Computer Hacker
58. Pentest Tools For Mac
59. Hacker Tools For Windows
60. Pentest Tools Review
61. Hacking Tools Online
62. Hacking Tools For Kali Linux
63. Easy Hack Tools
64. Hacking Tools For Kali Linux
65. Hacker Search Tools
66. Pentest Box Tools Download
67. Pentest Tools Review
68. Hacker Tools Apk Download
69. Hacker Hardware Tools
70. Hacker Tools Github
71. Hacker Tools
72. Hacking Tools
73. Pentest Tools Nmap
74. Growth Hacker Tools
75. Hacking Tools Name
76. Hacker Tools Github
77. Hack And Tools
78. Hacker Tools Software
79. Pentest Tools Review
80. Hacker Tools For Pc
81. Best Hacking Tools 2020
82. Hacking Tools For Windows 7
83. Hack And Tools
84. Hacker Techniques Tools And Incident Handling
85. Hacking Tools
86. Hack And Tools
87. Hacker Security Tools
88. Hacking Apps
89. Pentest Tools Tcp Port Scanner
90. Hacking Tools 2019
91. Pentest Reporting Tools
92. Pentest Automation Tools
93. Pentest Tools Subdomain
94. Hack Tools For Windows
95. Hack Tool Apk
96. Usb Pentest Tools
97. Hack Tools Mac
98. Pentest Tools Nmap
99. Pentest Tools Website
100. Beginner Hacker Tools
101. Hackrf Tools
102. Tools Used For Hacking
103. How To Install Pentest Tools In Ubuntu
104. Hacker
105. Hacker Tools
106. Hacker Tools 2019
107. What Is Hacking Tools
108. Best Hacking Tools 2019
109. Pentest Tools Apk
110. Install Pentest Tools Ubuntu
111. Termux Hacking Tools 2019
112. Tools Used For Hacking
113. Hacker Tools For Ios
114. Hacking Tools For Kali Linux
115. Hacking App
116. Termux Hacking Tools 2019
117. Hacking Tools For Kali Linux