DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

More information

1. Hack Apps
2. Hacker Tools For Mac
3. Pentest Tools Download
4. Nsa Hack Tools
5. World No 1 Hacker Software
6. Pentest Tools Tcp Port Scanner
7. Pentest Tools
8. Hacker Security Tools
9. Hackers Toolbox
10. Pentest Tools Port Scanner
11. Pentest Tools Open Source
12. Pentest Tools Linux
13. Pentest Tools Kali Linux
14. Github Hacking Tools
15. Hacker Hardware Tools
16. Pentest Automation Tools
17. Hacking Tools For Mac
18. Hack And Tools
19. Hacking Tools Online
20. Pentest Tools
21. Game Hacking
22. Pentest Box Tools Download
23. Hacking Tools
24. Tools 4 Hack
25. World No 1 Hacker Software
26. Hacking Tools Kit
27. Pentest Tools For Mac
28. Hacking Tools For Kali Linux
29. Hacking Tools Name
30. How To Make Hacking Tools
31. Pentest Tools Nmap
32. Nsa Hacker Tools
33. Hacker Tools Apk
34. Pentest Tools
35. Hacker Tools Online
36. Hacker Tools Linux
37. Hack Tools Download
38. Tools 4 Hack
39. Best Pentesting Tools 2018
40. Pentest Tools List
41. Tools 4 Hack
42. Pentest Tools For Windows
43. Hacking Tools For Windows 7
44. World No 1 Hacker Software
45. Pentest Tools Open Source
46. Install Pentest Tools Ubuntu
47. Underground Hacker Sites
48. Tools 4 Hack
49. Hacker Tools Apk Download
50. Pentest Tools Review
51. Hacking Tools For Beginners
52. Hacking Tools For Kali Linux
53. Hacking Tools Free Download
54. Best Pentesting Tools 2018
55. Github Hacking Tools
56. Hacker Tools Linux
57. Pentest Tools Download
58. Hacking Tools For Pc
59. Hacking Tools For Mac
60. Hacker Tools Mac
61. Hack Website Online Tool
62. Kik Hack Tools
63. Pentest Tools Online
64. Pentest Tools Download
65. Hacking Tools Name
66. Pentest Tools Subdomain
67. Hacking Tools Mac
68. Hacker Tools Mac
69. Pentest Tools Tcp Port Scanner
70. Pentest Tools Nmap
71. What Is Hacking Tools
72. Growth Hacker Tools
73. Hacker Tools List
74. Physical Pentest Tools
75. How To Hack
76. Blackhat Hacker Tools
77. Hack Tool Apk No Root
78. Hacking App
79. Hacker Tools 2019
80. Hacker Tools Windows
81. Pentest Tools Website Vulnerability
82. Pentest Tools For Windows
83. Github Hacking Tools
84. Tools For Hacker
85. Hack Tools Mac
86. Pentest Tools Open Source
87. Beginner Hacker Tools
88. Pentest Tools For Ubuntu
89. Top Pentest Tools
90. Hack Tools For Games
91. Hacking Tools Mac
92. Wifi Hacker Tools For Windows
93. Hacker Tools List
94. Pentest Tools For Windows
95. World No 1 Hacker Software
96. Hack Tools Mac
97. Pentest Tools Online
98. Best Pentesting Tools 2018
99. Pentest Tools Nmap
100. Hacker Tools Apk Download
101. Pentest Tools
102. Pentest Reporting Tools
103. Hack Tools Download
104. Hack Tools Github
105. Hak5 Tools
106. Pentest Tools Alternative
107. Termux Hacking Tools 2019
108. What Is Hacking Tools
109. Hackers Toolbox
110. Pentest Tools Linux
111. Hacking Tools Software
112. Install Pentest Tools Ubuntu
113. Hacker Hardware Tools
114. Hacking Tools Windows
115. Hacking Tools Name
116. Hacker Tools Software
117. Hacking Tools For Windows
118. Hacking Apps
119. Hacker Tools Mac