DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Related links

1. Hacker Tools
2. Hacker Tools For Mac
3. Hacking Tools Kit
4. Beginner Hacker Tools
5. Pentest Tools Review
6. Tools For Hacker
7. Hack Tool Apk
8. Pentest Tools Framework
9. Hack Tools
10. Beginner Hacker Tools
11. Pentest Tools Subdomain
12. Android Hack Tools Github
13. Hack Tools Online
14. Hacker Tools Linux
15. Hacking Apps
16. Hacker Hardware Tools
17. Pentest Tools Android
18. Pentest Box Tools Download
19. Pentest Tools Website Vulnerability
20. Hak5 Tools
21. Usb Pentest Tools
22. Best Pentesting Tools 2018
23. Bluetooth Hacking Tools Kali
24. Nsa Hack Tools
25. Hacking Tools For Mac
26. Hacker Techniques Tools And Incident Handling
27. Hacker Tools Mac
28. Hacking Tools Kit
29. Hackrf Tools
30. Pentest Tools Apk
31. Hacking Tools And Software
32. Nsa Hack Tools Download
33. Hacking Tools 2020
34. Hacker Tools Linux
35. Growth Hacker Tools
36. Pentest Tools For Windows
37. Pentest Tools Tcp Port Scanner
38. Pentest Tools For Windows
39. Top Pentest Tools
40. Hacking Tools Kit
41. Hacking Tools For Beginners
42. Hacking Tools
43. Hacking Tools Windows 10
44. Hak5 Tools
45. Hacking Tools Windows
46. Hacking Tools Online
47. Hacking Tools For Mac
48. Tools For Hacker
49. Pentest Tools Linux
50. Bluetooth Hacking Tools Kali
51. Pentest Recon Tools
52. Hack Tools For Windows
53. Hacker Tools Hardware
54. Hack Tools Download
55. Pentest Tools Url Fuzzer
56. Pentest Box Tools Download
57. Pentest Tools Github
58. Hacker Tools Github
59. Hacker Tools 2019
60. Android Hack Tools Github
61. Ethical Hacker Tools
62. Install Pentest Tools Ubuntu
63. Hacking Tools Usb
64. Pentest Tools For Windows
65. Pentest Tools Linux
66. Hacker Security Tools
67. Hacking Tools For Kali Linux
68. Pentest Tools Linux
69. Hacking Tools For Kali Linux
70. Hackers Toolbox
71. Pentest Tools Apk
72. Hacker Security Tools
73. Hacking Tools Free Download
74. Hacking Tools Name
75. Tools For Hacker
76. Kik Hack Tools
77. Hacker Search Tools
78. Hacker Tools For Pc
79. Hacking Tools For Windows Free Download
80. Hacker Tools Online
81. How To Hack
82. Nsa Hack Tools
83. Tools 4 Hack
84. Computer Hacker
85. Pentest Tools Website Vulnerability
86. Free Pentest Tools For Windows
87. Hacking Tools Kit
88. Pentest Tools Free
89. New Hack Tools
90. Hack Tools For Windows
91. Pentest Tools Apk
92. Hacker Tools For Mac
93. Hacker Security Tools
94. Hacker Tools Apk