DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

More articles

1. Pentest Reporting Tools
2. Hacking Tools
3. Pentest Tools Online
4. Pentest Tools Bluekeep
5. Pentest Reporting Tools
6. Hack Tools For Windows
7. Hacker Techniques Tools And Incident Handling
8. Computer Hacker
9. Hacker Tools For Mac
10. Tools Used For Hacking
11. New Hacker Tools
12. Hack Tools For Ubuntu
13. Pentest Tools
14. Hack Tool Apk
15. Pentest Tools For Windows
16. Ethical Hacker Tools
17. Hacker Tools For Windows
18. Hack App
19. Hack Tools
20. Hack Tool Apk No Root
21. Pentest Tools Online
22. Pentest Tools Open Source
23. Hacking Tools Hardware
24. How To Make Hacking Tools
25. Hacking Tools For Pc
26. Hack Tools
27. Hack Tools 2019
28. Pentest Tools Find Subdomains
29. Nsa Hack Tools
30. Hackrf Tools
31. Hacking Tools For Games
32. Pentest Tools
33. Pentest Reporting Tools
34. Blackhat Hacker Tools
35. Hacking Tools 2019
36. Hack App
37. Hacker Search Tools
38. What Are Hacking Tools
39. Hacking Tools And Software
40. Bluetooth Hacking Tools Kali
41. Pentest Tools Android
42. Hacker
43. Hacking Tools
44. Nsa Hack Tools
45. Pentest Tools Port Scanner
46. Hacking Tools
47. Hacker Techniques Tools And Incident Handling
48. Hacker Tools Apk
49. Hacker Tools Software
50. Hacking Apps
51. Hacking App
52. Tools For Hacker
53. Hacker
54. Hack Tools For Windows
55. Hak5 Tools
56. World No 1 Hacker Software
57. Pentest Tools For Android
58. Hacking Apps
59. Hacking Tools For Beginners
60. Hack Tools Pc
61. Pentest Tools Framework
62. Hacking Tools 2019
63. Pentest Tools Website
64. Hack Tools Mac
65. Hacker Search Tools
66. Nsa Hacker Tools
67. Pentest Tools Url Fuzzer
68. Hacker Tools 2020
69. Pentest Tools Framework
70. Game Hacking
71. Pentest Tools Online
72. Hacking Tools Free Download
73. Pentest Tools For Mac
74. Hack Tool Apk
75. Hacking Tools For Games
76. Pentest Tools Kali Linux
77. Hack Tools
78. Hacker Tool Kit
79. Hacker Tools Linux
80. Hacking Tools For Pc
81. Bluetooth Hacking Tools Kali
82. Hacking Tools For Windows
83. Pentest Tools Kali Linux
84. Hacking Tools For Pc
85. Hack Apps
86. Hacking Tools For Games
87. Hacking Tools Pc
88. Pentest Tools Online
89. Pentest Tools List
90. Termux Hacking Tools 2019
91. Hack Tools For Games
92. Hacker Tools Windows
93. Pentest Tools Review
94. Hacker Tools Hardware
95. Hack Tools For Games
96. Hack Tools For Games
97. Hacking Tools Mac
98. Hacker Tools
99. Hacker Tools Apk Download
100. Hacking Tools Windows
101. Pentest Recon Tools
102. Hackrf Tools
103. New Hacker Tools
104. Hacking Tools 2019
105. Easy Hack Tools
106. Pentest Tools Open Source
107. Hacking Tools For Mac
108. Wifi Hacker Tools For Windows