In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?
The following list are the attack types from the first post, where DNSSEC can protect the users:
- DNS cache poisoning the DNS server, "Da Old way"
- DNS cache poisoning, "Da Kaminsky way"
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
The following list are the attack types from the first post, where DNSSEC cannot protect the users:
- Rogue DNS server set via malware
- Having access to the DNS admin panel and rewriting the IP
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.
Now, how can I protect against all of these attacks? Answer is "simple":
- Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
- Don't let malware run on your system! ;-)
- Use at least two-factor authentication for admin access of your DNS admin panel.
- Use a registry lock (details in part 1).
- Use a DNSSEC aware OS.
- Use DNSSEC protected websites.
- There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.
Now some random facts, thoughts, solutions around DNSSEC:
- Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
- Did you know DNSSEC was first deployed at the root level on July 15, 2010?
- Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
- Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
- Did you know that you can also use and test that cool DNSSEC validator?
- Did you know that there are alternative solutions like DNSCrypt?
- Did you know that in the future you might be able to enforce HSTS via DNSSEC?
- Did you know that in the future you might be able to use certificate pinning via DNSSEC?
Note from David:
Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D
Read more
- Pentest Tools Url Fuzzer
- Hacker Security Tools
- Hacking Tools Name
- Pentest Tools Bluekeep
- Hack Tools For Windows
- How To Make Hacking Tools
- Hacking Tools Usb
- Hacking Tools Pc
- Hack And Tools
- New Hack Tools
- Pentest Tools Review
- Pentest Tools Linux
- Hacking App
- Hacking Tools For Beginners
- Hacking Tools Hardware
- Ethical Hacker Tools
- Pentest Tools Framework
- Hack Apps
- Beginner Hacker Tools
- Hacking Tools For Mac
- Hacking Tools
- Pentest Tools
- Pentest Tools For Ubuntu
- Hacker Security Tools
- What Are Hacking Tools
- Pentest Tools Nmap
- Hacking Tools Usb
- Pentest Tools For Android
- Pentest Tools Apk
- Hacking Tools For Pc
- Easy Hack Tools
- Hackers Toolbox
- Hacker Tools For Pc
- Hacker Search Tools
- Hacker Tools
- Pentest Tools Bluekeep
- Termux Hacking Tools 2019
- Hacking Tools Hardware
- Github Hacking Tools
- Pentest Tools Download
- Hacking Tools Pc
- Hacker Tools Online
- Hacking Tools For Windows 7
- What Is Hacking Tools
- Hack Tools
- Tools 4 Hack
- Blackhat Hacker Tools
- Beginner Hacker Tools
- Nsa Hack Tools
- Hacker Tools Free Download
- Hack Apps
- Hacking Tools For Windows
- Hacking Tools For Windows 7
- Hacker Tools Apk Download
- Hack Tools For Pc
- Hack Website Online Tool
- Hack Tools
- Hack App
- Tools Used For Hacking
- What Are Hacking Tools
- Game Hacking
- Hack Tools For Ubuntu
- Hacking Tools 2020
- Hacker Tools 2019
- Hacker Tools Windows
- Hacking Tools 2019
- Hacking Tools Kit
- Hack Tool Apk
- Usb Pentest Tools
- Hacking Tools 2020
- New Hack Tools
- Hack Rom Tools
- Pentest Tools Kali Linux
- World No 1 Hacker Software
- Hacks And Tools
- Android Hack Tools Github
- Top Pentest Tools
- Hacking Tools
- Hacking Tools Download
- How To Install Pentest Tools In Ubuntu
- Hack Tools
- Hacking Tools Windows
- Hacks And Tools
- Pentest Tools Review
- Pentest Tools Tcp Port Scanner
- Tools 4 Hack
- Hack Tool Apk
- Hack Tools For Mac
- Hacking Tools For Mac
- Hacker Tools Free Download
- How To Make Hacking Tools
- Pentest Tools Review
- Ethical Hacker Tools
- Install Pentest Tools Ubuntu
- New Hacker Tools
- Pentest Tools For Android
- Hacking Tools Kit
- Pentest Tools Bluekeep
- Black Hat Hacker Tools
- Hacking Tools Name
- Best Hacking Tools 2019
- Hack Tools
- Hacking Tools For Beginners
- Hacking Tools For Mac
- Hack Tools 2019
- Pentest Automation Tools
- Pentest Tools Tcp Port Scanner
- Pentest Tools Website
- Ethical Hacker Tools
