DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

• DNS cache poisoning the DNS server, "Da Old way"
• DNS cache poisoning, "Da Kaminsky way"
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

• Rogue DNS server set via malware
• Having access to the DNS admin panel and rewriting the IP
• ISP hijack, for advertisement or spying purposes
• Captive portals
• Pentester hijacks DNS to test application via active man-in-the-middle
• Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":

1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
2. Don't let malware run on your system! ;-)
3. Use at least two-factor authentication for admin access of your DNS admin panel.
4. Use a registry lock (details in part 1).
5. Use a DNSSEC aware OS.
6. Use DNSSEC protected websites.
7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

• Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
• Did you know DNSSEC was first deployed at the root level on July 15, 2010?
• Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
• Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
• Did you know that you can also use and test that cool DNSSEC validator?
• Did you know that there are alternative solutions like DNSCrypt?
• Did you know that in the future you might be able to enforce HSTS via DNSSEC?
• Did you know that in the future you might be able to use certificate pinning via DNSSEC?

That's all folks, happy DNSSEC configuring ;-)

Note from David:

Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

More info

1. Hacker Tools Apk Download
2. Pentest Tools
3. Hacking Tools Online
4. Hacking Tools Hardware
5. Hacker Tools For Windows
6. Pentest Tools Nmap
7. Pentest Tools Windows
8. Hack And Tools
9. Hacking Tools For Games
10. Usb Pentest Tools
11. Pentest Tools Open Source
12. Pentest Tools For Ubuntu
13. Hack Tools For Mac
14. Bluetooth Hacking Tools Kali
15. Hacking Tools Kit
16. Hack App
17. Beginner Hacker Tools
18. Hacker Hardware Tools
19. Top Pentest Tools
20. Pentest Tools Bluekeep
21. Pentest Tools Port Scanner
22. Pentest Tools Apk
23. Hacking Tools For Kali Linux
24. Hacker Tools For Pc
25. Physical Pentest Tools
26. Blackhat Hacker Tools
27. How To Hack
28. Hacker Security Tools
29. Best Pentesting Tools 2018
30. Hacking Tools Mac
31. What Is Hacking Tools
32. Hack Tools Download
33. Best Pentesting Tools 2018
34. Hack Tools For Mac
35. Pentest Tools Linux
36. Tools 4 Hack
37. Pentest Automation Tools
38. How To Make Hacking Tools
39. Hackers Toolbox
40. Pentest Tools For Android
41. Computer Hacker
42. Hacking Tools 2019
43. Hack Tools
44. How To Hack
45. Hacking Tools Hardware
46. Hacker Tools 2019
47. Usb Pentest Tools
48. Hacking Tools For Beginners
49. Hack Tools For Games
50. Pentest Tools List
51. Pentest Recon Tools
52. Install Pentest Tools Ubuntu
53. Bluetooth Hacking Tools Kali
54. Hacker Tools Software
55. Hacking Tools Pc
56. Hacking Tools Online
57. Hack Tools For Games
58. Nsa Hacker Tools
59. Pentest Tools Port Scanner
60. Hack Tool Apk
61. Hack Tools For Pc
62. Hacking Tools Kit
63. Tools 4 Hack
64. Hack Rom Tools
65. Hacking Tools
66. Pentest Tools List
67. Hacking Tools Usb
68. Hacks And Tools
69. Install Pentest Tools Ubuntu
70. What Is Hacking Tools
71. Tools 4 Hack
72. Pentest Tools Apk
73. Growth Hacker Tools
74. Hack Tools For Ubuntu
75. How To Hack
76. Nsa Hack Tools Download
77. Hack Tools For Ubuntu
78. Hacker Tools Mac
79. Hack Tools For Ubuntu
80. Pentest Tools Linux
81. Pentest Recon Tools
82. Growth Hacker Tools
83. Hack Tool Apk No Root
84. Beginner Hacker Tools
85. Hacker Tools Online
86. Hacking Tools For Pc
87. Hackrf Tools
88. Pentest Tools Apk
89. Pentest Tools Nmap
90. Hacking Tools Windows
91. How To Install Pentest Tools In Ubuntu
92. Hacking Tools For Kali Linux
93. Hack Apps
94. Pentest Tools List
95. Hacking Tools Usb
96. How To Install Pentest Tools In Ubuntu
97. Hacks And Tools
98. Hack And Tools