Thursday, May 25, 2023

DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I showed the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect users against all of the attacks? Or just some of them? What about corner cases?

The following are the attack types from the first post where DNSSEC can protect the users:

  • DNS cache poisoning the DNS server, "Da Old way"
  • DNS cache poisoning, "Da Kaminsky way"
  • ISP hijack, for advertisement or spying purposes
  • Captive portals
  • Pentester hijacks DNS to test application via active man-in-the-middle
  • Malicious attacker hijacks DNS via active MITM

The following are the attack types from the first post where DNSSEC cannot protect the users:

  • Rogue DNS server set via malware
  • Having access to the DNS admin panel and rewriting the IP
  • ISP hijack, for advertisement or spying purposes
  • Captive portals
  • Pentester hijacks DNS to test application via active man-in-the-middle
  • Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non-DNSSEC-aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? The answer is "simple":
  1. Configure your own DNSSEC-aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
  2. Don't let malware run on your system! ;-)
  3. Use at least two-factor authentication for admin access to your DNS admin panel.
  4. Use a registry lock (details in part 1).
  5. Use a DNSSEC-aware OS.
  6. Use DNSSEC-protected websites.
  7. There is a need for an API or something similar, where the client can enforce DNSSEC-protected answers. If the answer is not protected with DNSSEC, the connection cannot be established.
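
One way a client could fail closed as item 7 asks, combined with the localhost resolver from item 1 (an added example, not code from the original post): it sets the DO bit in its query and refuses any answer whose AD flag is clear or that did not come from a loopback resolver. The names `enforce_dnssec`, `UnvalidatedAnswer` and `sample_response` are hypothetical, and the sample responses are constructed headers.

```python
import ipaddress
import struct

AD = 0x0020  # "Authenticated Data" bit in the DNS header flags
DO = 0x8000  # "DNSSEC OK" bit in the EDNS0 OPT record's TTL field

class UnvalidatedAnswer(Exception):
    """The answer must not be used to open a connection."""

def build_query(name, qtype=1, txid=0x1234):
    """Query with RD and AD set, plus an EDNS0 OPT record carrying DO."""
    header = struct.pack("!HHHHHH", txid, 0x0100 | AD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    # OPT RR: root name, type 41, class = UDP payload size, TTL = flags, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def enforce_dnssec(response, resolver_ip, txid=0x1234):
    """Return the answer count, or raise if the answer was not validated."""
    if not ipaddress.ip_address(resolver_ip).is_loopback:
        # The AD bit itself is unsigned: from a remote resolver, an on-path
        # attacker can set or clear it. Only a localhost validator is trusted.
        raise UnvalidatedAnswer("resolver is not on localhost")
    if len(response) < 12:
        raise UnvalidatedAnswer("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:
        raise UnvalidatedAnswer("not a response to our query")
    if flags & 0x000F:
        raise UnvalidatedAnswer(f"rcode {flags & 0x000F}")
    if not flags & AD:
        # Downgrade case: a reply with the DNSSEC information stripped.
        raise UnvalidatedAnswer("AD bit clear, answer not DNSSEC-validated")
    return ancount

def sample_response(ad, rcode=0, txid=0x1234):
    """Constructed 12-byte response header (body omitted) for the demo."""
    flags = 0x8180 | (AD if ad else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 0, 1, 0, 0)

if __name__ == "__main__":
    print(enforce_dnssec(sample_response(ad=True), "127.0.0.1"))
    for resp, ip in [(sample_response(ad=False), "127.0.0.1"),
                     (sample_response(ad=True), "192.0.2.53")]:
        try:
            enforce_dnssec(resp, ip)
        except UnvalidatedAnswer as exc:
            print("refused:", exc)
```
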

Now some random facts, thoughts, solutions around DNSSEC:

That's all folks, happy DNSSEC configuring ;-)

Note from David:
Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D
