In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?
The following list are the attack types from the first post, where DNSSEC can protect the users:
- DNS cache poisoning the DNS server, "Da Old way"
- DNS cache poisoning, "Da Kaminsky way"
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
The following list are the attack types from the first post, where DNSSEC cannot protect the users:
- Rogue DNS server set via malware
- Having access to the DNS admin panel and rewriting the IP
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.
Now, how can I protect against all of these attacks? Answer is "simple":
- Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
- Don't let malware run on your system! ;-)
- Use at least two-factor authentication for admin access of your DNS admin panel.
- Use a registry lock (details in part 1).
- Use a DNSSEC aware OS.
- Use DNSSEC protected websites.
- There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.
Now some random facts, thoughts, solutions around DNSSEC:
- Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
- Did you know DNSSEC was first deployed at the root level on July 15, 2010?
- Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
- Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
- Did you know that you can also use and test that cool DNSSEC validator?
- Did you know that there are alternative solutions like DNSCrypt?
- Did you know that in the future you might be able to enforce HSTS via DNSSEC?
- Did you know that in the future you might be able to use certificate pinning via DNSSEC?
Note from David:
Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D
Related word- Black Hat Hacker Tools
- Nsa Hack Tools Download
- Hacking Tools Online
- Pentest Tools Website Vulnerability
- Hacking Tools Name
- Hacking Tools Free Download
- Hacking Tools For Mac
- Android Hack Tools Github
- Free Pentest Tools For Windows
- Hacker Tools For Windows
- Hacking Tools Name
- Hacker Tools Free
- New Hacker Tools
- Pentest Tools For Ubuntu
- Hack Website Online Tool
- Wifi Hacker Tools For Windows
- Hack Tools For Windows
- Hacker Tools Online
- Hak5 Tools
- Hacking Tools And Software
- Bluetooth Hacking Tools Kali
- Hack Website Online Tool
- Tools 4 Hack
- Pentest Tools Linux
- Pentest Tools For Android
- Github Hacking Tools
- Hack And Tools
- Hack Tools
- Hack Tools Online
- Hacker Tools Github
- Tools For Hacker
- Hacker Tools 2019
- Hack And Tools
- Hacker Security Tools
- Hack Tools For Mac
- Hacking Apps
- New Hacker Tools
- Hacking Tools Github
- Blackhat Hacker Tools
- Hack Website Online Tool
- Hack Tools For Mac
- Pentest Tools Find Subdomains
- Hack Tools 2019
- Hacking Tools For Windows Free Download
- Pentest Tools Alternative
- Install Pentest Tools Ubuntu
- Hack Tools For Ubuntu
- Beginner Hacker Tools
- Hacker Tools Online
- Pentest Tools Framework
- Hacking Tools Hardware
- What Is Hacking Tools
- Hacker Tools Software
- How To Make Hacking Tools
- Wifi Hacker Tools For Windows
- Pentest Tools For Mac
- Hacker Techniques Tools And Incident Handling
- Usb Pentest Tools
- Hacker Tools For Ios
- Hacker Security Tools
- Pentest Tools Tcp Port Scanner
- Pentest Tools Free
- Hacker Tools Linux
- Hacking Tools Download
- Pentest Tools Online
- Pentest Tools Online
- Hack Tools For Games
- Hacking Tools Name
- Kik Hack Tools
- Pentest Tools Github
- Hacking Tools For Windows
- Hacker Tools Windows
- Hack Tools 2019
- What Are Hacking Tools
- Hacker Hardware Tools
- Pentest Tools Find Subdomains
- Hacker Tools Linux
- New Hacker Tools
- Hack Tools For Ubuntu
- Tools For Hacker
- Beginner Hacker Tools
- Pentest Tools Github
- Hacking Tools Windows 10
- Hacker Security Tools
- What Is Hacking Tools
- Android Hack Tools Github
- Pentest Tools Url Fuzzer
- Nsa Hacker Tools
- Pentest Tools Find Subdomains
- Hacker Tools Apk Download
- Pentest Automation Tools
- Install Pentest Tools Ubuntu
- Pentest Tools Github
- Pentest Tools For Mac
- Pentest Tools Download
- Underground Hacker Sites
- Best Hacking Tools 2020
- Hacking Tools For Games
- Hacker Tools Software
- Hacker Hardware Tools
- Hacker Tools Github
- Hacker Tools Free
- Hack Tools Online
- Pentest Tools
- Pentest Box Tools Download
- Hackrf Tools
- Hacker Tools For Pc
- Hacker
- Pentest Tools List
- Pentest Tools Windows
- World No 1 Hacker Software
- Hacking Tools 2019
- Hack Tools
- Hacker Techniques Tools And Incident Handling
- Hacking Tools Windows 10
- Hacker Tools 2019
- Hack Tool Apk
- Hack Tool Apk
- New Hack Tools
- Hacking Tools Mac
- Hacker Tools Online
- Hack Tool Apk No Root
- Pentest Automation Tools
- Hacker Techniques Tools And Incident Handling
- Pentest Tools Github
- Pentest Tools Tcp Port Scanner
- Pentest Tools Review
- Pentest Tools Nmap
- Hackrf Tools
- Pentest Tools Website
- Pentest Tools Framework
- Game Hacking