In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?
The following list are the attack types from the first post, where DNSSEC can protect the users:
- DNS cache poisoning the DNS server, "Da Old way"
- DNS cache poisoning, "Da Kaminsky way"
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
The following list are the attack types from the first post, where DNSSEC cannot protect the users:
- Rogue DNS server set via malware
- Having access to the DNS admin panel and rewriting the IP
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.
Now, how can I protect against all of these attacks? Answer is "simple":
- Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
- Don't let malware run on your system! ;-)
- Use at least two-factor authentication for admin access of your DNS admin panel.
- Use a registry lock (details in part 1).
- Use a DNSSEC aware OS.
- Use DNSSEC protected websites.
- There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.
Now some random facts, thoughts, solutions around DNSSEC:
- Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
- Did you know DNSSEC was first deployed at the root level on July 15, 2010?
- Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
- Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
- Did you know that you can also use and test that cool DNSSEC validator?
- Did you know that there are alternative solutions like DNSCrypt?
- Did you know that in the future you might be able to enforce HSTS via DNSSEC?
- Did you know that in the future you might be able to use certificate pinning via DNSSEC?
Note from David:
Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D
Related articles
- Pentest Tools Review
- Pentest Tools Alternative
- Hacker Tools For Ios
- Hack Website Online Tool
- World No 1 Hacker Software
- Hacking Tools Kit
- Pentest Tools Framework
- Hacker Tools For Mac
- Hack And Tools
- Hacking Tools Usb
- Hacker Tools Hardware
- Free Pentest Tools For Windows
- Underground Hacker Sites
- Pentest Tools Windows
- Hacking Tools Github
- Hack Tool Apk No Root
- World No 1 Hacker Software
- Hacker
- Hackers Toolbox
- Pentest Recon Tools
- Hacking Tools Hardware
- Termux Hacking Tools 2019
- Pentest Tools Apk
- Tools For Hacker
- Pentest Tools Subdomain
- Hack Tools
- Nsa Hack Tools Download
- Hackers Toolbox
- Pentest Recon Tools
- Hacking Tools Windows
- Pentest Tools For Ubuntu
- Android Hack Tools Github
- World No 1 Hacker Software
- Pentest Tools Find Subdomains
- Hacker Tools
- Pentest Tools Find Subdomains
- Hacker Tool Kit
- Hacker Tools Apk
- Android Hack Tools Github
- Hacker Tools Apk Download
- Nsa Hack Tools
- Computer Hacker
- Pentest Tools Port Scanner
- Hack Tools Pc
- Hacking Tools For Games
- Best Hacking Tools 2020
- Pentest Tools Website
- Hacking Tools Hardware
- Pentest Tools Github
- Computer Hacker
- Pentest Tools Android
- Hacking Tools Windows 10
- Hacking Tools Name
- Hack Tool Apk No Root
- Hacking Tools Free Download
- Hacking Tools Kit
- Hacker Tools Software
- Usb Pentest Tools
- New Hack Tools
- Hacker Tools Apk
- Hacking Tools
- Hacking Tools For Games
- Hacker Tools Apk Download
- Hacker Tools Online
- Hacker Tool Kit
- Wifi Hacker Tools For Windows
- Pentest Tools Github
- Nsa Hacker Tools
- Hack Tool Apk No Root
- Hacking Tools Github
- Hack Tool Apk No Root
- Hacking Tools For Windows
- Hacking App
- Hack Tools For Windows
- How To Make Hacking Tools
- Top Pentest Tools
- Hacking Tools For Games
- Nsa Hack Tools Download
- Hacking Apps
- Hacker Tools Linux
- Hacker Tools Linux
- Pentest Tools Tcp Port Scanner
- Kik Hack Tools
- Hacker Tools Online
- Best Pentesting Tools 2018
- Hacker Techniques Tools And Incident Handling
- Best Hacking Tools 2019
- Pentest Tools Open Source
- Hacking Tools Download
- Pentest Automation Tools
- Hacker Tools 2020
- Pentest Tools Subdomain
- Hacking Tools Free Download
- Android Hack Tools Github
- Hack Tools Github
- Underground Hacker Sites
- Hacker Tools Apk
- Pentest Reporting Tools
- Kik Hack Tools
- Hacker Tools
- Hack Tools
- Hacking Tools Hardware
- Hacker Tools Apk
- Pentest Box Tools Download
- Hacking Tools Windows 10
- Hack Tools For Mac
- Hacker Tools 2020
- Hacking Tools 2019
- Pentest Tools Windows
- Pentest Tools Website Vulnerability
- Hacking Tools Kit
- Pentest Tools For Android
- Best Hacking Tools 2020
- Pentest Tools Android
- Hacking Tools Mac
- Hacking Tools Download
- Pentest Tools Kali Linux
- Hacking Tools Name
- Pentest Tools Apk
- Hacker Tools Apk Download
0 comments:
Post a Comment