Friday, 26 January 2024

DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

  • DNS cache poisoning the DNS server, "Da Old way"
  • DNS cache poisoning, "Da Kaminsky way"
  • ISP hijack, for advertisement or spying purposes
  • Captive portals
  • Pentester hijacks DNS to test application via active man-in-the-middle
  • Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

  • Rogue DNS server set via malware
  • Having access to the DNS admin panel and rewriting the IP
  • ISP hijack, for advertisement or spying purposes
  • Captive portals
  • Pentester hijacks DNS to test application via active man-in-the-middle
  • Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":
  1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
  2. Don't let malware run on your system! ;-)
  3. Use at least two-factor authentication for admin access of your DNS admin panel.
  4. Use a registry lock (details in part 1).
  5. Use a DNSSEC aware OS.
  6. Use DNSSEC protected websites.
  7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

That's all folks, happy DNSSEC configuring ;-)

Note from David:
Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

More info


  1. Android Hack Tools Github
  2. Blackhat Hacker Tools
  3. Hacking App
  4. Pentest Tools Nmap
  5. Pentest Tools List
  6. Black Hat Hacker Tools
  7. Hacker Tools Online
  8. Hacks And Tools
  9. Hacker Tools Apk
  10. Termux Hacking Tools 2019
  11. Underground Hacker Sites
  12. Hack Tools Pc
  13. Pentest Tools Download
  14. Hacker Tools For Pc
  15. Pentest Tools Framework
  16. Hacking Tools For Windows
  17. Pentest Tools For Windows
  18. Pentest Tools Find Subdomains
  19. Best Hacking Tools 2020
  20. Hacking Tools Name
  21. Hacking Tools For Kali Linux
  22. What Are Hacking Tools
  23. Hacking Tools Hardware
  24. Tools Used For Hacking
  25. Hacking Apps
  26. Hacker
  27. Pentest Tools Port Scanner
  28. Hack And Tools
  29. Hacking Apps
  30. Pentest Tools Free
  31. Hacking Tools Software
  32. What Are Hacking Tools
  33. Wifi Hacker Tools For Windows
  34. Hacking Tools Usb
  35. Hacker Tools Github
  36. Hacker Tools Linux
  37. Hacking Tools For Games
  38. Pentest Tools For Mac
  39. Pentest Tools List
  40. Hacking App
  41. Hacker Tool Kit
  42. Hacking Tools For Windows 7
  43. How To Hack
  44. Hacking Tools
  45. Pentest Tools Bluekeep
  46. Ethical Hacker Tools
  47. What Is Hacking Tools
  48. Usb Pentest Tools
  49. Pentest Tools Kali Linux
  50. Hack And Tools
  51. Hack Tools
  52. Usb Pentest Tools
  53. Pentest Tools Website
  54. Pentest Tools Subdomain
  55. Hacking App
  56. Pentest Tools Download
  57. Pentest Tools Tcp Port Scanner
  58. Hacker Tools Online
  59. Hacker Hardware Tools
  60. How To Install Pentest Tools In Ubuntu
  61. Pentest Tools For Ubuntu
  62. Physical Pentest Tools
  63. Hacks And Tools
  64. Hacking Tools Name
  65. World No 1 Hacker Software
  66. Github Hacking Tools
  67. Hacker
  68. Hacking Tools For Mac

No comments:

Post a Comment