Thursday, January 25, 2024

DNSSEC, From An End-User Perspective, Part 3

In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?

The following list are the attack types from the first post, where DNSSEC can protect the users:

  • DNS cache poisoning the DNS server, "Da Old way"
  • DNS cache poisoning, "Da Kaminsky way"
  • ISP hijack, for advertisement or spying purposes
  • Captive portals
  • Pentester hijacks DNS to test application via active man-in-the-middle
  • Malicious attacker hijacks DNS via active MITM

The following list are the attack types from the first post, where DNSSEC cannot protect the users:

  • Rogue DNS server set via malware
  • Having access to the DNS admin panel and rewriting the IP
  • ISP hijack, for advertisement or spying purposes
  • Captive portals
  • Pentester hijacks DNS to test application via active man-in-the-middle
  • Malicious attacker hijacks DNS via active MITM

If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.

Now, how can I protect against all of these attacks? Answer is "simple":
  1. Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
  2. Don't let malware run on your system! ;-)
  3. Use at least two-factor authentication for admin access of your DNS admin panel.
  4. Use a registry lock (details in part 1).
  5. Use a DNSSEC aware OS.
  6. Use DNSSEC protected websites.
  7. There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.

Now some random facts, thoughts, solutions around DNSSEC:

That's all folks, happy DNSSEC configuring ;-)

Note from David:
Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D

Related word


  1. Pentest Tools List
  2. Best Pentesting Tools 2018
  3. Hacker Tools Mac
  4. Hacks And Tools
  5. Pentest Tools Review
  6. Hack Apps
  7. Pentest Tools Apk
  8. Hack Tools Mac
  9. Nsa Hack Tools Download
  10. Hacker Tools
  11. Pentest Tools Alternative
  12. Hack Rom Tools
  13. Hacking Tools For Pc
  14. Pentest Tools List
  15. Hacker Tools Hardware
  16. Hack Tool Apk
  17. Hack Tool Apk No Root
  18. Hacker Tools Apk
  19. Pentest Tools Open Source
  20. How To Hack
  21. Hacker Tools Online
  22. Hack Website Online Tool
  23. Pentest Automation Tools
  24. Hacking Tools For Windows
  25. Tools For Hacker
  26. Pentest Tools For Mac
  27. Pentest Tools Bluekeep
  28. Hack Tools For Ubuntu
  29. Hacker Tools Free
  30. Game Hacking
  31. Hacking Tools For Mac
  32. Hackrf Tools
  33. Tools Used For Hacking
  34. Hacker Tools
  35. Hacker Tools Online
  36. Hack Tools For Games
  37. Usb Pentest Tools
  38. Hacking Tools For Windows 7
  39. Hacker Tools
  40. Hacking Tools Windows
  41. Wifi Hacker Tools For Windows
  42. Free Pentest Tools For Windows
  43. Hacker Tools Hardware
  44. Hacking Tools Pc
  45. Pentest Tools Windows
  46. Pentest Tools For Mac
  47. Pentest Tools Nmap
  48. Pentest Tools Alternative
  49. Hack Tools Online
  50. Hacker Tools Apk
  51. Pentest Tools Kali Linux
  52. Hack Tools Github
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)