In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?
The following list are the attack types from the first post, where DNSSEC can protect the users:
- DNS cache poisoning the DNS server, "Da Old way"
- DNS cache poisoning, "Da Kaminsky way"
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
The following list are the attack types from the first post, where DNSSEC cannot protect the users:
- Rogue DNS server set via malware
- Having access to the DNS admin panel and rewriting the IP
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.
Now, how can I protect against all of these attacks? Answer is "simple":
- Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
- Don't let malware run on your system! ;-)
- Use at least two-factor authentication for admin access of your DNS admin panel.
- Use a registry lock (details in part 1).
- Use a DNSSEC aware OS.
- Use DNSSEC protected websites.
- There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.
Now some random facts, thoughts, solutions around DNSSEC:
- Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
- Did you know DNSSEC was first deployed at the root level on July 15, 2010?
- Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
- Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
- Did you know that you can also use and test that cool DNSSEC validator?
- Did you know that there are alternative solutions like DNSCrypt?
- Did you know that in the future you might be able to enforce HSTS via DNSSEC?
- Did you know that in the future you might be able to use certificate pinning via DNSSEC?
Note from David:
Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D
Related links
- Hacking Tools And Software
- Game Hacking
- Hack Tools For Ubuntu
- Hacker Hardware Tools
- Game Hacking
- Hacking Tools Hardware
- Nsa Hacker Tools
- Hacker Tools 2020
- Hack Tools Pc
- Pentest Tools Url Fuzzer
- Hack App
- Hack Apps
- How To Make Hacking Tools
- Pentest Tools Online
- Android Hack Tools Github
- New Hacker Tools
- Pentest Tools Online
- Pentest Tools Alternative
- Hack And Tools
- Physical Pentest Tools
- Pentest Tools For Mac
- Pentest Tools Url Fuzzer
- Pentest Tools Alternative
- Hacking Tools For Pc
- Hacker
- Hacker Tools Linux
- What Is Hacking Tools
- Kik Hack Tools
- Hacker Tools Windows
- Pentest Tools For Windows
- Tools 4 Hack
- Hack Tools Online
- Tools For Hacker
- Hacking Tools For Pc
- Kik Hack Tools
- Pentest Automation Tools
- Hacking Tools 2019
- Pentest Tools Website Vulnerability
- Hacking Tools 2020
- Best Pentesting Tools 2018
- Blackhat Hacker Tools
- Pentest Tools Windows
- Pentest Tools Tcp Port Scanner
- Hack Tools For Ubuntu
- Hack Website Online Tool
- Pentest Tools Framework
- Hacker Tools Github
- Nsa Hack Tools Download
- Hacker Tools Online
- Termux Hacking Tools 2019
- Ethical Hacker Tools
- New Hacker Tools
- Pentest Tools Linux
- Top Pentest Tools
- Pentest Tools Tcp Port Scanner
- Hacker Tool Kit
- Hacker Tools Linux
- Hacker Tools Online
- Hacker Tools Free Download
- Hacking Tools For Windows 7
- Hack Tools 2019
- Kik Hack Tools
- Top Pentest Tools
- Pentest Reporting Tools
- Hacking Tools For Kali Linux
- Hack Tools Online
- Pentest Tools Bluekeep
- Pentest Tools Nmap
- How To Make Hacking Tools
- Termux Hacking Tools 2019
- Pentest Tools Alternative
- Pentest Box Tools Download
- Tools Used For Hacking
- Best Hacking Tools 2020
- Hacker Tools For Mac
- Hacking Tools For Games
- Pentest Tools Android
- Ethical Hacker Tools
- New Hack Tools
- Hacking Tools Usb
- Pentest Tools Tcp Port Scanner
- Computer Hacker
- Pentest Tools Tcp Port Scanner
- Hack Website Online Tool
- Bluetooth Hacking Tools Kali
- Pentest Tools Framework
- Beginner Hacker Tools
- Hacking Tools And Software
- Hacking Tools Online
- Hacker Tools Linux
- Hack Tools
- Pentest Tools Bluekeep
- Hacking Tools Free Download
- Hacking Tools
- Pentest Tools Apk
- Hack Tools Online
- Hacker Tools Free
- Bluetooth Hacking Tools Kali
- Pentest Reporting Tools
- World No 1 Hacker Software
- Usb Pentest Tools
- Hacking Tools Windows
- Hacker Security Tools
- Hack Apps
- Nsa Hacker Tools
- Tools Used For Hacking
- Hack Tools
- What Are Hacking Tools
- Usb Pentest Tools
- Pentest Tools Bluekeep
- Pentest Tools Website
- Hack Tools For Pc
- What Are Hacking Tools
- Hack Tools Download
- Install Pentest Tools Ubuntu
- Hack Tool Apk
- Pentest Tools For Windows
- Hacking Tools For Beginners
- Ethical Hacker Tools
- Computer Hacker
沒有留言:
發佈留言