In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?
The following list are the attack types from the first post, where DNSSEC can protect the users:
- DNS cache poisoning the DNS server, "Da Old way"
- DNS cache poisoning, "Da Kaminsky way"
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
The following list are the attack types from the first post, where DNSSEC cannot protect the users:
- Rogue DNS server set via malware
- Having access to the DNS admin panel and rewriting the IP
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.
Now, how can I protect against all of these attacks? Answer is "simple":
- Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
- Don't let malware run on your system! ;-)
- Use at least two-factor authentication for admin access of your DNS admin panel.
- Use a registry lock (details in part 1).
- Use a DNSSEC aware OS.
- Use DNSSEC protected websites.
- There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.
Now some random facts, thoughts, solutions around DNSSEC:
- Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
- Did you know DNSSEC was first deployed at the root level on July 15, 2010?
- Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
- Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
- Did you know that you can also use and test that cool DNSSEC validator?
- Did you know that there are alternative solutions like DNSCrypt?
- Did you know that in the future you might be able to enforce HSTS via DNSSEC?
- Did you know that in the future you might be able to use certificate pinning via DNSSEC?
Note from David:
Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D
More info- Hack And Tools
- New Hacker Tools
- Hack Tools Pc
- Hack Tools For Mac
- Hacker Techniques Tools And Incident Handling
- Hack Tools For Mac
- Pentest Tools Tcp Port Scanner
- Pentest Tools Subdomain
- Hacker Tools Mac
- Pentest Tools Nmap
- Pentest Tools Windows
- Hacker Tools Mac
- Hacker Techniques Tools And Incident Handling
- Hacker Tools Online
- Pentest Tools Nmap
- Hack Tool Apk No Root
- Hacking Tools Github
- Hacker Tools
- Hacker Tools List
- Pentest Tools Bluekeep
- How To Hack
- Kik Hack Tools
- Kik Hack Tools
- Pentest Tools Framework
- Top Pentest Tools
- Pentest Tools Free
- Hacker Tools For Mac
- Hacker Tool Kit
- Hacking Tools For Windows Free Download
- Nsa Hacker Tools
- Hack And Tools
- Termux Hacking Tools 2019
- Hacker Tools Apk
- Hacking Tools For Games
- Hacking Tools
- Hak5 Tools
- Underground Hacker Sites
- Hacker Tools Apk
- Pentest Tools Online
- Hacking Tools Hardware
- Hack Rom Tools
- Tools Used For Hacking
- Hacking Apps
- Blackhat Hacker Tools
- Nsa Hack Tools
- Kik Hack Tools
- Pentest Tools Find Subdomains
- Pentest Tools Subdomain
- Hacking Tools Windows 10
- Hacking Tools For Windows Free Download
- What Is Hacking Tools
- Pentest Tools Website
- How To Hack
- Github Hacking Tools
- Hacking Tools Download
- Underground Hacker Sites
- Physical Pentest Tools
- Pentest Tools Website
- Hacker Tools 2019
- Hacker Tools Hardware
- Hack And Tools
- Hacker Tool Kit
- Hack App
- Hack Tools For Ubuntu
- Hack Tools Online
- Pentest Tools For Android
- Pentest Tools Download
- Bluetooth Hacking Tools Kali
- Hacking Tools Software
- Hak5 Tools
- Hacker Techniques Tools And Incident Handling
- Tools For Hacker
- Pentest Tools Website
- World No 1 Hacker Software
- Top Pentest Tools
- Kik Hack Tools
- How To Make Hacking Tools
- Pentest Box Tools Download
- Hack Tools For Pc
- Growth Hacker Tools
- Hacking Tools For Windows 7
- Hacker Techniques Tools And Incident Handling
- Pentest Tools Website Vulnerability
- What Is Hacking Tools
- Underground Hacker Sites
- How To Make Hacking Tools
- Hacking Tools Kit
- Ethical Hacker Tools
- Hacker Tools Free Download
- Hacker Techniques Tools And Incident Handling
- Hack Tools Download
- Pentest Tools
- Tools 4 Hack
- Best Hacking Tools 2019
- Nsa Hacker Tools
- Pentest Tools List
- Pentest Tools For Ubuntu
- Physical Pentest Tools
- Hacking Tools For Windows Free Download
- Pentest Tools For Ubuntu
- Hack Tool Apk No Root
- Hacker Tools Software
- Hacking Tools Online
- Hacking Tools 2020
- Hacker Search Tools
- Pentest Tools Url Fuzzer
- Tools For Hacker
- Pentest Tools Bluekeep
- Hacker Security Tools
- Easy Hack Tools
- Hacking Tools For Windows Free Download
- Pentest Tools Open Source
- Pentest Tools List
- Github Hacking Tools
- Pentest Tools Apk
- Free Pentest Tools For Windows
- Hack Tools Pc
- Hacker Tools Linux
- How To Make Hacking Tools
- Hacker Tools Linux
- Hacker Tools 2019
- Hack Rom Tools
- Computer Hacker
- Pentest Tools For Windows
- Hackrf Tools
- Hacker Tools List
- Hack Tools For Games
No comments:
Post a Comment