In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?
The following list are the attack types from the first post, where DNSSEC can protect the users:
- DNS cache poisoning the DNS server, "Da Old way"
- DNS cache poisoning, "Da Kaminsky way"
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
The following list are the attack types from the first post, where DNSSEC cannot protect the users:
- Rogue DNS server set via malware
- Having access to the DNS admin panel and rewriting the IP
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.
Now, how can I protect against all of these attacks? Answer is "simple":
- Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
- Don't let malware run on your system! ;-)
- Use at least two-factor authentication for admin access of your DNS admin panel.
- Use a registry lock (details in part 1).
- Use a DNSSEC aware OS.
- Use DNSSEC protected websites.
- There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.
Now some random facts, thoughts, solutions around DNSSEC:
- Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
- Did you know DNSSEC was first deployed at the root level on July 15, 2010?
- Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
- Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
- Did you know that you can also use and test that cool DNSSEC validator?
- Did you know that there are alternative solutions like DNSCrypt?
- Did you know that in the future you might be able to enforce HSTS via DNSSEC?
- Did you know that in the future you might be able to use certificate pinning via DNSSEC?
Note from David:
Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D
More articles
- Hack Tools For Pc
- Hacking Tools
- Pentest Tools Website
- Hacker
- Hacking App
- Pentest Tools Port Scanner
- Hacker Tools Mac
- Tools Used For Hacking
- Bluetooth Hacking Tools Kali
- Hacking Apps
- Hacking Tools Kit
- Hack Tools Online
- Hacker Techniques Tools And Incident Handling
- Hacking Tools Hardware
- Hacker Tools For Windows
- Pentest Tools Review
- Pentest Automation Tools
- Hacking Tools Software
- Hacker Tools Free
- Beginner Hacker Tools
- Hacking Tools For Beginners
- Hack Tool Apk
- Hack Tools For Ubuntu
- Pentest Tools For Windows
- Black Hat Hacker Tools
- Pentest Tools Linux
- Best Hacking Tools 2020
- Hacker Hardware Tools
- Hacking Tools Software
- Hack Tools For Mac
- Free Pentest Tools For Windows
- What Is Hacking Tools
- Pentest Recon Tools
- Usb Pentest Tools
- Pentest Tools List
- Hacking Tools For Windows Free Download
- Pentest Tools Review
- Hacker Techniques Tools And Incident Handling
- What Is Hacking Tools
- Pentest Automation Tools
- Pentest Tools Subdomain
- Hacking Tools For Games
- Hacker Tools Mac
- Hack Tools
- Hacker Tools Hardware
- Pentest Tools Website Vulnerability
- Pentest Tools Windows
- Hacking Tools For Kali Linux
- Hacker Techniques Tools And Incident Handling
- Hacking Tools Download
- Hacker Tools Free
- Beginner Hacker Tools
- Pentest Tools Linux
- Hacker Tools For Windows
- Hack Tools For Windows
- Game Hacking
- Beginner Hacker Tools
- Hacker Tools 2020
- Hack Tools Online
- Hacking Tools Windows 10
- Hacker Tools For Ios
- Hacking Tools 2020
- Pentest Tools Nmap
- Growth Hacker Tools
- Hacking Tools Name
- Hacker Tools Online
- Pentest Tools Free
- Underground Hacker Sites
- Pentest Tools
- Hack Tools For Pc
- Hack Apps
- Pentest Tools Linux
- Pentest Recon Tools
- Pentest Tools List
- Hacker Security Tools
- Pentest Tools Kali Linux
- Pentest Tools Find Subdomains
- Hacking Tools 2019
- Hacker Tools For Ios
- Hacker Tools Software
- Pentest Tools Windows
- Hacker Tools Github
- Hacker Tools Free
- Free Pentest Tools For Windows
- Hacking Tools Pc
- Hacking Tools For Games
- Termux Hacking Tools 2019
- Hacking Tools For Games
- Pentest Tools Alternative
- How To Install Pentest Tools In Ubuntu
- Hack Tools For Windows
- Hacker Tools Windows
- Hack Tools Download
- Hacking Tools Usb
- Pentest Tools Website
- Hacker Search Tools
- Hack Tools Github
- Hack Tool Apk No Root
- Hack Tools For Pc
- Hacker Tools
- Hack Tools For Windows
- Hacker Hardware Tools
- Hacker Tools For Mac
- Hacking App
- Hacker Techniques Tools And Incident Handling
- Beginner Hacker Tools
- Computer Hacker
- Hacker Tools Online
- Pentest Tools Subdomain
- Pentest Tools For Ubuntu
- Hacking Tools Windows
- Hacking Tools For Mac
- Hacking Tools Windows
- Hack Tool Apk
- Blackhat Hacker Tools
- Hacking Tools For Kali Linux
- New Hacker Tools
- Hacking Tools Online
- Hacks And Tools
- Hack Rom Tools
- Pentest Box Tools Download
- Pentest Tools Tcp Port Scanner
- Hak5 Tools
- Hacking Tools For Games
No hay comentarios:
Publicar un comentario