In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?
The following list are the attack types from the first post, where DNSSEC can protect the users:
- DNS cache poisoning the DNS server, "Da Old way"
- DNS cache poisoning, "Da Kaminsky way"
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
The following list are the attack types from the first post, where DNSSEC cannot protect the users:
- Rogue DNS server set via malware
- Having access to the DNS admin panel and rewriting the IP
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.
Now, how can I protect against all of these attacks? Answer is "simple":
- Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
- Don't let malware run on your system! ;-)
- Use at least two-factor authentication for admin access of your DNS admin panel.
- Use a registry lock (details in part 1).
- Use a DNSSEC aware OS.
- Use DNSSEC protected websites.
- There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.
Now some random facts, thoughts, solutions around DNSSEC:
- Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
- Did you know DNSSEC was first deployed at the root level on July 15, 2010?
- Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
- Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
- Did you know that you can also use and test that cool DNSSEC validator?
- Did you know that there are alternative solutions like DNSCrypt?
- Did you know that in the future you might be able to enforce HSTS via DNSSEC?
- Did you know that in the future you might be able to use certificate pinning via DNSSEC?
Note from David:
Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D
Related articles
- Wifi Hacker Tools For Windows
- Free Pentest Tools For Windows
- Tools Used For Hacking
- Hacker Tools For Ios
- Hacker Tools Windows
- Hacker Hardware Tools
- Easy Hack Tools
- Pentest Tools Review
- Pentest Tools Find Subdomains
- Beginner Hacker Tools
- Pentest Tools Find Subdomains
- Hacking Tools For Pc
- Pentest Tools Apk
- Nsa Hacker Tools
- Pentest Tools Linux
- What Are Hacking Tools
- Tools 4 Hack
- Hack Tools Mac
- Hacker Tools Software
- Hacker Tools For Mac
- Hacker Tools For Ios
- Pentest Tools Download
- Tools 4 Hack
- Hacking Tools And Software
- Hacking Tools And Software
- Hacker Tools Mac
- Pentest Tools Kali Linux
- Ethical Hacker Tools
- Nsa Hack Tools Download
- Hacker Security Tools
- Pentest Tools Port Scanner
- Nsa Hacker Tools
- Pentest Box Tools Download
- Pentest Tools Review
- Hacking Apps
- Hacker Tools 2019
- Hacker Tools For Windows
- Hacker Tool Kit
- How To Install Pentest Tools In Ubuntu
- Hacker Tools Github
- Hak5 Tools
- Ethical Hacker Tools
- Pentest Tools Bluekeep
- Pentest Recon Tools
- Pentest Tools Tcp Port Scanner
- Usb Pentest Tools
- Hacking Tools Hardware
- Hacking Tools
- Computer Hacker
- Pentest Tools Website
- Pentest Tools Github
- Hack Tools Online
- Hacker Tools
- Hack Tools Pc
- Hacking Tools Name
- Hack Tools Download
- Hacking Tools Windows
- Free Pentest Tools For Windows
- Pentest Tools Open Source
- Hacker Hardware Tools
- Pentest Tools Framework
- Hacking Tools Online
- Hack Tools Mac
- Hack Tools Download
- Underground Hacker Sites
- Github Hacking Tools
- Hacker Tools Software
- Pentest Tools Website Vulnerability
- Hack Tool Apk
- Tools 4 Hack
- Hacker Tools For Pc
- Hackrf Tools
- Pentest Tools Github
- Blackhat Hacker Tools
- Pentest Tools Android
- Hack And Tools
- How To Hack
- Hacker Tools For Ios
- Hack Tools Pc
- Hacking Tools For Kali Linux
- Hacker Tools Online
- Hack Tool Apk No Root
- What Is Hacking Tools
- Hacking Tools Windows 10
- Free Pentest Tools For Windows
- Hacker Tools For Pc
- Hacking Tools For Mac
- Pentest Tools Find Subdomains
- Blackhat Hacker Tools
- Hacking Tools Name
- Hacker Tools Apk
- Hack Tools Online
- Black Hat Hacker Tools
- Hacker Tools Software
- Hack Tools For Windows
- Hacking Tools For Windows Free Download
- Hack Tools Online
- Hacker Tools Windows
- Pentest Tools For Android
- Kik Hack Tools
- Pentest Tools Find Subdomains
- Pentest Tools Nmap
- Top Pentest Tools
- What Is Hacking Tools
- Pentest Tools Alternative
- Hack Tools
- Termux Hacking Tools 2019
- New Hacker Tools
- Hacker Tools For Mac
- Hack Website Online Tool
- Hack Apps
- Hack Rom Tools
- Hacking Tools Free Download
- Hacking Tools For Games
- Pentest Tools Subdomain
- Hackrf Tools
- Hacking Tools Usb
- Pentest Tools For Android
- Best Hacking Tools 2020
- Pentest Tools Nmap
- Hacking Tools For Mac
- Hacker Search Tools
- Hack Tools For Pc
- Pentest Tools Nmap
- Pentest Tools For Mac
- Hacking Tools Windows 10
- Pentest Tools
Tidak ada komentar:
Posting Komentar