In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?
The following list are the attack types from the first post, where DNSSEC can protect the users:
- DNS cache poisoning the DNS server, "Da Old way"
- DNS cache poisoning, "Da Kaminsky way"
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
The following list are the attack types from the first post, where DNSSEC cannot protect the users:
- Rogue DNS server set via malware
- Having access to the DNS admin panel and rewriting the IP
- ISP hijack, for advertisement or spying purposes
- Captive portals
- Pentester hijacks DNS to test application via active man-in-the-middle
- Malicious attacker hijacks DNS via active MITM
If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.
Now, how can I protect against all of these attacks? Answer is "simple":
- Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
- Don't let malware run on your system! ;-)
- Use at least two-factor authentication for admin access of your DNS admin panel.
- Use a registry lock (details in part 1).
- Use a DNSSEC aware OS.
- Use DNSSEC protected websites.
- There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.
Now some random facts, thoughts, solutions around DNSSEC:
- Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
- Did you know DNSSEC was first deployed at the root level on July 15, 2010?
- Did you know .NL become the first TLD to pass 1 million DNSSEC-signed domain names?
- Did you know that Hungary is in the testing phase of DNSSEC (watch out, it is Hungarian)?
- Did you know that you can also use and test that cool DNSSEC validator?
- Did you know that there are alternative solutions like DNSCrypt?
- Did you know that in the future you might be able to enforce HSTS via DNSSEC?
- Did you know that in the future you might be able to use certificate pinning via DNSSEC?
Note from David:
Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D
Related word- Tools For Hacker
- Hacking Tools Software
- Hacking Tools For Windows 7
- Hack Tools For Ubuntu
- Hack Rom Tools
- Pentest Tools Framework
- Hacker Tools Hardware
- Hacker Tools 2020
- Hack Tool Apk No Root
- Pentest Tools Windows
- Hacking Tools For Pc
- Pentest Recon Tools
- Hacking Tools Pc
- Nsa Hack Tools
- Pentest Tools Free
- Ethical Hacker Tools
- Pentest Tools List
- Hak5 Tools
- Underground Hacker Sites
- Hacker Tools List
- Pentest Tools Online
- Bluetooth Hacking Tools Kali
- Best Pentesting Tools 2018
- Hacking Tools For Windows Free Download
- Pentest Automation Tools
- Github Hacking Tools
- Pentest Tools Review
- How To Make Hacking Tools
- Hacking Tools Name
- Hacking Tools
- Hacking Apps
- Hack Tool Apk
- Nsa Hack Tools
- Hacker Tools For Windows
- Hack Tools Pc
- Pentest Tools Bluekeep
- Growth Hacker Tools
- Hacking Tools 2020
- Pentest Tools Kali Linux
- Pentest Tools Free
- Hacker Techniques Tools And Incident Handling
- Beginner Hacker Tools
- Hack Tools For Games
- Best Pentesting Tools 2018
- Hack Tools Github
- Hacking Tools For Beginners
- Termux Hacking Tools 2019
- Hack Tool Apk No Root
- Hacker Tools For Windows
- Hacking Tools 2020
- Easy Hack Tools
- Hacker Hardware Tools
- New Hacker Tools
- Usb Pentest Tools
- Hacker Tools 2020
- Ethical Hacker Tools
- Kik Hack Tools
- Hacking Tools Windows 10
- Pentest Tools Nmap
- Pentest Tools For Ubuntu
- Pentest Tools Download
- Hacking Tools Online
- Pentest Tools Download
- Beginner Hacker Tools
- World No 1 Hacker Software
- Hack Tools For Mac
- Android Hack Tools Github
- Hack Apps
- Black Hat Hacker Tools
- Pentest Box Tools Download
- Hack Tool Apk No Root
- Hacking Tools Github
- Pentest Recon Tools
- Hacker Tools Software
- Hack Tools
- Ethical Hacker Tools
- Hacking App
- Hack Tools Online
- What Is Hacking Tools
- Hacking Tools Pc
- Pentest Tools Github
- Hacker Tools For Windows
- Hacking Tools Kit
- Hack Tool Apk No Root
- Hacker Tools 2020
- Ethical Hacker Tools
- Hack Tools
- Pentest Tools Framework
- Best Pentesting Tools 2018
- Best Hacking Tools 2020
- Install Pentest Tools Ubuntu
- Ethical Hacker Tools
- Pentest Tools Subdomain
- Pentest Tools Kali Linux
- Hacking Tools Online
- Tools For Hacker
- Hacking Tools Usb
- Black Hat Hacker Tools
- Hackers Toolbox
- Pentest Tools Framework
- Hacking Tools Windows 10
- Usb Pentest Tools
- Pentest Tools For Ubuntu
- Best Pentesting Tools 2018
- Pentest Tools Android
- Pentest Tools Url Fuzzer
- Hacker Tools 2020
- Pentest Recon Tools
- Hacking Tools Free Download
- Growth Hacker Tools
- Pentest Tools Github
- What Is Hacking Tools
No hay comentarios:
Publicar un comentario