platform; including automated penetration tests and risk assesments culminating in a "cyber risk score" out of 1,000, just like a credit score.
First slide label
Some representative placeholder content for the first slide.
Second slide label
Some representative placeholder content for the second slide.
Third slide label
Some representative placeholder content for the third slide.
DNSSEC, from an end-user perspective, part 3
published on 2014-01-25 12:47:00 UTC by Z Content:
In the first post of this DNSSEC series, I have shown the problem (DNS vulnerabilities), and in the second post, the "solution." In this third post, I am going to analyze DNSSEC. Can DNSSEC protect the users against all of the attacks? Or just part of them? What about corner cases?
The following list are the attack types from the first post, where DNSSEC can protect the users:
Pentester hijacks DNS to test application via active man-in-the-middle
Malicious attacker hijacks DNS via active MITM
The following list are the attack types from the first post, where DNSSEC cannot protect the users:
Rogue DNS server set via malware
Having access to the DNS admin panel and rewriting the IP
ISP hijack, for advertisement or spying purposes
Captive portals
Pentester hijacks DNS to test application via active man-in-the-middle
Malicious attacker hijacks DNS via active MITM
If you are a reader who thinks while reading, you might say "What the hell? Am I protected or not???". The problem is that it depends… In the case where the attacker is between you and your DNS server, the attacker can impersonate the DNS server, downgrade it to a non DNSSEC aware one, and send responses without DNSSEC information.
Now, how can I protect against all of these attacks? Answer is "simple":
Configure your own DNSSEC aware server on your localhost, and use that as a resolver. This is pretty easy, even I was able to do it using tutorials.
Don't let malware run on your system! ;-)
Use at least two-factor authentication for admin access of your DNS admin panel.
There is a need for an API or something, where the client can enforce DNSSEC protected answers. In case the answer is not protected with DNSSEC, the connection can not be established.
Now some random facts, thoughts, solutions around DNSSEC:
Did you know .SE signed its zone with DNSSEC in September 2005, as the first TLD in the world?
Did you know DNSSEC was first deployed at the root level on July 15, 2010?
Huh, I have just accidentally deleted this whole post from Z, but then I got it back from my browsing cache. Big up to Nir Sofer for his ChromeCacheView tool! Saved my ass from kickin'! :D