New DNS Attacks Make Use of DNSSEC More Critical Than Ever

https://outline.com/sCqK5t

1 Like

https://www.icann.org/news/announcement-2019-02-15-en

I like this tool to monitor my domains: https://github.com/tobez/validns

Edit: sorry posted the wrong one, I recently started using this one instead: https://github.com/pawal/dnssec-monitor

1 Like

cool tools, thanks for mention them!

1 Like

While I am all for DNSSEC, it doesn’t seem like it would help much in this case.

The CISA directive lists three steps that allow attackers to perform the hijacking. First, the attacker obtains credentials of an administrator that can change DNS records. This is done using techniques described here before, including phishing emails and social engineering.

Next, the attacker changes the DNS records, including the address, mail exchanger and name server records, replacing them with addresses controlled by the attacker where traffic aimed at that address can be examined or manipulated.

Shouldn’t the administrator be using multifactor authentication?

FWIW, if you use Google, Cloudflare, DNS.WATCH or Quad9 with Pi-Hole, you should have DNSSEC enabled.

Here is a DNSSEC tester tool:
http://dnssec.vs.uni-due.de/

1 Like

It doesn’t help when the change is done using valid credentials and thus gets signed though, or if MITM strips the DNSSEC data, but the page mentions dnssec-trigger which fixes it and partially so do dnscrypt-proxy/DoH/DoT. Systemd-resolved also has support for verifying DNSSEC, so I think the situation is improving.

1 Like