DNSSEC can easily be spoofed?

dnssec

I want to know the purpose of DNSSEC, what problem does it really try to solve? I think DNSSEC can easily be spoofed by inserting a non-DNSSEC DNS server into the network that serves a non-DNSSEC copy of the zone. But maybe that is not the problem that DNSSEC tries to solve?

With DNSSEC, DNS servers use public private key encryption to sign and check each others' zones. This may help for instance against DNS cache poisoning. Data gets added to the cache only after the signature of the DNS reponse is checked.

Nice.

But how do clients verify they are using DNS secured by DNSSEC? If you try to prevent DNS cache poisoning but not preventing DNS server insertion, is DNSSEC even worth the trouble?

I have a domain that is fully protected by DNSSEC according to https://dnssec-analyzer.verisignlabs.com/. In my company DNS (or restaurant wifi) I added a copy of this domain (or 'zone') to the network DNS server. This local DNS zone is NOT using DNSSEC. The clients in the company network (or restaurant wifi) are instructed to use the company DNS by the company DHCP server. Now if I change records in the copied zone on the company DNS, the clients simply follow these changes without warnings or complaints. The end users may believe they are safe because they have read in the documentation that my zone is protected by DNSSEC, but in reality they are using a spoofed zone on my company network (or the restaurant wifi) and the are not protected at all?


Solution 1:

DNSSEC allows you to ensure that the DNS data that you receive is unchanged compared to what the domain-owner published (for signed zones). This validation can be done at any stage in the querying path.

For this to work from the client point of view, you would ideally validate locally (not that common today but far from unheard of) or have a secure network path that can bridge the gap to a trusted validating resolver.
This secure network path could mean DNS-over-TLS, DNS-over-HTTPS, DNSCrypt or to some extent also a local network that you can at least somewhat trust (weaker, but still useful for a subset of attack scenarios).

Related

Can't grow XFS file system on Amazon EC2: xfs_growfs: / is not a mounted XFS filesystem
What tools do you use to manage your Linux Server?
Do I need Openstack's keypair and cloud-init's ssh_authorized_keys together?
How to stop requests on PHP server while it is running cron job sheduled PHP script?
Thunderbird won't connect to Dovecot server
Upstart script which restarts service when file is created
Windows 10 DNS caching oddity, can someone explain how this can happen?
Is using [intptr]::Size to check 32bits vs 64bits relevant?
Multiple long running mysqld processes
Can't set up Let's Encrypt certificate with Apache 2.4, "invalid response" according to Chrome
SSL certificate(s) for one domain and one subdomain
Change value of only selected Select dropdown in React