DNSSEC Resolvers and Browser Validation
-
DNS Hijacking has become a more common tool in the hacking bag of tricks, and your OS and Browsers tend not to let you know where the site names are being fetched from.
Many people swap their DNS resolver from automatic (your ISP) to Google 8.8.8.8 and 8.8.4.4 to improve their speed of fetching Domain names, but often they are not as fast as ones situated closer to you.
Google does use DNSSEC, but you can also be sure that Google are logging DNS requests.
Normal DNS lookups are not encrypted or validated, so can be read and changed during the trip between you and the DNS.
DNSSEC and DNSCrypt together add validation and encryption.
You must have a DNSSEC resolver set as your DNS for each network device you are connecting to the "internet" with, not a network "Intranet".
You can either use DNSBenchmark to find your fastest/closest DNS with DNSSEC, and manually add 2 or more to the network config.
https://www.grc.com/dns/benchmark.htm (Windows)
REFERENCE
http://www.dnssec.net
https://technet.microsoft.com/library/jj200221(v=ws.11).aspx
https://wikipedia.org/wiki/Domain_Name_System_Security_Extensions
Preferably install the DNSCrypt proxy and pick the closest OpenDNS to you that shows "DNSSEC enabled" and "No-logging".
Currently there are over 100 DNS to choose from.
https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
(Linux, Windows, MacOS, Android, iOS, Routers with custom ROM ability)
Reference and Downloads
https://dnscrypt.org
https://www.opendns.com/about/innovations/dnscrypt/
(Yandex browser now has DNSCrypt built-in. Demand the same for Vivaldi)
Unfortunately many sites using HTTPS are not configured to use DNSSEC validation.
DNSSEC/TLSA Validator browser extension will check for the existence and validity of DNSSEC signed DNS records of any HTTPS site you visit.
Alternative DNS can be added in the extension for comparisons.
https://www.dnssec-validator.cz
(Chromium, Firefox, Internet Explorer, Safari)
-
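The post above says you need a DNSSEC-validating resolver and an extension to tell whether a site's records are actually validated. The following is an added example, not code from the thread or from any of the tools it links: it builds a DNS query with the EDNS0 "DNSSEC OK" (DO) bit set, then inspects a reply for the two signs a validating resolver leaves, the AD (Authenticated Data) header flag and RRSIG records in the answer section. The sample replies are constructed in-line so the parser can be exercised offline; the resolver address under `__main__` is a placeholder you replace with your own (for instance a local dnscrypt-proxy listener).

```python
"""Check a DNS reply for signs of DNSSEC validation (added example).

Packets here are hand-built for illustration; the RRSIG rdata in the
sample reply is a zero-filled placeholder, not a real signature.
"""
import socket
import struct

TYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46
AD_FLAG = 0x0020   # Authenticated Data bit in the header flags word
DO_BIT = 0x8000    # DNSSEC OK bit in the OPT record's extended flags


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """A-record query with RD set plus an OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags DO, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, DO_BIT, 0)
    return header + question + opt


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                 # only the first pointer ends the name
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg):
    """Return header flags and the record types in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answer_types = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        answer_types.append(rtype)
    return {"id": txid, "ad": bool(flags & AD_FLAG),
            "rcode": flags & 0x000F, "answer_types": answer_types}


def dnssec_status(msg):
    """Classify a reply: validated, signed but not validated, or neither."""
    info = parse_response(msg)
    signed = TYPE_RRSIG in info["answer_types"]
    if info["ad"] and signed:
        return "validated"
    if signed:
        return "signed-not-validated"   # resolver returned signatures but did not validate
    return "unsigned-or-not-requested"  # no RRSIG: zone unsigned, or DO bit not set


def build_sample_response(name, ad, include_rrsig):
    """Constructed reply for offline tests (not captured traffic)."""
    flags = 0x8180 | (AD_FLAG if ad else 0)   # QR, RD, RA (+AD)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 2 if include_rrsig else 1, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xC0\x0C"                          # pointer back to the question name
    msg += ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
    if include_rrsig:
        rdata = b"\x00" * 18                   # placeholder RRSIG fields
        msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
    return msg


def query_resolver(name, server, timeout=3.0):
    """Send the DO-flagged query over UDP and classify the reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return dnssec_status(data)


if __name__ == "__main__":
    RESOLVER = "127.0.0.1"   # placeholder: your DNSSEC-validating resolver
    print(query_resolver("example.com", RESOLVER))
```

Run it against two resolvers to see the difference: one that validates returns "validated" for a signed zone, one that merely forwards returns "signed-not-validated" for the same name, and "unsigned-or-not-requested" is what you get for the many HTTPS sites the thread complains about that have no DNSSEC at all. The AD flag is only meaningful if the path between you and the resolver cannot be tampered with, which is the gap DNSCrypt is meant to close.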
DNSSEC Name and Shame
Together with the validation extension posted above, you may want to be more vocal about the lack of DNS spoofing protection on almost all HTTPS sites.
Also if like me you were starting to wonder if the extension works.
In either case, head over to "DNSSEC Name and Shame", where you can test any suspect site, and look at a list of correctly configured sites next to the top 25 most visited sites and their status (scary).
https://dnssec-name-and-shame.com
Nope, sadly Vivaldi domains are not protected from DNS spoofing/poisoning...
https://dnssec-name-and-shame.com/domain/downloads.vivaldi.com
...but this is not abnormal, it is unfortunately the standard.
https://dnssec-name-and-shame.com/domain/accounts.google.com
-
Yes this is the unfortunate situation. Just like all the other now standard security features of the net, nobody uses them until the option is no longer an option, or a disaster happened.
When you look at the small list of correctly configured sites, one company stands out as being rather important, and that is Verisign.
Yes, it would seem to be a good idea that a site that serves certificates has some ability to protect itself against spoofing.
As more and more attacks are aimed at the network infrastructure (inside and outside the home), rather than just hacking a site or PC, we may get to a point when even EV certificates cannot be trusted for authentication because you cannot tell if the domain is real or faked.
Users can opt for a DNSSEC resolver, but like you said nobody knows or cares about it so usually only accidentally have it, eg. if they swapped to a Google DNS.
People never care about something they don't know.
Privacy via HTTPS sites is made weaker if your requests for domains are not also encrypted with DNSSEC.
DNSCrypt is an extra feature that authenticates the DNS you use because a DNS can also be spoofed.
Sites should also use encryption and authentication when talking to DNS, or yet again the privacy is borked and it is possible to do a man in the middle attack.
Any site that serves an Operating System image or web browsers needs to be sure their downloads are not exchanged for something else.
As far as I know only 1 web browser comes with DNS spoofing protection, or at least it is the first to feature built-in DNSCrypt support.
Yandex, another Chromium-based project.
Shame most Vivaldi users are not as concerned about fake sites as they are about syncing and fancy icons.
I still use Firefox for trustability over other browsers due to the extensions available that Google do not allow.
Calomel lets you know if an otherwise good certificate is weak, and can override the browser security.
Perspectives checks the certificates of sites you visit against historical data from many geographically separate servers, so you can see if the "good" certificate you see is different than the one everyone else sees, and it can override the browser security settings.
HTTPS Everywhere for FF has extra features such as sending the certificate to the EFF observatory and options for overriding the browser security and encryption.
(spot the thing that Google don't allow)
Alternatively/additionally you could use an extension that does reverse DNS checks of all the sites you visit and pops up warnings if the domain does not match the registered IPs, but in an era of CDNs will show a lot of false-positives, so is best used by someone that knows what they are seeing.