-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
60 additions
and
15 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,28 +1,73 @@ | ||
| # Secure DNS (DNSSEC) | ||
| # Exploring DNS: Security and Privacy Enhancements | ||
|
|
||
| DNSSEC (Domain Name System Security Extensions) is a set of security | ||
| extensions to the Domain Name System (DNS) protocol that provide | ||
| authentication of DNS data. DNSSEC is designed to protect Internet | ||
| applications from certain attacks, such as DNS cache poisoning, by | ||
| authenticating DNS data received from remote DNS servers. DNSSEC uses digital | ||
| signatures and public-key cryptography to authenticate DNS data and prevent | ||
| attackers from spoofing or tampering with DNS data. | ||
| The Domain Name System (DNS) is a hierarchical, decentralized naming system | ||
| for computers, services, or other resources connected to the Internet or a | ||
| private network. It associates various information with domain names | ||
| assigned to each of the participating entities. Most prominently, it | ||
| translates domain names into the numerical IP addresses needed for locating | ||
| and identifying computer services and devices. DNS is a critical part of | ||
| the Internet's functionality, but its default operation is vulnerable to | ||
| manipulation and privacy breaches. | ||
|
|
||
| In this exercise, you will explore two security enhancements for DNS: | ||
| 1. DNS over HTTPS (DoH) – aimed at improving privacy by encrypting DNS traffic. | ||
| 2. DNSSEC – aimed at improving security by authenticating DNS data. | ||
|
|
||
| ## Part 1: DNS over HTTPS (DoH) and DNS Traffic Analysis | ||
|
|
||
| In this section, you'll explore how DNS traffic can be encrypted using DNS | ||
| over HTTPS (DoH) and compare it with standard DNS traffic that is not | ||
| encrypted. | ||
|
|
||
| 1. **Capture DNS Traffic without Encryption** | ||
| a. Open your web browser and disable any encrypted DNS settings. For | ||
| example, in Firefox, navigate to **Settings > General > Network Settings** | ||
| and uncheck **Enable DNS over HTTPS**. | ||
| b. Open Wireshark and capture traffic on your active network interface. | ||
| c. Filter for DNS traffic by using the following display filter: dns | ||
| d. Visit a few websites in your browser and observe the DNS queries and | ||
| responses in the Wireshark capture. | ||
|
|
||
| *What do you notice about the information in these DNS packets? Is it | ||
| readable? What domains can you see in the clear?* | ||
|
|
||
| ## Part 1: DNSSEC Basics | ||
| 2. **Enable Encrypted DNS (DNS-over-HTTPS)** | ||
| a. Go back to your web browser and enable DNS over HTTPS (DoH). In Firefox, | ||
| navigate to **Settings > General > Network Settings** and check **Enable DNS | ||
| over HTTPS**. | ||
| b. Start a new Wireshark capture. | ||
| c. Use the same display filter as before: dns | ||
| d. Visit the same websites as in step 1 and observe the DNS traffic. | ||
| 3. **Compare the Results** | ||
| Compare the Wireshark captures from steps 1 and 2. | ||
|
|
||
| *What differences do you observe between the unencrypted DNS traffic and the | ||
| DNS-over-HTTPS traffic? Can you still see the domain names or query details in | ||
| the clear? How does encryption affect the visibility of DNS information?* | ||
|
|
||
| ## Part 2: DNSSEC (Domain Name System Security Extensions) | ||
|
|
||
| DNSSEC (Domain Name System Security Extensions) is a set of security | ||
| extensions to the DNS protocol that provides authentication of DNS data. | ||
| DNSSEC is designed to protect Internet applications from certain attacks, such | ||
| as DNS cache poisoning, by authenticating DNS data received from remote DNS | ||
| servers. DNSSEC uses digital signatures and public-key cryptography to | ||
| authenticate DNS data and prevent attackers from spoofing or tampering with | ||
| DNS data. | ||
|
|
||
| **Explore DNSSEC-enabled Domains** | ||
| Some domains have deployed DNSSEC records to allow clients to validate the | ||
| records that it returns. | ||
| records that are returned. | ||
|
|
||
| The `RRSIG` record includes a signature of the DNS record that is being | ||
| returned with the query. The signature is signed by the DNSKEY of the | ||
| returned with the query. The signature is signed by the DNSKEY of the | ||
| authoritative name server returning the record (or referral). | ||
|
|
||
| Explore some domains to see if DNSSEC records deployed. The following commands | ||
| may be useful: | ||
| Explore some domains to see if DNSSEC records are deployed. The following | ||
| commands may be useful: | ||
| - `dig any` | ||
| - `dig +dnssec rrsig` | ||
|
|
||
| ## Part 2: Discussion | ||
|
|
||
| **Discussion** | ||
| DNS can still be manipulated even if records are signed. Where is the root of | ||
| trust, and how might that be manipulated? |