Questions tagged [dnssec]
Domain Name System Security Extensions (DNSSEC) is a set of IETF specifications for digitally signed DNS.
132 questions
2 votes, 0 answers, 95 views
Does DNSSEC prevent man-in-the-middle at all? [duplicate]
I just watched a video on DNS that explained that if there is a man-in-the-middle or if someone has taken over your resolver, DNSSEC can prevent the responses from being tampered with because the ...
0 votes, 0 answers, 139 views
Most likely route to hostile domain take-over?
Say a citizen-run journalist site is a target of a hostile government. The site is hosted over HTTPS in a different country, outside the government's reach. However, the site domain name is within ...
0 votes, 0 answers, 111 views
Understanding DNSSEC NSEC3 output for valid domain name
I am trying to understand the NSEC3 record when querying for an existing domain name; for NXDOMAIN I understand how it works. The RFC has examples about Wildcard, NODATA & NXDOMAIN
So I fired these queries ...
8 votes, 3 answers, 2k views
Is there a way to use DNS to block access to my domain?
I manage a few dozen servers that are publicly accessible and must remain so. I see very large volumes of malicious traffic on all of these servers. The malicious traffic starts as port scans (...
0 votes, 1 answer, 262 views
Since the DS recordset contains all of the child's Key Signing Key, wouldn't the DS recordset be massive and difficult to load for verification?
I'm learning about DNSSEC today but I don't quite understand how a parent zone would store all of its child's Key Signing Keys (DNSKEY 257) in its DS record set.
As far as I understand, if I ...
4 votes, 1 answer, 486 views
How can I validate the root DNS key-signing-key on the command line?
Consider the following dig command and its truncated output:
dig . dnskey +dnssec +multi @a.root-servers.net
...
...
;; ANSWER SECTION:
. 172800 IN DNSKEY 257 3 8 (
...
4 votes, 1 answer, 7k views
Secure DNS (DoH, DoT) differences, performance, comparison
I am reading up on secure DNS (DoH, DoT) and trying to identify its differences. Currently, I am on https://www.cloudflare.com/learning/dns/dns-over-tls/ page.
Is there for example some non-...
0 votes, 0 answers, 174 views
How to properly handle DNSKEY delegation across DNS zones?
I'm trying to implement a toy project DNSSEC supported DNS resolver to learn about both DNS and DNSSEC.
Most of my implementation is finished. But for some domains it's not working correctly, and I ...
2 votes, 1 answer, 127 views
How to identify a name server that does not have DNSSEC implemented?
I tried dig +dnssec dig [domain name] +dnssec +short. Is RRSIG the only attribute to confirm if a name server has DNSSEC implemented or not? How do I identify a name server that has no DNSSEC ...
1 vote, 1 answer, 2k views
Is Anonymized DNSCrypt over Tor a better alternative to having Doh+ECH?
I use dnscrypt-proxy's anonymized DNScrypt with multiple relays, force it all to use TCP, route them over Tor.
Does this prevent my ISP or anyone in my country from seeing my DNS queries and client hellos ...
0 votes, 1 answer, 273 views
Someone issued fake CAA records for my domain. What is the most important thing to do to resolve it?
First, I can update this with the affected domain, if it's critical, but for obvious reasons I'd like not to be the target of more problems.
Someone registered some CAA records for my domain.
I have ...
0 votes, 1 answer, 1k views
What happens if both DoH and DoT are enabled?
If I have DNS over HTTPS and DNS over TLS activated simultaneously (router has DoT activated and smartphone browser has DoH activated, so I see on https://1.1.1.1/help DoH: yes and DoT: yes), which ...
0 votes, 1 answer, 135 views
Suspicious ip address of our mail domain found on talosintelligence.com (spoofing attempt)
We have a fair amount of email traffic. Recently, we had some suspicious email spoofing attacks and a lot of users reported that outgoing emails were marked as spam and landed in the junk folder (reported ...
1 vote, 1 answer, 10k views
Any Cloudflare's DNS over TLS (DoT) check + DNSSEC test?
In my original question from 2020, I was unsuccessful in my effort to set up Cloudflare's (link to docs) DNS over TLS (DoT) (link to wiki) in my old, and now decommissioned, router:
Does Cloudflare'...
-1 votes, 1 answer, 2k views
DNSSEC is not configured for X website
I'm pretty new to this world of security and I'm doing some challenges, trying to solve security puzzles. The thing is, I have a website that is not loading; it throws a timeout if I do ping, but ...