DNSSEC security question

webster posted this 17 August 2016

Forgive my ignorance, but I just learned how to spell DNSSEC, so I am dangerous. My question is simple and has a boatload of assumptions and security holes.

I have my AD domain, contoso.com. I implement DNSSEC. Someone connects a DNS server to my network (I know, I am toast already), creates a contoso.com zone and enables DNSSEC. That someone is able to get my clients to send DNS queries to his bad DNS server (I know, the toast is now burned on both sides). Since the good and bad contoso.com zones have DNSSEC, how does the client know the response from the bad DNS server is not a valid DNSSEC response from my good DNS server?

Thanks

Webster

a-ko posted this 17 August 2016

The Windows DNS client does not validate DNSSEC queries. However, the Windows DNS servers do. Client -> DNS server traffic is not protected unless you do IPsec. Windows clients do understand responses from DNS servers that validate; they just don't do validation themselves.

-Mike

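The chain-of-trust step that lets a validating resolver tell the two contoso.com zones apart, as an added illustration that is not part of the thread or of any Windows component: a zone's DNSKEY is only accepted if it hashes to a DS record the resolver already trusts (the DS in the parent zone for a public name, or the trust anchor installed on the validating DNS server for an AD-internal zone), per RFC 4034. The rogue zone can sign its own copy of contoso.com with its own key, but it cannot get that key's DS into .com or into the validating server's trust anchors. The zone name, key bytes and trust anchor below are constructed placeholders, not real contoso.com data, and signature (RRSIG) verification is deliberately left out; this shows only the key-authentication step.

```python
# Added example (not from the original thread): the chain-of-trust check a
# validating resolver performs on a zone's DNSKEY, per RFC 4034. The zone
# name, keys and trust anchor below are constructed, not real contoso.com data.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str       # zone apex the key belongs to, e.g. "contoso.com."
    flags: int       # 257 = KSK (zone key + SEP bit), 256 = ZSK
    algorithm: int   # 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        # RFC 4034 s2.1 wire RDATA: flags | protocol (always 3) | algorithm | key
        return (self.flags.to_bytes(2, "big") + b"\x03"
                + bytes([self.algorithm]) + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256 (RFC 4509)
    digest: bytes


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase labels,
    each length-prefixed, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(key: DNSKEY, digest_type: int = 2) -> DS:
    """Build the DS record the parent zone (or a trust anchor) publishes for a KSK:
    digest = H(canonical owner name || DNSKEY RDATA)  (RFC 4034 s5.1.4)."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented here")
    digest = hashlib.sha256(canonical_wire_name(key.owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, digest)


def dnskey_is_trusted(key: DNSKEY, anchors: list[DS]) -> bool:
    """True if some DS/trust anchor authenticates this DNSKEY. This is the step
    a rogue zone cannot pass: it can sign its own copy of contoso.com, but it
    cannot get its key's DS into the parent or into the resolver's anchors."""
    tag = key_tag(key.rdata())
    for ds in anchors:
        if ds.key_tag != tag or ds.algorithm != key.algorithm or ds.digest_type != 2:
            continue
        want = hashlib.sha256(canonical_wire_name(key.owner) + key.rdata()).digest()
        if hmac.compare_digest(ds.digest, want):
            return True
    return False


# Constructed scenario from the thread: the legitimate contoso.com KSK and the
# key of the rogue contoso.com zone someone plugged into the network. The byte
# strings are placeholders, not real ECDSA public keys.
GOOD_KSK = DNSKEY("contoso.com.", 257, 13, bytes(range(32)))
ROGUE_KSK = DNSKEY("contoso.com.", 257, 13, bytes(range(32, 64)))

# The only DS the validating resolver trusts for contoso.com: in a public zone
# this sits in .com, in an AD-internal zone it is the trust anchor installed on
# the validating DNS server. The rogue operator controls neither.
TRUST_ANCHORS = [ds_from_dnskey(GOOD_KSK)]


def check_both() -> dict:
    """Verdict a validator reaches for each zone's key before it looks at RRSIGs."""
    return {
        "good": dnskey_is_trusted(GOOD_KSK, TRUST_ANCHORS),
        "rogue": dnskey_is_trusted(ROGUE_KSK, TRUST_ANCHORS),
    }


if __name__ == "__main__":
    for name, ok in check_both().items():
        print(f"{name} contoso.com KSK authenticated by trust anchor: {ok}")
```

Two caveats a practitioner should keep in mind. First, this check runs on the validating DNS server, not on the Windows client; the client-to-server hop is still plain UDP/TCP, so a rogue server the client has been pointed at can simply set the AD bit in its replies, which is why the hop needs IPsec (or an NRPT rule that requires it) to be trustworthy. Second, the rogue key is rejected only because the resolver has a trust anchor (or sees a DS in the parent) for contoso.com; if it has neither, the zone is treated as insecure and signed answers from either server are accepted without validation, so DNSSEC on an AD-internal zone only helps once the trust anchor is actually distributed to every validating server.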

kennedyjim posted this 17 August 2016

To rephrase it as I understand it:

DNSSEC protects your DNS servers from being poisoned, not the clients.

pawan posted this 22 August 2016

Yes, DNSSEC protects the transition between DNS server zones and protects them from being manipulated by any man-in-the-middle attacks.

Rgds,

Pwn
