Snake Oil Threat Intel

Firstly, what is DNSSEC?

https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en

OK, read all that? Good. What we are talking about here is signing a DNS zone to “assure” that the client is getting DNS responses from the right zone data. DNSSEC does not encrypt the conversation between DNS client and DNS server. It does enable the client to check whether the data it gets back is valid. In short, what we are doing is validating that the “data” being returned is authorized and has not been tampered with.

So what attacks are we trying to protect against?

  • This will protect against DNS Cache Poisoning attacks.

Fantastic subject but realistically how many threat scenarios involve tampered or spoofed DNS ZONES? I’d suggest I’ve never seen a kill chain in a real-world incident where these are featured.

A hijacked DNS user account and changing of DNS data, sure. But this wouldn’t be solved with DNSSEC as the attacker would have control over the zone.

Scammy Sales Techniques

You might find people on LinkedIn talking about how your domain is missing DNSSEC and therefore is “totally compromised”. It might sound funny (because partly it is!) but it’s also not funny. Using a quick web-based tool you can “scan”

But let’s see:

Microsoft DNSSEC Test Result
ncsc.gov.uk DNSSEC result
PwnDefend DNSSEC check

As you can see, I don’t have it deployed, Microsoft don’t have it deployed, NCSC don’t have it deployed (at the time of writing) – that’s because, well… it’s so low down on the list of things we need to do to secure our organizations (at least that’s my opinion!)

You can give it a whirl here: https://dnssec-analyzer.verisignlabs.com/pwndefend.com
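
The states a DNSSEC “scan” can report, as an added example (not code from the original post or from any scanning tool): a Python classifier that takes the parent's DS answer and the zone's DNSKEY answer in `dig +noall +answer` layout. The `example.test.` records, the 4-byte placeholder key and the function names are constructed for illustration.

```python
import base64

# Constructed sample records in `dig +noall +answer` layout (not real data).
# The 4-byte "key" is a placeholder, not a usable public key.
SIGNED_DNSKEY = "example.test. 3600 IN DNSKEY 257 3 13 AQIDBA=="
MATCHING_DS = "example.test. 3600 IN DS 2068 13 2 " + "AB" * 32
STALE_DS = "example.test. 3600 IN DS 4242 13 2 " + "CD" * 32


def records(text, rrtype):
    """Return the RDATA fields of every record of rrtype in dig answer text."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) > 4 and not line.startswith(";") and f[3] == rrtype:
            out.append(f[4:])
    return out


def key_tag(flags, proto, alg, key_b64):
    """RFC 4034 Appendix B key tag (the algorithm 1 special case is omitted)."""
    rdata = (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
             + base64.b64decode(key_b64))
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF


def classify(parent_answer, zone_answer):
    """Classify a delegation from the parent's DS and the zone's DNSKEY answers."""
    ds_tags = {int(r[0]) for r in records(parent_answer, "DS")}
    key_tags = {key_tag(r[0], r[1], r[2], "".join(r[3:]))
                for r in records(zone_answer, "DNSKEY")}
    if not ds_tags:
        # No DS at the parent: validators treat the zone as insecure and
        # resolve it normally, whether or not it publishes keys.
        return "island" if key_tags else "unsigned"
    # A DS with no matching DNSKEY breaks the chain: validating resolvers
    # answer SERVFAIL, which is an outage rather than a missing control.
    # "chained" only means a key tag matches; checking the DS digest and
    # the RRSIGs is still the validating resolver's job.
    return "chained" if ds_tags & key_tags else "bogus"
```

An `unsigned` result is the state the checks above show: the zone resolves normally for everyone. `bogus` is the state that actually stops validating resolvers from answering.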

Cyber Security is linked to RISK MANAGEMENT, it’s not about having perfect scores on scanners, it’s not about using every feature/control to mitigate 100% of risk. 100% risk mitigation simply doesn’t exist, is not valuable and is either impossible to achieve or insanely expensive. There is a COST/BENEFIT position we need to consider.

Summary

DNSSEC might be useful to protect against some threats but it’s very low down on my priority list when it comes to protecting organizations against cyber threats. It’s not even on my list. Watch out for scammy sales actors trying to claim you are insecure because of it… they exist, they are out there, they are a threat to your time/sanity!