  1. #1
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,020

    DNSSEC w/ OpenDNS

    FYI

    Cisco Umbrella (OpenDNS) now supports DNSSEC on their production servers 208.67.220.220 & 208.67.220.222

    dnsmasq supports DNSSEC in NGFW v15.0

    This can be enabled by configuring #config/network/advanced/dns_and_dhcp
    Code:
    # Using DNSSEC at OpenDNS servers
    conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
    dnssec

  2. #2
    Untangle Ninja Jim.Alles's Avatar

    Correction to the servers above: 208.67.220.220 & 208.67.222.222

    Here is a receipt that it is doing something (I have not inspected packets, or anything)
    dnssec.png

  3. #3
    Untangle Ninja Jim.Alles's Avatar

    What is DNSSEC about?

    CVE-2008-1447 and more.

    John Wagnon gives an overview on DNSSEC and how F5's DNS services can help secure your domains in this episode of Lightboard Lessons. (9 minutes)
    https://www.youtube.com/watch?v=MrtsKTC3KDM

  4. #4
    Untangle Ninja Jim.Alles's Avatar

    Prevent data exfiltration performed via DNS

    This can be sniffed on the transport, without encryption.

    But even more importantly, DNSSEC can prevent data exfiltration performed via DNS. It is common for attackers to leverage DNS to bypass security controls, and transfer sensitive data outside the organization via the DNS server. One way to do this is take data stored on an internal server, and make DNS requests to an external server, which carry Base64-encoded versions of that data.
    https://www.imperva.com/learn/application-security/dnssec/
    Last edited by Jim.Alles; 05-20-2020 at 10:41 AM.
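
A log-side check for the Base64-in-DNS pattern described in the post above, as an added example that is not part of the original thread. It scans dnsmasq query-log lines (assumes `log-queries` is enabled) for long, high-entropy, Base64-alphabet labels repeated by one client toward one parent domain; the thresholds, names and IPs are constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# dnsmasq "log-queries" format: "... dnsmasq[pid]: query[TYPE] name from client"
QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")
B64_RE = re.compile(r"[A-Za-z0-9+/=_-]+")

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def looks_encoded(label, min_len=24, min_entropy=3.5):
    """Long, Base64-alphabet, high-entropy label. Thresholds are assumptions to tune."""
    return (len(label) >= min_len and B64_RE.fullmatch(label) is not None
            and entropy(label) >= min_entropy)

def find_suspects(lines, min_hits=3):
    """Map (client, parent domain) -> encoded-looking names seen at least min_hits times."""
    hits = defaultdict(list)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies, forwards and other log lines are ignored
        name, client = m.groups()
        labels = name.rstrip(".").split(".")
        # Naive parent = last two labels; a real deployment would use the Public Suffix List.
        if any(looks_encoded(label) for label in labels[:-2]):
            hits[(client, ".".join(labels[-2:]))].append(name)
    return {k: v for k, v in hits.items() if len(v) >= min_hits}

# Constructed sample log: labels are Base64 of harmless filler text; names and IPs are made up.
SAMPLE_LOG = """\
May 20 10:41:01 dnsmasq[1234]: query[A] www.example.com from 192.168.1.20
May 20 10:41:02 dnsmasq[1234]: query[TXT] Y29uc3RydWN0ZWQgc2FtcGxl.t.example.net from 192.168.1.50
May 20 10:41:02 dnsmasq[1234]: query[TXT] cmVjb3JkcyBmb3IgYSBkZW1v.t.example.net from 192.168.1.50
May 20 10:41:03 dnsmasq[1234]: query[TXT] b2YgZG5zIGV4ZmlsIGNoZWNr.t.example.net from 192.168.1.50
May 20 10:41:04 dnsmasq[1234]: query[A] aaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.org from 192.168.1.20
May 20 10:41:05 dnsmasq[1234]: reply www.example.com is 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for (client, parent), names in find_suspects(SAMPLE_LOG).items():
        print(f"{client} -> {parent}: {len(names)} encoded-looking queries")
```

Long hashed labels used by some CDNs and telemetry services will also match, so treat hits as leads to review rather than verdicts.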

  5. #5
    Untangle Ninja Jim.Alles's Avatar

    Quote: Originally posted by Jim.Alles
    This can be sniffed on the transport, without encryption.
    I am not sure that quotation is correct. DNSSEC is not encryption of DNS traffic. It is complementary with DNSCrypt.

    https://www.opendns.com/about/innovations/dnscrypt/
    If you think I got Grumpy
