Understanding DNSSEC: How Does a Client Know if a DNS Zone is Protected?

Recently, I’ve been reading about DNSSEC and how it works. I found other questions and some very interesting answers on this and other websites related to this matter.

However, I have a question to which I couldn’t find an answer anywhere: how can a client know that a DNS zone is supposed to be signed? If machineA never resolved the name example.com, how can DNSSEC prevent an attacker from intercepting the DNS query leaving machineA and replying to that query with a well-formed DNS reply holding a malicious IP address, but which seems to come from the resolver?

In other words, I can’t understand how DNSSEC prevents Man In The Middle Attacks. If the host never resolved the name before, how can it know that the reply is supposed to be signed?

I understand how DNSSEC can protect against cache poisoning, and how the integrity of the messages is assured, but it all seems to fall apart if someone simply sits between the user’s machine and the resolver to strip out dnssec information.

Answer

DNSSec does not protect against MITM attacks. This is also mentioned in the following answer, along with a bit more explanation of how DNSSec works and some of its limitations.

In this paper the author discusses ways to circumvent DNSSec in Section VI, including the ‘intruder-in-the-middle’ attack.
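The question above asks how a client knows a zone is supposed to be signed: in DNSSEC the parent zone's signed DS record, chaining up to the locally configured root trust anchor, tells a validating resolver that, so an unsigned answer for a zone whose parent publishes a DS is rejected as bogus, while a zone whose parent gives a signed proof that no DS exists is treated as insecure and gets no protection at all. The toy model below is added here and is not part of the original question or answer; `Zone`, `security_status` and the sample zone data are constructed assumptions, and signature verification is reduced to a boolean rather than actually checked.

```python
from dataclasses import dataclass, field

# Constructed model of a validating resolver's security-status decision
# (RFC 4035 terms: secure / insecure / bogus). A real validator also verifies
# the RRSIGs and the NSEC/NSEC3 proof of DS absence; here `signed` stands in
# for a signature check that succeeded.

ROOT = "."  # the root key is the configured trust anchor


@dataclass
class Zone:
    name: str
    signed: bool                                   # zone publishes valid RRSIGs
    ds_for: dict = field(default_factory=dict)     # child -> DS present in parent


def security_status(zones: dict, qname: str, stripped: bool = False) -> str:
    """Walk the chain of trust from the root down to qname (a zone name such as
    'example.com.'). stripped=True models an on-path attacker handing back a
    well-formed but unsigned answer for the final zone."""
    labels = [l for l in qname.split(".") if l]
    parent = zones[ROOT]
    if not parent.signed:
        return "bogus"                 # root data must validate against the anchor
    for i in range(len(labels) - 1, -1, -1):
        child = ".".join(labels[i:]) + "."
        if child not in parent.ds_for:
            return "insecure"          # signed denial of DS: nothing to expect
        child_zone = zones[child]
        signed = child_zone.signed and not (stripped and child == qname)
        if not signed:
            return "bogus"             # parent's DS says this zone must be signed
        parent = child_zone
    return "secure"


def sample_zones() -> dict:
    """Constructed data: root -> com. -> example.com. is fully signed,
    while com. publishes no DS for unsigned.com."""
    return {
        ROOT: Zone(ROOT, True, {"com.": True}),
        "com.": Zone("com.", True, {"example.com.": True}),
        "example.com.": Zone("example.com.", True),
        "unsigned.com.": Zone("unsigned.com.", False),
    }
```

Note what the model makes visible: stripping the signatures from a signed zone's answer turns "secure" into "bogus" at a validating resolver, whereas a zone with no DS in its parent is "insecure" either way, and a stub that does not validate and trusts its resolver over an unauthenticated link sees neither distinction.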
