Collaborate Disseminate
I just watched a video on DNS that explained that if there is a man-in-the-middle or if someone has taken over your resolver, DNSSEC can prevent the responses from being tampered with because the client can verify that the owner of the zon… Continue reading Does DNSSEC prevent man-in-the-middle at all? [duplicate]
Say a citizen-run journalist site is a target of a hostile government. The site is hosted over HTTPS in a different country, outside the government’s reach. However, the site domain name is within the country’s top level domain.
I think … Continue reading Most likely route to hostile domain take-over?
I am trying to understand NSEC3 record when querying for existing domain name, for NXDOMAIN I understand how it works. RFC has example about WildCard, NODATA & NXDOMAIN
So I fired these queries using dig for google and netflix
and not… Continue reading Understanding DNSSEC NSEC3 output for valid domain name
I manage a few dozen servers that are publicly accessible and must remain so. I see very large volumes of malicious traffic on all of these servers. The malicious traffic starts as port scans (identified by scanlogd) and progresses to a co… Continue reading Is there a way to use DNS to block access to my domain?
I’m learning about DNSSEC today but I don’t quite understand about how a parent zone would store all of its child’s Key Signing Keys (DNSKEY 257) in its DS record set.
As far as I understand, if I have a subdomain, say, subdomain.icann.org… Continue reading Since the DS recordset contains all of the child’s Key Signing Key, wouldn’t the DS recordset be massive and difficult to load for verification?
Consider the following dig command and its truncated output:
dig . dnskey +dnssec +multi @a.root-servers.net
…
…
;; ANSWER SECTION:
. 172800 IN DNSKEY 257 3 8 (
AwEAAaz/tAm8yTn4Mfeh… Continue reading How can I validate the root DNS key-signing-key on the command line?
When a Windows computer wants to resolve a domain name, it offloads the request to a DNS resolver and tells the resolver that it wants to resolve with DNSSEC (by setting the ‘DO’ bit in the query). The DNS resolver will use DNSSEC and will… Continue reading DNSSEC Client Validation – The Last Mile in DNSSEC
I am reading up on secure DNS (DoH, DoT) and trying to identify its differences. Currently, I am on https://www.cloudflare.com/learning/dns/dns-over-tls/ page.
Is there for example some non-negligible performance hit between those two?
I… Continue reading Secure DNS (DoH, DoT) differences, performance, comparison
I set up OpenWRT on my Belkin RT3200 and I want to have quad9 encrypted DNS with dnssec and Secure SNI, but I could not figure out how to set up DNScrypt correctly on my router and I’m not sure if that’s the best method.
I’d like to avoid … Continue reading How to set up DNS encryption on my home router? [migrated]
I’m trying to implement a toy project DNSSEC supported DNS resolver to learn about both DNS and DNSSEC.
Most of my implementation are finished. But for some domains it’s not working correctly, and I noticed some differences when comparing … Continue reading How to properly handle DNSKEY delegation across DNS zones?