How to protect and detect DNS manipulations from browser side?

I'm afraid we won't have a proper solution until we get everyone to use DNSSEC.

However, I predict that unless someone discovers a really critical flaw in the DNS protocol forcing everyone to implement it, it will take many, many years ☹ (just look at IPv6).

As a partial solution, you could have the DNS resolver set to a trusted DNS resolver which also signs all unsigned responses with its own key. That won't detect that the DNS server provided in the DHCP response is malicious/poisoned, but (adding the appropriate code on the stub resolver) if all DNS queries were answered by the evil DNS server, you could notice that.


I think the only way to detect the attack would be to run a custom script in the background of your session, which would send all your DNS requests to a trusted secured DNS server (using signing or HTTPS) and also to your local DNS. Then it could compare the results and give you an alert box if the results don't match, e.g. if the provided IP addresses are not registered under the same domain...

Tags:

Dns