7

Is there any way to set a DNSSec-always policy similar to how HSTS commands Web Browsers to always use HTTPS?

This would mitigate a DNSSec-strip attack (similar to SSLStrip).

I'm also unclear whether this would apply to IPsec, where security is mandatory; however, I'm not sure if this requires DNSSec as a prerequisite.

makerofthings7
  • dns2proxy breaks HSTS and yes, one could also downgrade or block DNSSec. It is up to the user to write their own network stack that only supports DNSSec – atdre Apr 01 '15 at 17:55

2 Answers

2

No, there is not a direct HSTS equivalent for DNSSEC. Most clients unfortunately don't support DNSSEC, and therefore couldn't care less about your server's RRSIG record. However, clients that do support DNSSEC will always validate your server's records (assuming you have a valid DS record for your domain set up with your registrar). So, there is no need for an HSTS equivalent for DNSSEC, as DNSSEC clients will never skip validating domains.

ConnorJC
0

The following solution might not scale well, but:

  1. Set up BIND or a similar DNS resolver on the host you want to protect
  2. Configure it to validate DNSSEC (this takes at most 10 minutes)
  3. Configure a software firewall so that only your DNS server can query the upstream DNS servers
  4. Optionally use a browser addon which can display the DNSSEC status

You can adapt this architecture into an enterprise solution, where you set up the DNS server on your network and, on the edge firewall, block DNS requests from IP addresses that are not your DNS server. This assumes your network can be trusted.

user2716262
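The following is an added example, not part of the answer above, showing what steps 1 to 3 look like as concrete configuration on a single Linux host. It assumes BIND 9 running as the `named` user, nftables as the host firewall, and a glibc stub resolver; all of those are assumptions for illustration. The script writes the three files to a directory given as its first argument (or a temporary directory) instead of to `/etc`, so it can be run and inspected without touching the live system.

```shell
#!/bin/sh
# Added example, not from the original answer: generate the configuration for
# steps 1-3 of the answer on a single Linux host. Everything here is an
# assumption for illustration: BIND 9 runs as the "named" user, the host uses
# nftables, and the files are written to $1 (or a temp dir) rather than to
# /etc so the script can be run and inspected safely.
set -eu

# Steps 1 and 2: a recursive BIND 9 resolver bound to loopback that validates
# DNSSEC. "dnssec-validation auto" uses the built-in root trust anchor, so an
# answer with a bad or missing signature for a zone that has a DS record is
# returned to applications as SERVFAIL rather than as an unsigned answer.
write_bind_options() {
  cat > "$1/named.conf.options" <<'EOF'
options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    allow-query { localhost; };
    recursion yes;
    dnssec-validation auto;
};
EOF
}

# Point the host's stub resolver at the local validator. "trust-ad" (glibc
# 2.31+) keeps the AD bit so applications can tell validated answers apart.
write_resolv_conf() {
  cat > "$1/resolv.conf" <<'EOF'
nameserver 127.0.0.1
nameserver ::1
options edns0 trust-ad
EOF
}

# Step 3: the host firewall. Only the resolver's own process may send DNS to
# the Internet; every other process may talk only to the resolver on loopback.
write_nft_rules() {
  resolver_user="$2"
  cat > "$1/dns-egress.nft" <<EOF
table inet dns_egress {
    chain output {
        type filter hook output priority 0; policy accept;
        # the validating resolver may recurse to any authoritative server
        meta skuid "${resolver_user}" udp dport 53 accept
        meta skuid "${resolver_user}" tcp dport 53 accept
        # everyone else: loopback only
        ip daddr 127.0.0.1 udp dport 53 accept
        ip daddr 127.0.0.1 tcp dport 53 accept
        ip6 daddr ::1 udp dport 53 accept
        ip6 daddr ::1 tcp dport 53 accept
        # any other direct DNS would bypass the validator: drop it
        udp dport 53 drop
        tcp dport 53 drop
    }
}
EOF
}

generate_all() {
  write_bind_options "$1"
  write_resolv_conf "$1"
  write_nft_rules "$1" "$2"
}

# Sanity check on the generated files: validation on, egress restricted.
check_generated() {
  grep -q '^ *dnssec-validation auto;' "$1/named.conf.options" || return 1
  grep -q '^nameserver 127.0.0.1' "$1/resolv.conf" || return 1
  grep -q 'meta skuid .* udp dport 53 accept' "$1/dns-egress.nft" || return 1
  grep -q '^ *udp dport 53 drop' "$1/dns-egress.nft" || return 1
  return 0
}

OUT_DIR="${1:-$(mktemp -d)}"
RESOLVER_USER="${RESOLVER_USER:-named}"
generate_all "$OUT_DIR" "$RESOLVER_USER"
check_generated "$OUT_DIR"
echo "wrote named.conf.options, resolv.conf and dns-egress.nft to $OUT_DIR"
```

Two points worth checking before deploying something like this: the nftables rules only cover plain DNS on port 53, so an application that does its own DNS over HTTPS on port 443 still bypasses the local validator and needs separate handling; and because the resolver returns SERVFAIL rather than an unsigned answer when validation fails, a misconfigured or expired signature in a zone you depend on shows up as that zone being unresolvable, which is the behaviour you want but should be monitored.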