DNSSEC Testing Guide for Penetration Testers
What is DNSSEC?
DNS Security Extensions (DNSSEC) is a suite of security extensions to DNS that provides authentication and integrity verification for DNS responses. It was designed to protect against DNS-based attacks such as cache poisoning and man-in-the-middle attacks.
The Problem DNSSEC Solves
Traditional DNS has no built-in security mechanisms:
No Authentication: You can't verify who sent a DNS response
No Integrity: You can't detect if a response was tampered with
Cache Poisoning: Attackers can inject false DNS records
Man-in-the-Middle: Malicious actors can intercept and modify DNS traffic
What DNSSEC Provides
Data Authentication: Verifies the DNS response came from the authoritative source
Data Integrity: Ensures DNS data hasn't been modified in transit
Authenticated Denial of Existence: Proves that a domain or record doesn't exist
⚠️ Important: DNSSEC does NOT provide confidentiality (encryption). DNS queries and responses are still sent in plaintext.
Why DNSSEC Matters in Pentesting
As a penetration tester, understanding DNSSEC is crucial because:
Security Benefits
Prevents DNS spoofing attacks
Mitigates cache poisoning vulnerabilities
Provides authenticated responses
Pentesting Implications
Missing DNSSEC = Potential attack vector
Misconfigured DNSSEC = Service disruption risk
Broken DNSSEC = Worse than no DNSSEC (causes resolution failures)
Common Findings
Organizations often overlook DNSSEC implementation
Misconfigured DNSSEC can cause legitimate traffic failures
DNSSEC rollover procedures are frequently poorly managed
How DNSSEC Works
DNSSEC uses public key cryptography to sign DNS records and create a chain of trust.
Key Concepts
1. Digital Signatures (RRSIG)
Each DNS record set is digitally signed
Signatures are stored in RRSIG records
Validators can verify signatures using public keys
2. Public Keys (DNSKEY)
Public keys are stored in DNSKEY records
Used to verify RRSIG signatures
Two types: Zone Signing Key (ZSK) and Key Signing Key (KSK)
3. Chain of Trust (DS Records)
Parent zones store DS (Delegation Signer) records
DS records contain hashes of child zone's DNSKEY records
Creates a hierarchical trust chain from root DNS
4. Authenticated Denial (NSEC/NSEC3)
Proves non-existence of records
NSEC: Lists next existing record
NSEC3: Hashed version (makes zone walking harder)
Trust Chain Example
```text
Root Zone (.)
  ↓ (signs .com DS record)
.com Zone
  ↓ (signs example.com DS record)
example.com Zone
  ↓ (signs individual records)
www.example.com A record
```
DNSSEC Record Types
| Record Type | Purpose | Contains |
|---|---|---|
| RRSIG | Digital signature | Cryptographic signature of record set |
| DNSKEY | Public key | Public key for signature verification |
| DS | Delegation Signer | Hash of child zone's DNSKEY |
| NSEC | Next Secure | Proves non-existence, lists next record |
| NSEC3 | Next Secure v3 | Hashed version of NSEC |
| NSEC3PARAM | NSEC3 Parameters | Parameters for NSEC3 processing |
Testing for DNSSEC
Quick DNSSEC Status Check
The fastest way to check if a domain has DNSSEC:
```bash
dig +dnssec +noall +answer example.com A
```
If DNSSEC is enabled, you'll see RRSIG records:
```text
example.com. 300 IN A 93.184.216.34
example.com. 300 IN RRSIG A 8 2 300 20231201000000 20231124000000 12345 example.com. [signature_data]
```
If DNSSEC is NOT enabled, you'll only see the A record:
```text
example.com. 300 IN A 93.184.216.34
```
Comprehensive DNSSEC Testing
1. Check for DNSSEC Records
```bash
# Check for DNSKEY records (public keys)
dig +dnssec example.com DNSKEY
# Check for DS records in parent zone
dig +dnssec example.com DS
# Check for NSEC/NSEC3 records
dig +dnssec nonexistent.example.com A
```
2. Validate DNSSEC Chain
```bash
# Use delv for validation (recommended)
delv example.com A
# Verbose validation trace
delv +vtrace example.com A
# Check specific record types
delv example.com MX
delv example.com TXT
```
3. Test DNSSEC Validation
```bash
# Test with drill (alternative to delv)
drill -D example.com A
# Use dig with trace for full resolution path
dig +dnssec +trace example.com A
```
Common DNSSEC Misconfigurations
1. Broken Trust Chain
Symptoms:
```bash
delv example.com A
# Output: ;; broken trust chain resolving 'example.com/A/IN'
```
Causes:
Missing or incorrect DS record in parent zone
Expired signatures (RRSIG records)
Key rollover issues
Clock synchronization problems
Testing:
```bash
# Check DS record in parent zone
dig +dnssec example.com DS @8.8.8.8
# Check DNSKEY in zone
dig +dnssec example.com DNSKEY
# Verify signature timestamps (+multi puts the expiration/inception dates on the line after "RRSIG")
dig +dnssec +multi example.com SOA | grep -A 2 RRSIG
```
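A "missing or incorrect DS record" finding can be confirmed offline from the two records above: the DS in the parent must carry the key tag of the child's DNSKEY and a digest of the owner name plus DNSKEY RDATA (RFC 4034). This is an added example, not part of the original guide; the DNSKEY and DS lines it uses are constructed test data, not real example.com records.

```python
import base64
import hashlib

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercased, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line: str):
    """Parse 'owner ttl IN DNSKEY flags proto alg base64...' into (owner, rdata bytes)."""
    f = line.split()
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    pubkey = base64.b64decode("".join(f[7:]))  # dig may split the key across several tokens
    return f[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest type numbers

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest per RFC 4034 section 5.1.4: hash(owner name wire form | DNSKEY RDATA)."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def make_ds_line(dnskey_line: str, digest_type: int = 2) -> str:
    """Build the DS record the parent zone should publish for this DNSKEY (like dnssec-dsfromkey)."""
    owner, rdata = parse_dnskey(dnskey_line)
    return "%s 86400 IN DS %d %d %d %s" % (owner, key_tag(rdata), rdata[3], digest_type,
                                           ds_digest(owner, rdata, digest_type))

def ds_matches_dnskey(ds_line: str, dnskey_line: str) -> dict:
    """Compare a parent-side DS record against a child-side DNSKEY record field by field."""
    f = ds_line.split()
    ds_tag, ds_alg, ds_dtype, ds_hex = int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]).upper()
    owner, rdata = parse_dnskey(dnskey_line)
    return {"key_tag_ok": ds_tag == key_tag(rdata),
            "algorithm_ok": ds_alg == rdata[3],
            "digest_ok": ds_hex == ds_digest(owner, rdata, ds_dtype)}

# Constructed KSK (flags 257, ECDSAP256SHA256) with a dummy 4-byte key, for demonstration only
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="

if __name__ == "__main__":
    print(make_ds_line(SAMPLE_DNSKEY))
    print(ds_matches_dnskey(make_ds_line(SAMPLE_DNSKEY), SAMPLE_DNSKEY))
```

Feed it the DNSKEY line from the child zone and the DS line returned by the parent; any False field explains the "broken trust chain" delv reports.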
2. Expired Signatures
Detection:
```bash
# Check signature expiration dates
dig +dnssec +multi example.com A | grep -A 5 RRSIG
```
Look for dates in the past in the RRSIG record.
3. Missing NSEC/NSEC3 Records
Testing:
```bash
# Query non-existent record
dig +dnssec nonexistent.example.com A
# Should return NSEC or NSEC3 records proving non-existence
```
4. Incorrect Algorithm Usage
Detection:
```bash
# Check algorithm numbers in DNSKEY
dig +dnssec example.com DNSKEY
# Common algorithms:
# 7 = RSASHA1-NSEC3-SHA1
# 8 = RSASHA256
# 13 = ECDSAP256SHA256
# 15 = ED25519
```
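The expired-signature and weak-algorithm checks above can be automated by parsing the RRSIG fields (type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer) from captured dig output. Added example, not code from the original guide; the sample output is constructed and the signature blobs are placeholders. The weak set follows RFC 8624 (RSAMD5, DSA and SHA-1 based algorithms).

```python
from datetime import datetime, timezone

# DNSSEC algorithm numbers from the IANA registry; the weak set follows RFC 8624 guidance
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
WEAK_ALGORITHMS = {1, 3, 5, 6, 7}   # RSAMD5, DSA and SHA-1 based: deprecated or not recommended
TS = "%Y%m%d%H%M%S"                  # RRSIG timestamp presentation format (UTC)

def parse_rrsig(line: str) -> dict:
    """Parse one RRSIG line in dig's single-line presentation format (RFC 4034 section 3.2)."""
    f = line.split()
    # owner ttl class RRSIG type_covered alg labels orig_ttl expiration inception key_tag signer sig
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG line: " + line)
    return {"owner": f[0], "type_covered": f[4], "algorithm": int(f[5]), "labels": int(f[6]),
            "original_ttl": int(f[7]), "expiration": datetime.strptime(f[8], TS),
            "inception": datetime.strptime(f[9], TS), "key_tag": int(f[10]), "signer": f[11]}

def check_rrsig(line: str, now: datetime) -> list:
    """Return findings for one RRSIG; an empty list means the metadata looks sane."""
    r, findings = parse_rrsig(line), []
    if now > r["expiration"]:
        findings.append("expired " + r["expiration"].strftime(TS))
    elif now < r["inception"]:
        findings.append("not yet valid (clock skew or premature publication)")
    if r["algorithm"] in WEAK_ALGORITHMS:
        findings.append("weak algorithm %d (%s)" % (r["algorithm"], ALGORITHMS.get(r["algorithm"], "?")))
    return findings

def audit_dig_output(text: str, now_str: str = None) -> dict:
    """Map each covered type to its findings, over every RRSIG line in captured dig output."""
    now = datetime.strptime(now_str, TS) if now_str else datetime.now(timezone.utc).replace(tzinfo=None)
    return {ln.split()[4]: check_rrsig(ln, now) for ln in text.splitlines() if " RRSIG " in ln}

# Constructed sample output (not real example.com data); the signature blobs are placeholders
SAMPLE = """example.com. 300 IN A 93.184.216.34
example.com. 300 IN RRSIG A 8 2 300 20231201000000 20231124000000 12345 example.com. c2lnbmF0dXJl
example.com. 300 IN RRSIG MX 7 2 300 20991231235959 20231124000000 54321 example.com. c2lnbmF0dXJl
"""

if __name__ == "__main__":
    for rtype, notes in audit_dig_output(SAMPLE).items():
        print("%-5s %s" % (rtype, ", ".join(notes) or "ok"))
```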
Attack Scenarios
1. DNS Cache Poisoning (Without DNSSEC)
Scenario: Attacker injects false DNS records into resolver cache
Test:
```bash
# Check if domain is vulnerable (no DNSSEC)
if ! dig +dnssec +noall +answer target.com A | grep -q RRSIG; then
    echo "VULNERABLE: No DNSSEC - Cache poisoning possible"
fi
```
2. Man-in-the-Middle DNS Attacks
Scenario: Attacker intercepts and modifies DNS responses
Impact: Without DNSSEC, clients cannot detect modified responses
3. DNS Spoofing
Scenario: Attacker provides false DNS responses
Mitigation: DNSSEC validation would detect invalid signatures
4. Zone Enumeration (NSEC Walking)
Scenario: Attacker uses NSEC records to enumerate all records in a zone
Test:
```bash
# Check if zone uses NSEC (vulnerable to walking)
dig +dnssec nonexistent.example.com A | grep NSEC
# NSEC3 is more secure (hashed record names)
dig +dnssec nonexistent.example.com A | grep NSEC3
```
Reporting Guidelines
Finding Classification
High Risk: Missing DNSSEC
Title: "DNS Security Extensions (DNSSEC) Not Implemented"
Risk: High (for critical domains) / Medium (for general domains)
Evidence: Screenshot of dig command showing no RRSIG records
Medium Risk: Broken DNSSEC
Title: "DNSSEC Implementation Misconfigured"
Risk: Medium/High (can cause service disruption)
Evidence: delv output showing validation failures
Low Risk: Suboptimal DNSSEC
Title: "DNSSEC Uses Deprecated Algorithms"
Risk: Low/Medium
Evidence: DNSKEY records showing old algorithm numbers
Evidence Collection
Command for Clean Evidence
```bash
dig +dnssec +noall +answer example.com A
```
Professional Report Format
```text
Finding: Missing DNSSEC Implementation
Domain: example.com
Evidence: DNS queries return unsigned responses
Command Used: dig +dnssec +noall +answer example.com A
Result: No RRSIG records present
Impact:
- DNS responses cannot be authenticated
- Vulnerable to cache poisoning attacks
- Susceptible to DNS spoofing
Recommendation:
- Implement DNSSEC with proper key management
- Ensure regular key rotation procedures
- Monitor DNSSEC validation status
```
Automation Script
```bash
#!/bin/bash
# DNSSEC Check Script for Multiple Domains
# Usage: ./dnssec_check.sh domains.txt   (one domain per line)
domains_file="$1"
output_file="dnssec_results.txt"
if [ -z "$domains_file" ] || [ ! -r "$domains_file" ]; then
    echo "Usage: $0 <domains_file>" >&2
    exit 1
fi
echo "DNSSEC Testing Results - $(date)" > "$output_file"
echo "=======================================" >> "$output_file"
while IFS= read -r domain; do
    [ -z "$domain" ] && continue   # skip blank lines
    echo "Testing: $domain"
    if dig +dnssec +noall +answer "$domain" A | grep -q RRSIG; then
        echo "$domain: DNSSEC ENABLED" >> "$output_file"
    else
        echo "$domain: NO DNSSEC" >> "$output_file"
    fi
done < "$domains_file"
echo "Results saved to $output_file"
```
Tools and Commands Reference
Essential Tools
dig (Domain Information Groper)
Purpose: DNS lookup and testing
Best for: Quick DNSSEC status checks
Installation: Usually pre-installed on Linux/macOS
```bash
# Basic DNSSEC check
dig +dnssec example.com A
# Clean output for reports
dig +dnssec +noall +answer example.com A
# Multi-line format for analysis
dig +dnssec +multi example.com A
# Trace full resolution path
dig +dnssec +trace example.com A
```
delv (Domain Entity Lookup and Validation)
Purpose: DNSSEC validation testing
Best for: Validating DNSSEC chains
Installation: Part of BIND utilities
```bash
# Basic validation
delv example.com A
# Verbose trace
delv +vtrace example.com A
# Short answer only
delv +short example.com A
# Specific record type
delv example.com MX
```
drill
Purpose: DNS lookup with DNSSEC support
Best for: Alternative to dig/delv
Installation:
```bash
apt-get install ldnsutils
```
```bash
# DNSSEC validation
drill -D example.com A
# Trace resolution
drill -T example.com A
# Specific server
drill @8.8.8.8 example.com A
```
Online Testing Tools
DNSViz: https://dnsviz.net/ (Visual DNSSEC analysis)
Verisign DNSSEC Analyzer: Online validation tool
DNS Checker: Multiple location DNSSEC testing
Command Quick Reference
| Task | Command |
|---|---|
| Check DNSSEC status | dig +dnssec +noall +answer domain.com A |
| Validate DNSSEC | delv domain.com A |
| Check DNSKEY records | dig +dnssec domain.com DNSKEY |
| Check DS records | dig +dnssec domain.com DS |
| Test non-existence | dig +dnssec nonexistent.domain.com A |
| Full validation trace | delv +vtrace domain.com A |
| Clean report output | dig +dnssec +noall +answer domain.com A |
Troubleshooting Common Issues
Issue: "broken trust chain"
Solution: Check DS record in parent zone and DNSKEY in target zone
Issue: "timed out"
Solution: Try different DNS server or check network connectivity
Issue: No RRSIG but DNSKEY exists
Solution: Zone is signed but signatures may be expired or broken
Additional Resources
RFC 4033-4035: DNSSEC specification
NIST Guidelines: DNSSEC deployment guide
ISC BIND: DNSSEC configuration documentation
DNSViz: Visual DNSSEC analysis tool
This guide provides foundational knowledge for penetration testers to understand and test DNSSEC implementations effectively. Always ensure you have proper authorization before testing target domains.

