In February 2019, Brian Krebs Deep DNS Dive updated the world about a new type of “DNS-based Man-in-the-Middle” attack. A Deep Dive on the Recent Widespread DNS Hijacking Attacks summarizes two reports. The first from Cisco Talos’s DNSpionage Campaign Targets the Middle East. The second is from Mandient Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. The attacks were sobering. This prompted an ask to the community to check the security of their DNS Authoritative services, their DNS Registrars, and their DNS Registries. The problem: the ICANN DNS Security recommendations were confusing to the experts, let alone the normal DNS administrator.
Akamai then pulls together all their DNS experts to simplify a checklist that anyone can use. You can find this in Akamai’s Blog ‘PROTECTING YOUR DOMAIN NAMES: TAKING THE FIRST STEPS‘ for understandable actions to protect your domain. In summary, the “checklist” includes:
You could be at risk!
These defensive DNS administrative tasks apply to large, medium, and small DNS zones. For example, on my zones, I have a registry lock, 2FA, and set up “admin emails” that are not part of the zone. Read through ‘PROTECTING YOUR DOMAIN NAMES: TAKING THE FIRST STEPS‘ and ask questions to firstname.lastname@example.org. People will help.
Additional Reference Articles from 2019
- Cisco Talos: DNS Hijacking Abuses Trust In Core Internet Service (2019-04-17)
- Wired: Cyberspies Hijacked the Internet Domains of Entire Countries – A mysterious new group called Sea Turtle targeted 40 organizations in a DNS hijacking spree. (2019-04-17)
- Cisco Talos: Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques (2019-07-09)
- Cisco Duo: (Video) DNSpionage & Sea Turtle: A New Breed of DNS Attack
- A Conference for Defense – ACoD: Briefing on Dec 18 – Jan 19 DNS/IMAP Prepositioning Attacks – Bill Woodcock – Briefing on what really happened with one of the DNS Hijack Attacks.
- A Conference for Defense – ACoD: Ops Track 01/31/19 – State of the Art of DNS Security – Bill Woodcock – additional briefing from Bill on what really happened.
Are you looking for more practical, public-service Security Advice?
- Subscribe to the Senki Community Mailing List. You can sign up for the mailing list for updates here: Stay Connected with Senki’s Updates.
- Subscribe to Senki’s YOUTUBE Channel for videos on this and other security topics.
- Ask questions to Barry Greene – email@example.com
The materials and guides posted on www.senki.org here are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security for all Operators. It provides details to help them build more security-resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.