Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


GREP DNS records for early detection of domain name hijacking
New on LowEndTalk? Please Register and read our Community Rules.

GREP DNS records for early detection of domain name hijacking

Is there a way to do this in real time? Some crypto projects are having their DNS servers hijacked and re-routing users to compromised front ends/UIs.

Why can't they just write a script to grep the dns for changes and spit out an alert/telegram message/whatever when something changes?

What am I missing?

Comments

  • You're missing that competent people don't work on crypto projects

  • Daniel15Daniel15 Member
    edited August 10

    @sidewinder said: Why can't they just write a script to grep the dns for changes

    If an attacker can get into their DNS servers and change the records, they could probably also disable whatever monitoring scripts are being used?

    Ideally they should have audit logs and/or source control for DNS zones, which should make it easy to tell if there's any unauthorized access. A good IPS/IDS should catch things like this too.

    The thing is that security doesn't really seem to be a big thing with some crypto projects, so they're probably not following best practices for securing servers...

    @sidewinder said: pit out an alert/telegram message/whatever when something changes?

    Might be noisy if they have ALIAS/ANAME records, CNAME records, or change the IPs in an automated way (e.g. failover)

  • jmgcaguiclajmgcaguicla Member
    edited August 10

    @sidewinder said:
    Some crypto projects are having their DNS servers hijacked

    How about they git gud at securing their authoritative nameservers instead of coming up with reactive bandaid solutions?

    Thanked by 1yoursunny
  • sidewindersidewinder Member
    edited August 10

    So it's their accounts at DNS providers like Godaddy, Namecheap, etc, getting hacked/whatever and just changing the ip addresses to the nefarious server.

    couldn't the script just do a reverse ip look up every 5 minutes?

    I am an idiot so surely there is something I am not understanding about detecting any change in dns records...

    Tweet
    See new Tweets
    Conversation
    Curve Finance
    @CurveFinance
    Don't use http://curve.fi site - nameserver is compromised. Investigation is ongoing: likely the NS itself has a problem

    this basically the biggest project in defi. LOL

    Steven Ferguson
    @szferguson
    Upon initial investigation, this did not appear to be a hijack at the registrar level, but rather systems at @iwantmyname
    compromised themselves.

    I mean who TF knows what happened. No one wants to take responsibility obviously so, GREP the DNS records?

    WTF

  • @jmgcaguicla said:

    @sidewinder said:
    Some crypto projects are having their DNS servers hijacked

    How about they git gud at securing their authoritative nameservers instead of coming up with reactive bandaid solutions?

    Well it appears some or all of the attacks have been social engineering or just vulnerabilities in the providers. It's hard to know the truth but that's what the projects are claiming.

  • @MallocVoidstar said:
    You're missing that competent people don't work on crypto projects

    This, 100%.

  • If you're dealing with finances I probably wouldn't use a registrar with "cheap" in the name>
    @sidewinder said:

    @jmgcaguicla said:

    @sidewinder said:
    Some crypto projects are having their DNS servers hijacked

    How about they git gud at securing their authoritative nameservers instead of coming up with reactive bandaid solutions?

    Well it appears some or all of the attacks have been social engineering or just vulnerabilities in the providers. It's hard to know the truth but that's what the projects are claiming.

    Thanked by 1yoursunny
  • Daniel15Daniel15 Member
    edited August 10

    @sidewinder said: so, GREP the DNS records?

    Proactive >>>>> reactive. It's far better to completely prevent being hacked rather than just detecting it afterwards.

    lol at a financial site using the free DNS that comes with the domain. I just checked it now and it looks like they've switched to... DigitalOcean's DNS service now. No DNSSEC either.

    If the registrar's DNS is untrustworthy, then move to another one. Given they're probably making lots of money, they should use a good enterprise-ish DNS provider like DNSMadeEasy.

  • Our DNS check can do that. https://nodeping.com/dns_check.html

  • Hey! Where is @biloh 's cut? You must pay $200.

  • @NodePing said:
    Our DNS check can do that. https://nodeping.com/dns_check.html

    this is cool - how fast will it detect a change?

    I don't care who you are - registrar breach is a threat to any project it only happens more in crypto bc 1) big bounty if u do it and 2) no way or close to impossible
    to get caught

  • @sidewinder said: how fast will it detect a change?

    In as little as 15 seconds with a 15-second interval and a maximum of 5 minutes with a 1-minute interval check.

    Our DNS checks query root servers (when a DNS server is not specified) and ignore TTLs so they fail quickly.

    Give it a shot. We have a free trial.

  • there should be a discord or telegram group with a bot that just spits out any changes to the DNS of the front ends of these defi DAPPS.

    Amazing this doesn't exist.

  • SplitIceSplitIce Member, Host Rep

    I think I need more coffee. I read the title and was like.... whats this new "GREP" record type and how does it work?

    BTW grep the posix utility is lowercase. DNS Record types are typically written upper case.

Sign In or Register to comment.