GREP DNS records for early detection of domain name hijacking

Is there a way to do this in real time? Some crypto projects are having their DNS servers hijacked and re-routing users to compromised front ends/UIs.
Why can't they just write a script to grep the dns for changes and spit out an alert/telegram message/whatever when something changes?
What am I missing?
Comments
You're missing that competent people don't work on crypto projects
If an attacker can get into their DNS servers and change the records, they could probably also disable whatever monitoring scripts are being used?
Ideally they should have audit logs and/or source control for DNS zones, which should make it easy to tell if there's any unauthorized access. A good IPS/IDS should catch things like this too.
The thing is that security doesn't really seem to be a big thing with some crypto projects, so they're probably not following best practices for securing servers...
Might be noisy if they have ALIAS/ANAME records, CNAME records, or change the IPs in an automated way (e.g. failover)
How about they git gud at securing their authoritative nameservers instead of coming up with reactive bandaid solutions?
So it's their accounts at DNS providers like GoDaddy, Namecheap, etc., getting hacked/whatever and just changing the IP addresses to the nefarious server.
Couldn't the script just do a reverse IP lookup every 5 minutes?
I am an idiot so surely there is something I am not understanding about detecting any change in dns records...
This is basically the biggest project in DeFi. LOL
I mean who TF knows what happened. No one wants to take responsibility obviously so, GREP the DNS records?
WTF
Well it appears some or all of the attacks have been social engineering or just vulnerabilities in the providers. It's hard to know the truth but that's what the projects are claiming.
This, 100%.
If you're dealing with finances I probably wouldn't use a registrar with "cheap" in the name.
@sidewinder said:
Proactive >>>>> reactive. It's far better to completely prevent being hacked rather than just detecting it afterwards.
lol at a financial site using the free DNS that comes with the domain. I just checked it now and it looks like they've switched to... DigitalOcean's DNS service now. No DNSSEC either.
If the registrar's DNS is untrustworthy, then move to another one. Given they're probably making lots of money, they should use a good enterprise-ish DNS provider like DNSMadeEasy.
Our DNS check can do that. https://nodeping.com/dns_check.html
Hey! Where is @biloh 's cut? You must pay $200.
this is cool - how fast will it detect a change?
I don't care who you are - registrar breach is a threat to any project. It only happens more in crypto because 1) big bounty if you do it and 2) no way or close to impossible to get caught.
In as little as 15 seconds with a 15-second interval and a maximum of 5 minutes with a 1-minute interval check.
Our DNS checks query root servers (when a DNS server is not specified) and ignore TTLs so they fail quickly.
Give it a shot. We have a free trial.
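As an added example (not code from the thread, from NodePing, or from any of the projects mentioned), this is the kind of poller the OP is asking for: it queries one of the zone's own nameservers so a cache's TTL cannot delay detection, snapshots the answer sets for the record types you care about (the NS set included, so a registrar-level nameserver swap shows up too), and reports only real set changes, so round-robin reordering of A records does not page you. The live lookup assumes dnspython is installed; the domain, file name and record types are placeholders.

```python
# Added example, not code from the thread: poll the zone's own nameservers and alert
# on any change to the answer sets, ignoring round-robin ordering to keep noise down.
import json, sys, time
from pathlib import Path
from typing import Callable, Dict, List

WATCHED_TYPES = ("NS", "A", "AAAA", "CNAME", "MX", "TXT")
Snapshot = Dict[str, List[str]]            # e.g. {"A": ["203.0.113.10"], "NS": [...]}
Resolver = Callable[[str, str], List[str]]  # (name, rtype) -> rdata strings

def make_authoritative_resolver(zone: str) -> Resolver:
    """Query one of the zone's own NS hosts so a cache's TTL cannot delay detection.
    Uses dnspython (assumed installed); the rest of the file is stdlib only."""
    import dns.message, dns.query, dns.resolver
    ns_host = sorted(r.target.to_text() for r in dns.resolver.resolve(zone, "NS"))[0]
    ns_ip = dns.resolver.resolve(ns_host, "A")[0].to_text()
    def resolve(name: str, rtype: str) -> List[str]:
        resp = dns.query.udp(dns.message.make_query(name, rtype), ns_ip, timeout=3)
        return [rr.to_text() for rrset in resp.answer for rr in rrset]
    return resolve

def snapshot(name: str, resolve: Resolver, types=WATCHED_TYPES) -> Snapshot:
    # Sorted, de-duplicated sets: round-robin reordering is not a change.
    return {t: sorted(set(resolve(name, t))) for t in types}

def diff_snapshots(old: Snapshot, new: Snapshot) -> List[str]:
    """One line per record type whose answer set differs between two snapshots."""
    changes = []
    for t in sorted(set(old) | set(new)):
        before, after = set(old.get(t, [])), set(new.get(t, []))
        if before != after:
            changes.append(f"{t}: removed {sorted(before - after)} added {sorted(after - before)}")
    return changes

def check(name: str, state_file: str, resolve: Resolver) -> List[str]:
    """One polling round: diff against the stored baseline, persist the new state,
    return alert lines. The first run only records a baseline: review it by hand."""
    path = Path(state_file)
    current = snapshot(name, resolve)
    previous = json.loads(path.read_text()) if path.exists() else None
    path.write_text(json.dumps(current, indent=1))
    return [] if previous is None else diff_snapshots(previous, current)

if __name__ == "__main__":
    zone, name = sys.argv[1], sys.argv[2]      # e.g. example.com app.example.com
    live = make_authoritative_resolver(zone)
    while True:
        for line in check(name, f"{name}.state.json", live):
            print("ALERT", name, line)           # hook a Telegram/Discord webhook here
        time.sleep(60)
```

If the front end sits behind a CNAME or an automated failover, watch the stable layer (the CNAME target and the NS set) rather than the churning A records, or the comment above about noise applies.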
there should be a discord or telegram group with a bot that just spits out any changes to the DNS of the front ends of these defi DAPPS.
Amazing this doesn't exist.
I think I need more coffee. I read the title and was like.... what's this new "GREP" record type and how does it work?
BTW grep the posix utility is lowercase. DNS Record types are typically written upper case.