DNS Hijacking
Want to bankrupt or bring down a major ecommerce company for a couple of weeks? You can do this with DNS (Domain Name System), but don't try this at home, he he he. Consider this scenario: someone hijacks the DNS of, let's say, a bank, either by direct access to the DNS servers or via the registrar where the domain is registered, if the registrar account is not protected with 2FA (two-factor authentication or RSA tokens). Once they control your DNS servers, they can set up a Linux/PowerShell script to delete all DNS records except NS (Name Server) and SOA (Start of Authority) and replace them with a wildcard (*) record. This way they don't have to dig through the source code to find which records need to be changed; if the target is a bank, they don't have to look up the database servers, the Online Banking system or the ATM records, which would take time even with access to those DNS records. They simply replace them all with a wildcard record, set a really high TTL (Time to Live), let's say 4 weeks or the maximum possible, and voila: they can point it at their own servers or at a non-routable address like 0.0.0.0, and then quickly run queries against all the major resolvers around the world so those caches pick up the change. If someone does this on your DNS servers in less than 5 minutes, you are in big trouble. In that short time you as the DNS engineer will not notice it happened, because it is done so fast, unless you monitor your DNS entries and check that they match what they are supposed to be. But within those 5 minutes the change has propagated all over the globe. To recover, you would have to announce on Twitter or a TV news network, asking the DNS engineers who run the major caching resolvers to clear the cache for your DNS entries. It would be a global effort to help you recover from this DNS hijack, similar to the CrowdStrike incident a couple of months ago.
So if you are a bank, you should consider, as a disaster recovery scenario, having a standby URL for your Online Banking system in a different DNS domain, so you can at least provide some business continuity. It is involved, though, because you would need to change the source code for your databases and the SSL certificates to point to the different Online Banking URL. Forget about the Online Banking mobile application; it would also be down in this type of DNS attack. The other way for a hacker to do this to your online presence would be to log in where your domain is registered, change the authoritative DNS servers to his/her own, and hijack the DNS that way. DNS is a beast and must be carefully monitored and properly secured. I wanted to share this because I believe it is important for DNS engineers around the world to know that wildcard (*) DNS records are a major DNS security risk affecting all DNS software applications. Have a great day and Happy DNSing, and if you find this insightful please endorse me for DNS. Thank you! #dns #dnssecurity #ddi
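The one defence both paragraphs come back to is monitoring: knowing what the zone is supposed to contain and noticing when it does not. The script below is an added example, not code from the original post. It compares an observed snapshot of a zone against an approved baseline and flags the warning signs described above: records that disappeared, a wildcard owner that appeared, a TTL pushed far above policy, and a changed apex NS set, which is what a registrar-side swap of the authoritative servers looks like. The `Record` class, the `check_zone` function, the one-day `MAX_TTL` policy ceiling, and every name and address in the sample data are assumptions constructed for this example; a real deployment would fill the observed snapshot from the authoritative servers (with dig or dnspython, for instance) instead of an inline list.

```python
"""Zone baseline check (added example, not from the original post).

Compares an observed snapshot of a zone's records against an approved
baseline and reports: records that disappeared, a wildcard (*) owner that
appeared, TTLs above policy, and a changed apex NS set. All names,
addresses and TTL values below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Record:
    name: str   # owner name, fully qualified, e.g. "www.example-bank.test."
    rtype: str  # record type, e.g. "A", "CNAME", "NS", "SOA"
    rdata: str  # record data rendered as text
    ttl: int    # time to live, in seconds


# Hypothetical policy ceiling on TTL: one day. The attack in the post relies
# on TTLs of weeks, so anything above this deserves a look.
MAX_TTL = 86400


def is_wildcard(name: str) -> bool:
    """True when the leftmost label of the owner name is '*'."""
    return name.split(".")[0] == "*"


def check_zone(baseline: Iterable[Record], observed: Iterable[Record],
               zone: str, max_ttl: int = MAX_TTL) -> list[tuple[str, str]]:
    """Return (category, message) findings; an empty list means the zone matches."""
    base = {(r.name, r.rtype, r.rdata): r for r in baseline}
    obs = {(r.name, r.rtype, r.rdata): r for r in observed}
    findings: list[tuple[str, str]] = []

    # The apex NS set is compared as a whole, outside the per-record diff,
    # because a delegation change is a different kind of event.
    def ns_set(records: dict) -> set[str]:
        return {r.rdata for r in records.values()
                if r.rtype == "NS" and r.name == zone}

    def is_apex_ns(key: tuple[str, str, str]) -> bool:
        return key[1] == "NS" and key[0] == zone

    if ns_set(base) != ns_set(obs):
        findings.append(("NS_CHANGE",
                         f"apex NS set changed: removed {sorted(ns_set(base) - ns_set(obs))}, "
                         f"added {sorted(ns_set(obs) - ns_set(base))}"))

    # Records in the baseline that are no longer served.
    for name, rtype, rdata in sorted(base.keys() - obs.keys()):
        if not is_apex_ns((name, rtype, rdata)):
            findings.append(("MISSING", f"{rtype} {name} -> {rdata} no longer served"))

    # Records served that the baseline never approved; wildcards get their own tag.
    for name, rtype, rdata in sorted(obs.keys() - base.keys()):
        if is_apex_ns((name, rtype, rdata)):
            continue
        tag = "WILDCARD" if is_wildcard(name) else "ADDED"
        findings.append((tag, f"{rtype} {name} -> {rdata} not in baseline"))

    # TTLs above policy, checked on every observed record.
    for r in obs.values():
        if r.ttl > max_ttl:
            findings.append(("TTL", f"{r.rtype} {r.name} ttl={r.ttl} exceeds {max_ttl}"))

    return findings


ZONE = "example-bank.test."  # constructed zone name (RFC 2606 TLD)

# Constructed approved baseline.
BASELINE = [
    Record(ZONE, "SOA", "ns1.example-bank.test. hostmaster.example-bank.test. 1 7200 3600 1209600 300", 3600),
    Record(ZONE, "NS", "ns1.example-bank.test.", 3600),
    Record(ZONE, "NS", "ns2.example-bank.test.", 3600),
    Record("www.example-bank.test.", "A", "192.0.2.10", 300),
    Record("online.example-bank.test.", "A", "192.0.2.20", 300),
    Record("api.example-bank.test.", "CNAME", "online.example-bank.test.", 300),
]

# Constructed snapshot with the shape the post describes: the hostnames are
# gone, a wildcard with a four-week TTL stands in for them, and one name
# server at the apex has been swapped.
HIJACKED = [
    BASELINE[0],
    Record(ZONE, "NS", "ns1.example-bank.test.", 3600),
    Record(ZONE, "NS", "ns1.rogue.example.", 3600),
    Record("*.example-bank.test.", "A", "203.0.113.5", 2419200),
]

if __name__ == "__main__":
    for category, message in check_zone(BASELINE, HIJACKED, ZONE):
        print(f"[{category}] {message}")
```

Run on a schedule every few minutes, the check catches the scenario well inside the five-minute window the post worries about. The observed snapshot should be taken from each authoritative server in turn, and the apex NS set should also be read from the parent zone's delegation, since a registrar-side change shows up there first.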