testing

Raiders0786 · Raiders0786 · commit 5c54aa246d8c · 2025-10-13T13:50:18.000+05:30
diff --git a/docs/pages/infrastructure/dns-and-domain-registration.mdx b/docs/pages/infrastructure/dns-and-domain-registration.mdx
@@ -0,0 +1,270 @@
+---
+title: "DNS and Domain Registration Security"
+tags:
+  - Engineer/Developer
+  - Security Specialist
+  - Operations & Strategy
+contributors:
+  - role: wrote
+    users: [Raiders0786]
+---
+
+import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'
+
+<TagProvider>
+<TagFilter />
+
+# DNS and Domain Registration Security
+
+<TagList tags={frontmatter.tags} />
+<AttributionList contributors={frontmatter.contributors} />
+
+DNS (Domain Name System) is the backbone of the internet, translating domain names into IP addresses. In Web3, domain security is particularly critical as compromised domains can lead to irreversible financial losses through wallet drainers and phishing attacks. Unlike traditional web applications where stolen funds can sometimes be recovered, blockchain transactions are permanent, making domain security a matter of financial survival for Web3 projects.
+
+## Understanding the Attack Surface
+
+### How DNS Resolution Works
+When users type your domain, their request traverses multiple trust points:
+1. Local device cache
+2. ISP DNS resolver  
+3. Root nameservers
+4. TLD registry servers
+5. Your authoritative nameservers
+
+Each step represents a potential attack vector where responses can be intercepted, modified, or poisoned. This multi-step process creates numerous opportunities for attackers to redirect users to malicious sites while their browser still shows the correct domain name.
+
+### Common Attack Vectors
+- **Social Engineering at Registrars**: Attackers convince support staff they're legitimate owners using publicly available information
+- **Expired Domain Sniping**: Domains that expire enter a grace period before becoming publicly available to anyone
+- **DNS Hijacking**: Unauthorized changes to DNS records redirecting traffic to malicious servers
+- **Email Interception**: Compromised MX records allowing password reset attacks and communication interception
+- **DNS Tunneling**: Encoding data within DNS queries for covert communication channels, often used for data exfiltration
+
+## DNS-Level Security
+
+### DNSSEC Implementation
+DNSSEC provides cryptographic authentication of DNS responses.
+
+1. **Enable DNSSEC signing** at your DNS provider
+2. **Publish DS records** to your registrar
+3. **Monitor DNSSEC validation** status regularly
+4. **Test configuration** using tools like DNSViz or Verisign DNSSEC Debugger
+
+### CAA Records
+Certificate Authority Authorization records specify which CAs can issue certificates for your domain.
+
+```dns
+example.com. CAA 0 issue "letsencrypt.org"
+example.com. CAA 0 issue "digicert.com"
+example.com. CAA 0 iodef "mailto:security@example.com"
+```
+
+### Email Security Configuration
+
+#### SPF (Sender Policy Framework)
+```dns
+example.com. TXT "v=spf1 include:_spf.google.com ~all"
+```
+
+#### DMARC (Domain-based Message Authentication)
+```dns
+_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com"
+```
+
+#### DKIM (DomainKeys Identified Mail)
+Configure with your email provider and publish public keys in DNS.
+
+#### MTA-STS (Mail Transfer Agent Strict Transport Security)
+```dns
+_mta-sts.example.com. TXT "v=STSv1; id=20240101000000"
+```
+
+## Registrar Security
+
+### Choosing a Secure Registrar
+
+#### Enterprise-Grade Registrars (Recommended)
+- **MarkMonitor**: Used by Fortune 500 companies, requires legal documentation for changes
+- **CSC (Corporation Service Company)**: Registry-level domain locks, dedicated account management
+- **AWS Route53**: IAM policy integration, CloudTrail logging, uses Amazon Registrar for major TLDs
+- **Cloudflare Registrar**: No markup pricing, automatic DNSSEC, built-in DDoS protection
+
+#### Consumer Registrars to Avoid for Critical Domains
+- GoDaddy (history of social engineering vulnerabilities)
+- Consumer-focused services (Google Domains/Squarespace)
+- Resellers (additional attack surface)
+
+### Registrar-Level Protections
+
+#### 1. Registry Lock (EPP Lock)
+Registry lock prevents unauthorized transfers at the registry level, not just the registrar.
+- **What it does**: Requires manual verification with the registry for any changes
+- **How to enable**: Contact enterprise registrars for registry-operator level locks
+- **Note**: Different from standard transfer locks which only prevent transfers between registrars
+
+#### 2. Multi-Factor Authentication
+- **Hardware Security Keys** (YubiKey/FIDO2): Most secure option
+- **TOTP Applications**: Minimum acceptable standard
+- **Avoid SMS 2FA**: Vulnerable to SIM swapping
+
+#### 3. Dedicated Security Contact Email
+```
+❌ admin@yourdomain.com (circular dependency)
+❌ personal@gmail.com (too many attack vectors)
+✅ domain-security-only@protonmail.com (isolated, dedicated purpose)
+```
+
+#### 4. Access Control Best Practices
+- Document all personnel with registrar access
+- Use role-based access where available
+- Implement approval workflows for critical changes
+- Regular access audits (quarterly minimum)
+
+## Monitoring and Detection
+
+### DNS Record Monitoring
+Watch for these warning signs:
+- Nameserver (NS) record changes
+- TTL values dropping below 300 seconds
+- New A/AAAA records or changes to existing ones
+- MX record modifications
+- CAA record removal
+- DNSSEC disabled unexpectedly
+
+### Certificate Transparency Monitoring
+- Monitor CT logs for unauthorized certificate issuance
+- Set up alerts for new certificates via services like crt.sh monitoring
+- Watch for wildcard certificates if you don't use them
+
+### Passive DNS Monitoring
+Track historical DNS resolution data to detect:
+- Brief record changes (often missed in periodic checks)
+- Geographic anomalies in resolved IPs
+- Suspicious hosting provider changes
+
+## Setting Up Alerts
+
+### Critical Alerts (Immediate Response Required)
+
+1. **Registrar Changed**
+   - **What it monitors**: Changes to your domain's registrar
+   - **Why it's critical**: Indicates potential domain hijacking or unauthorized transfer
+   - **Response**: Immediate verification and potential incident response activation
+
+2. **Nameserver Changed** 
+   - **What it monitors**: Changes to nameserver records
+   - **Why it's critical**: Attackers often change nameservers to redirect traffic to malicious servers
+   - **Response**: Verify legitimacy, check if you initiated the change
+
+3. **DNSSEC Broken**
+   - **What it monitors**: DNSSEC validation failures or disabled DNSSEC
+   - **Why it's critical**: DNS responses can be tampered with, leading to man-in-the-middle attacks
+   - **Response**: Investigate signing issues, check for configuration changes
+
+4. **CAA Records Removed**
+   - **What it monitors**: Removal of Certificate Authority Authorization records
+   - **Why it's critical**: Allows any CA to issue certificates for your domain, enabling SSL certificate attacks
+   - **Response**: Restore CAA records immediately, investigate who removed them
+
+5. **TTL Drop Under 60 Seconds**
+   - **What it monitors**: Time-to-live values dropping below 60 seconds
+   - **Why it's critical**: Very low TTLs can indicate preparation for rapid DNS changes (attack preparation)
+   - **Response**: Investigate why TTL was lowered, verify it's legitimate
+
+### High Priority Alerts (Investigate Within Hours)
+
+1. **A Record Changed**
+   - **What it monitors**: Changes to IP address mappings
+   - **Why it's important**: Could redirect users to malicious servers
+   - **Response**: Verify the new IP address is legitimate and expected
+
+2. **MX Record Changed**
+   - **What it monitors**: Changes to mail server configurations
+   - **Why it's important**: Could intercept emails, including password reset messages
+   - **Response**: Verify mail server changes are authorized
+
+3. **DMARC Policy Weakened**
+   - **What it monitors**: Changes from "reject" to "quarantine" or "none"
+   - **Why it's important**: Weaker policies allow more spoofed emails to reach users
+   - **Response**: Investigate why policy was weakened, restore if unauthorized
+
+4. **Unexpected Certificate Issued**
+   - **What it monitors**: New SSL certificates issued for your domain
+   - **Why it's important**: Could indicate certificate-based attacks or unauthorized issuance
+   - **Response**: Verify the certificate was requested by your team, revoke if unauthorized
+
+## Incident Response Plan
+
+### Immediate Response
+1. **Verify the compromise** - Check DNS records via multiple resolvers
+2. **Access registrar account** - Attempt login, check for lockout
+3. **Contact registrar security team** - Use pre-documented emergency contacts
+4. **Document everything** - Screenshot all current settings
+
+### Containment
+1. **Invoke registry lock** if available
+2. **Update NS records** if you maintain access
+3. **Warn users** via social media/status page
+4. **Contact law enforcement** if significant theft occurred
+
+### Recovery
+1. **Regain control** through registrar security procedures
+2. **Audit all DNS records** against known-good baseline
+3. **Reset all credentials** for registrar and DNS hosting
+4. **Review access logs** to understand attack vector
+
+### Post-Incident
+1. **Conduct thorough investigation**
+2. **Update security measures** based on lessons learned
+3. **Consider legal action** if appropriate
+4. **Publish transparency report** to rebuild trust
+
+
+## Web3-Specific Considerations
+
+### Why Domain Security is Critical in Web3
+- **Irreversible transactions**: Stolen funds cannot be reversed
+- **Direct wallet interactions**: Users connect wallets directly to your domain
+- **Smart contract immutability**: Contracts can't help if users never reach them
+- **Reputation damage**: One incident can permanently destroy protocol trust
+
+### Additional Web3 Protections
+- Consider ENS domains as backup communication channels
+- Implement multiple warning channels (Twitter, Discord, Telegram)
+- Use IPFS or other decentralized hosting for critical security notices
+- Maintain cryptographically signed DNS record hashes on-chain
+
+## Historical Context
+
+### Notable Domain Security Incidents
+Domain hijacking has impacted numerous Web3 projects:
+- **[Curve Finance (2022)](https://rekt.news/curve-finance-rekt)**: DNS hijacking led to $575k in stolen funds through frontend compromise
+- **[Galxe (2023)](https://help.galxe.com/en/articles/8452958-october-6th-dns-security-incident-statement-guide)**: DNS hijack resulted in over 1,100 wallets drained for $270k
+- **[Compound Finance (2024)](https://www.bitget.com/news/detail/12560604092919#:~:text=The%20attack%20was%20first%20detected%20when%20users,to%20access%20Compound%20Finance%27s%20interface%20at%20compound.)**: Domain takeover attempt prevented by registry lock
+
+These incidents highlight the critical importance of proper domain security measures.
+
+## References and Resources
+
+### Tools
+- [DNSViz](https://dnsviz.net/) - DNSSEC visualization and debugging
+- [Certificate Transparency Search](https://crt.sh/) - Monitor certificate issuance
+- [DNS Dumpster](https://dnsdumpster.com/) - DNS reconnaissance tool
+- [MXToolbox](https://mxtoolbox.com/) - DNS and email configuration testing
+- [Passive DNS](https://passivedns.mnemonic.no/) - Historical DNS resolution data
+
+### Incident Response Contacts
+- [SEAL Alliance](https://www.securityalliance.org/contact) - Web3 emergency response team
+- Your registrar's security team (document contact info)
+- Local FBI/law enforcement cybercrime division
+
+### Standards and Best Practices
+- [NIST Special Publication 800-81-2](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf) - Secure Domain Name System Deployment Guide
+- [ICANN DNSSEC Resources](https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en)
+- [RFC 8461](https://datatracker.ietf.org/doc/html/rfc8461) - MTA-STS specification
+- [RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489) - DMARC specification
+- [DNS Security in Web3: Attacks & Monitoring Setup Explained](https://web3secnews.substack.com/p/the-hidden-dns-threats-that-could) - Comprehensive Web3 DNS security guide
+
+---
+</TagProvider>
+<ContributeFooter />
