feat: improve DNS and domain registration security to be more comprehensive and actionable

.gitignore

@@ -36,3 +36,4 @@ CLAUDE.md
 
 # Build folder
 **/dist/
+node_cache/

CONTRIBUTING.md

@@ -306,4 +306,4 @@ This page is also open for contributions! Suggest improvements to our style and
 
 ## About this page
 
-Originally inspired by the [Ethereum Protocol Fellows](https://github.com/eth-protocol-fellows/protocol-studies)
+Originally inspired by the [Ethereum Protocol Fellows](https://github.com/eth-protocol-fellows/protocol-studies)

docs/pages/config/contributors.json

@@ -190,5 +190,17 @@
     "company": "SEAL",
     "job_title": "Frameworks Contributors",
     "description": "Frameworks Contributors"
+  },
+  "Raiders0786": {
+    "slug": "Raiders0786",
+    "name": "Raiders",
+    "role": "steward",
+    "avatar": "https://avatars.githubusercontent.com/Raiders0786",
+    "github": "https://github.com/Raiders0786",
+    "twitter": "https://x.com/__Raiders",
+    "website": "https://web3sec.news",
+    "company": "Web3Sec.News & Digibastion.com",
+    "job_title": "Creator",
+    "description": "Steward of DNS and Domain Registration Security"
   }
 }

docs/pages/infrastructure/domain-and-dns-security/dns-basics-and-attacks.mdx

@@ -0,0 +1,77 @@
+---
+title: "DNS Basics & Common Attacks"
+tags:
+  - Engineer/Developer
+  - Security Specialist
+contributors:
+  - role: wrote
+    users: [Raiders0786]
+  - role: reviewed
+    users: [DicksonWu654]
+---
+
+import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter, MermaidRenderer } from '../../../../components'
+
+export const dnsFlowDiagram = `flowchart TD
+    Start([User types:<br/>example.com]) --> Cache{Check<br/>Cache?}
+
+    Cache -->|Found| Fast[Return IP instantly<br/>93.184.216.34]
+    Cache -->|Not Found| Recursive[Your ISP DNS<br/>Recursive Resolver]
+
+    Recursive -->|1. Where is .com?| Root[Root Server<br/>.]
+    Root -->|2. Ask TLD| Recursive
+
+    Recursive -->|3. Where is example.com?| TLD[TLD Server<br/>.com]
+    TLD -->|4. Ask Authoritative| Recursive
+
+    Recursive -->|5. What's the IP?| Auth[Authoritative Server<br/>example.com]
+    Auth -->|6. IP: 93.184.216.34<br/>TTL: 24h| Recursive
+
+    Recursive -->|7. Validated & Cached| Result[Return IP<br/>93.184.216.34]
+
+    Fast --> Connect([Connect to Website])
+    Result --> Connect
+
+    style Start fill:#e1f5ff
+    style Connect fill:#d4edda
+    style Root fill:#fff3cd
+    style TLD fill:#fff3cd
+    style Auth fill:#d1ecf1
+    style Recursive fill:#e7e7ff
+    style Fast fill:#a8e6cf
+    style Cache fill:#ffeaa7`;
+
+<TagProvider>
+<TagFilter />
+
+# DNS Basics & Common Attacks
+
+<TagList tags={frontmatter.tags} />
+<AttributionList contributors={frontmatter.contributors} />
+
+## How DNS Resolution Works
+
+When users type your domain, their request may traverse multiple trust points (flows vary by resolver caching, stub resolver config, and provider):
+1. Local device cache
+2. ISP/recursive DNS resolver
+3. Root nameservers
+4. TLD registry servers
+5. Your authoritative nameservers
+
+<MermaidRenderer 
+  id="dns-resolution-flow"
+  code={dnsFlowDiagram}
+/>
+
+## Common Attack Vectors
+
+- Social Engineering at Registrars: Attackers convince/bribe support staff they're legitimate owners using publicly available information
+- Expired Domain Sniping: Domains that expire enter a grace period before becoming publicly available to anyone
+- DNS Hijacking: Unauthorized changes to DNS records redirecting traffic to malicious servers
+- Email Interception (MX tampering): Password reset attacks and communication interception
+- DNS Tunneling: Encoding data within DNS queries for covert communication channels, often used for data exfiltration
+- DNS Cache Poisoning: Injecting forged responses into a resolver's cache to redirect subsequent queries
+
+---
+</TagProvider>
+<ContributeFooter />

docs/pages/infrastructure/domain-and-dns-security/dnssec-and-email.mdx

@@ -0,0 +1,63 @@
+---
+title: "DNSSEC, CAA, and Email Security"
+tags:
+  - Engineer/Developer
+  - Security Specialist
+contributors:
+  - role: wrote
+    users: [Raiders0786]
+  - role: reviewed
+    users: [DicksonWu654]
+---
+
+import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components'
+
+<TagProvider>
+<TagFilter />
+
+# DNSSEC, CAA, and Email Security
+
+<TagList tags={frontmatter.tags} />
+<AttributionList contributors={frontmatter.contributors} />
+
+## DNSSEC Implementation
+
+Practical setup:
+1) Enable signing at DNS provider (provider generates KSK/ZSK; shows DS parameters: Key Tag, Algorithm, Digest Type, Digest).
+2) Publish DS at registrar — prefer Algorithm 13 (ECDSAP256SHA256), Digest Type 2 (SHA-256) where supported.
+3) Verify validation via:
+   - https://dnssec-analyzer.verisignlabs.com/yourdomain.org
+   - https://dnsviz.net/d/yourdomain.org/analyze/
+   - `dig +dnssec example.com A` and check AD flag
+4) Monitor validation and DS/DNSKEY changes.
+
+Security notes:
+- DNSSEC authenticates data; it does not encrypt queries. Use DoT/DoH for transport privacy if needed.
+- Harden registrar accounts, protect transfer locks, and monitor for DS changes; DS removal downgrades protection.
+
+## CAA Records
+
+Limit which CAs can issue certs; use `iodef` for violation reports and `issuewild` for wildcard control. Child-zone CAA overrides parent CAA. Advanced parameters like `accounturi` and `validationmethods` allow finer control.
+
+## Email Security (SPF, DKIM, DMARC, MTA-STS)
+
+DMARC baseline example (aggregate only):
+```
+_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
+```
+
+MTA-STS (summary):
+1. Host HTTPS policy at `https://mta-sts.<domain>/.well-known/mta-sts.txt`
+2. Publish TXT at `_mta-sts.<domain>` with `v=STSv1; id=<timestamp>`
+3. Start with `mode: testing`, then `enforce`; ensure MX TLS certs valid.
+
+Provider-specific tips
+- Google Workspace: manage MX in Admin console; host policy yourself; add TXT via DNS.
+- Cloudflare: host policy on Workers/Pages; manage TXT in DNS; HTTPS auto via Cloudflare SSL.
+- Amazon SES: host on S3 or CloudFront; manage TXT in Route 53; ensure domains are verified.
+
+---
+</TagProvider>
+<ContributeFooter />
+
+

docs/pages/infrastructure/domain-and-dns-security/index.mdx

@@ -0,0 +1,17 @@
+---
+title: "Domain & DNS Security"
+---
+
+export const meta = {
+  title: 'Domain & DNS Security'
+}
+
+This section is organized into:
+
+- Overview
+- DNS Basics & Common Attacks
+- DNSSEC, CAA, and Email Security
+- Registrar Security & Registry Locks
+- Monitoring, Alerts, and GitOps for DNS
+
+

docs/pages/infrastructure/domain-and-dns-security/monitoring-and-alerting.mdx

@@ -0,0 +1,55 @@
+---
+title: "Monitoring, Alerts, and GitOps for DNS"
+tags:
+  - Engineer/Developer
+  - Security Specialist
+  - Operations & Strategy
+contributors:
+  - role: wrote
+    users: [Raiders0786]
+  - role: reviewed
+    users: [DicksonWu654]
+---
+
+import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components'
+
+<TagProvider>
+<TagFilter />
+
+# Monitoring, Alerts, and GitOps for DNS
+
+<TagList tags={frontmatter.tags} />
+<AttributionList contributors={frontmatter.contributors} />
+
+## What to Watch
+
+- NS changes; DNSSEC broken; CAA removed/overridden; sudden TTL drops (note: low TTL is common with CDNs; Cloudflare "Auto" often 300s)
+- When NS unchanged: A/AAAA, MX, TXT (SPF/DMARC) modifications
+
+Note: Child zones override parent CAA. Parameters like `accounturi` and `validationmethods` can provide finer control.
+
+## Monitoring Tools
+
+- MXToolbox, HetrixTools, SecurityTrails (change tracking/historical)
+- DNSViz (DNSSEC chain validation and debugging)
+- Passive DNS: Mnemonic, SecurityTrails, RiskIQ (historical resolution)
+
+## GitOps & Zone Control
+
+- OctoDNS and DNSControl enable auditable, reviewed DNS changes via code and CI.
+
+## Certificate Transparency Monitoring
+
+- crt.sh and Cert Spotter for new/unauthorized certs (watch wildcards if unused).
+
+## Alerts & Incident Response (Quick Reference)
+
+Critical alerts: Registrar changed, NS changed, DNSSEC broken, CAA removed, TTL under 60s. High priority (NS unchanged): A/MX/TXT changes, DMARC policy weakened, unexpected certificate issued.
+
+Incident response: Verify compromise; access registrar; contact security team; document; contain (registry lock, NS updates); communicate; recover (audit records, reset credentials); investigate; improve.
+
+---
+</TagProvider>
+<ContributeFooter />
+
+

docs/pages/infrastructure/domain-and-dns-security/overview.mdx

@@ -0,0 +1,70 @@
+---
+title: "Domain & DNS Security — Overview"
+tags:
+  - Engineer/Developer
+  - Security Specialist
+  - Operations & Strategy
+contributors:
+  - role: wrote
+    users: [Raiders0786]
+  - role: reviewed
+    users: [DicksonWu654]
+---
+
+import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components'
+
+<TagProvider>
+<TagFilter />
+
+# Domain & DNS Security — Overview
+
+<TagList tags={frontmatter.tags} />
+<AttributionList contributors={frontmatter.contributors} />
+
+DNS (Domain Name System) is the backbone of the internet, translating domain names into IP addresses. In Web3, domain security is particularly critical as compromised domains can lead to irreversible financial losses through wallet drainers and phishing attacks. Unlike traditional web applications where stolen funds can sometimes be recovered, blockchain transactions are permanent. 
+
+Moreover, DNS controls your email infrastructure through MX records — once compromised, attackers gain the keys to your entire organization through password resets and intercepted communications, making domain security a matter of both financial and operational survival.
+
+## Web3-Specific Considerations
+
+- **Irreversible transactions**: Unlike traditional banking where stolen funds can sometimes be recovered, blockchain transactions are permanent. Once funds are stolen through a domain hijack, they're gone forever.
+- **Direct wallet interactions**: Users connect their wallets directly to your domain, giving attackers immediate access to user funds without needing to compromise individual accounts.
+- **Reputation damage**: One domain hijack incident can permanently destroy protocol trust, as users lose confidence in the project's security practices.
+
+## Historical Context
+
+### Notable Domain Security Incidents
+
+- **[Curve Finance (2025)](https://news.curve.finance/curve-domain-incident/)**: Domain hijacking at the registrar level, unrelated to any breach of Curve’s infrastructure.
+- **[Puffer Finance (2025)](https://www.kucoin.com/news/articles/the-trojan-horse-of-web3-puffer-finance-attack-exposes-centralized-vulnerabilities)**: DNS hijack exploited centralized infrastructure vulnerabilities
+- **[Compound Finance (2024)](https://www.bitget.com/news/detail/12560604092919)**: Domain takeover attempt prevented by registry lock
+- **[Galxe (2023)](https://help.galxe.com/en/articles/8452958-october-6th-dns-security-incident-statement-guide)**: DNS hijack resulted in over 1,100 wallets drained for $270k
+- **[Curve Finance (2022)](https://rekt.news/curve-finance-rekt)**: DNS hijacking led to $575k in stolen funds through frontend compromise
+
+These incidents highlight the critical importance of proper domain security measures and the recurring nature of these attacks.
+
+## References and Resources
+
+### Incident Response Contacts
+- [SEAL911 TG Bot](https://t.me/seal_911_bot) — Web3 emergency response team
+- Your registrar's security team (document contact info)
+- Local FBI/law enforcement cybercrime division
+
+### Standards and Best Practices
+- [NIST SP 800-81-2](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81-2.pdf) — Secure DNS Deployment Guide
+- [ICANN DNSSEC Resources](https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en)
+- [RFC 8461](https://datatracker.ietf.org/doc/html/rfc8461) — MTA-STS
+- [RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489) — DMARC
+- [Cloudflare DNS TTL Reference](https://developers.cloudflare.com/dns/manage-dns-records/reference/ttl/)
+
+### Further Reading
+- [DNS Security in Web3: Attacks & Monitoring Setup Explained](https://web3secnews.substack.com/p/the-hidden-dns-threats-that-could)
+- ICANN Compliance Notices: https://www.icann.org/compliance/notices
+- GoDaddy incident: https://threatpost.com/godaddy-employees-tricked-compromise-cryptocurrency/161520/
+- Low-tech, high-impact: https://krebsonsecurity.com/2023/02/when-low-tech-hacks-cause-high-impact-breaches/
+
+---
+</TagProvider>
+<ContributeFooter />
+
+