MoinQ:

1. DNS/hijacking/対策

これが対策と言えるのだろうか。 https://dnsops.jp/event/20180627/ドメイン名ハイジャックされないために.pdf

ドメイン名ハイジャック •攻撃者にドメイン名がトランスファーされてしまい、管理権限を乗っ取られること。

この定義では不十分なことははっきりした。 -- ToshinoriMaeno 2019-04-07 07:46:06

2019-04-08 piyolog 不正移管によるドメイン名ハイジャックについてまとめてみた https://piyolog.hatenadiary.jp/entry/2019/04/08/053000

海外では2要素認証の導入が進行中だ。-- ToshinoriMaeno 2019-05-07 01:25:49

/ドメイン権利者がすべきこと

1.1. sea turtle

How to Avoid the New DNS Hijacking Attacks By: Wayne Rash | April 22, 2019 https://www.eweek.com/security/how-to-avoid-the-new-dns-hijacking-attacks

対策例

なりすまし対策には証明書が重要だ。

-- ToshinoriMaeno 2019-05-06 00:46:39

1.2. DHS CISA

https://www.us-cert.gov/ncas/alerts/AA19-024A

Mitigations

NCCIC recommends the following best practices to help safeguard networks against this threat:

1.3. tweet

https://twitter.com/beevek/status/1118848324591865856

- Monitor critical DNS records (NS, DS, ...)
- Alert on changes w/ DNS audit logs & 3rd party monitoring
- DNSSEC sign zones
- MFA, unique pws, IP whitelisting @ registrars & DNS
- Dual DNS networks
- Security minded registrars & DNS providers

Kris Beeversさんが追加

1.4. Schneir

blogのコメントが参考になる。-- ToshinoriMaeno 2019-05-06 01:33:49

Schneier Blog

New DNS Hijacking Attacks https://www.schneier.com/blog/archives/2019/04/new_dns_hijacki.html21:06 - 2019年4月18日

New DNS Hijacking Attacks https://www.schneier.com/blog/archives/2019/04/new_dns_hijacki.html

https://www.schneier.com/blog/archives/2019/04/new_dns_hijacki.html#c6791456 Cormacolinde • April 18, 2019 8:02 AM

I’ve been thinking about how to block these attacks for a while now and at least you need to do the following to detect and limit your exposure:

- Monitor your DNS! Make sure you monitor your NS glue records and other critical records.
- Create a CAA record to prevent someone using a different CA to get certificates.
- Use DNSSEC to sign your DNS zone.

But in order to protect yourself from this kind of attack completely, you might be better using an internal CA for all internal systems, and use certificate pinning.

And obviously some sort of tunneled DNS client would help. I know the Cisco Umbrella client does this, but there’s probably others.

1.5. nominet.uk

Cath Goulding CISO How to keep out the DNS Hijackers 16th April 2019 https://www.nominet.uk/how-to-keep-out-the-dns-hijackers/

Domain Lock is a tool by which registrars can literally ‘lock’ domains so that no changes can be made without thorough authentication of the domain name owner via 2FA.