DNS is a Thing that People Hack Now, I Made an Open-Source App to Help

Donald Merand

(Cross-posted at https://donald.merand.org/code/2020/01/30/dns-is-a-thing.html)

This article about recent DNS hijacking attacks is a wake-up call. I recommend you read it, but here's a bit of a summary in case you're not a big link-clicker (emphasis mine):

In the case of e-hawk.net, however, the scammers managed to trick an OpenProvider customer service rep into transferring the domain to another registrar with a ... social engineering ruse — and without triggering any verification to the real owners of the domain.

These folks were able to hijack DNS using old-fashioned social engineering techniques. They got a domain registrar to transfer a domain over the phone! Then they stole all of the data. Okay, there's a lot more to it, you should maybe go read the article...

The big take-home actions for me (they're listed at the end of that article) were:

  1. Set up multi-factor authentication at your domain registrar. If they don't do multi-factor, consider changing to a registrar that does, because you are now at risk due to their lax security.
  2. Configure DNSSEC, both signing your zones and validating responses. See above if your registrar doesn't have this.
  3. Lock your domains with a domain lock. This is different from a "transfer lock" because it requires a laborious personal contact process to undo. This is what you want once your domain is configured correctly. Don't do it until you've got things configured correctly!
  4. Monitor your DNS.

On that last point, I have some news for you:

DNS-Monitor, a New Ruby-Based CLI Tool

I found myself wishing that I had a little robot to monitor all of my hostnames and warn me if there were any changes to them. So, I wrote that app yesterday and open-sourced it as the DNS-Monitor Gem. The big thing you get is a command-line utility called dns-monitor. Here's how it works:

  1. You feed it a text file with all of your host names (just one line per host).
  2. You figure out the RDAP (JSON WHOIS) endpoint of your domain registrar. I've done zero research on who uses RDAP, but it seems like a thing many of them use? At EXPLO we use Pair Networks, so I put their server in as a default, but you can change it with the -u or --rdap_url flag.
    • Note that in the current configuration, I'm assuming only one registrar (because that's what we have). Send a pull request if you'd like to add the ability for multiple RDAP servers! :)
  3. You run the app like this: dns-monitor --check or dns-monitor -c. It will run through your list of hosts, and compare the current RDAP (WHOIS) value for that host with a (SQLite3) database of previous values.
  4. The output of the program is a JSON array of all of your domain RDAP (WHOIS) information, with a diff showing changes for any domains that have them.
  5. At EXPLO we use Google Hangouts Chat for 'bot notifications, and Mandrill for transactional email, so I put in some extra functionality for those two things. If you send a Mandrill API key + email you can get email notifications if any domain has changed. But even if you use neither of those things, you can just pipe the program output into whichever utility you do use.
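The check in steps 3 and 4 (compare each host's current RDAP record with the stored one and report a diff), as an added sketch that is not the DNS-Monitor gem's own code. It assumes RDAP field names from RFC 9083, uses a plain Hash in place of the SQLite3 database, and runs on constructed records; `fingerprint`, `check`, `sample` and `demo` are hypothetical names.

```ruby
require "json"

# Reduce an RDAP domain object (RFC 9083 field names) to the fields a hijack changes.
def fingerprint(rdap)
  registrar = (rdap["entities"] || []).find { |e| (e["roles"] || []).include?("registrar") }
  transfer  = (rdap["events"] || []).find { |e| e["eventAction"] == "transfer" }
  { "nameservers" => (rdap["nameservers"] || []).map { |n| n["ldhName"].to_s.downcase }.sort,
    "status"      => (rdap["status"] || []).sort,
    "registrar"   => registrar && registrar["handle"],
    "transferred" => transfer && transfer["eventDate"] }
end

# Compare every host's current record with the stored one, then store the new one.
# `store` is a plain Hash standing in for the database of previous values (assumption).
def check(store, current)
  current.map do |host, rdap|
    now  = fingerprint(rdap)
    prev = store[host]
    diff = {}
    now.each { |k, v| diff[k] = { "was" => prev[k], "now" => v } if prev && prev[k] != v }
    store[host] = now
    { "host" => host, "first_seen" => prev.nil?, "changed" => !diff.empty?, "diff" => diff }
  end
end

# Constructed RDAP record for the demo; not real registry data.
def sample(nameservers, status, registrar, transfer_date = nil)
  events = [{ "eventAction" => "registration", "eventDate" => "2010-01-01T00:00:00Z" }]
  events << { "eventAction" => "transfer", "eventDate" => transfer_date } if transfer_date
  { "ldhName" => "example.org", "status" => status, "events" => events,
    "nameservers" => nameservers.map { |n| { "ldhName" => n } },
    "entities" => [{ "roles" => ["registrar"], "handle" => registrar }] }
end

# Three runs: first sighting, unchanged, then the domain moved to another registrar.
def demo
  store  = {}
  before = sample(%w[NS1.example.net ns2.example.net], ["client transfer prohibited"], "REG-A")
  after  = sample(%w[ns1.other.example ns2.other.example], ["active"], "REG-B",
                  "2020-01-02T03:04:05Z")
  [before, before, after].map { |rec| check(store, { "example.org" => rec }) }
end

puts JSON.pretty_generate(demo.last) if $PROGRAM_NAME == __FILE__
```

Comparing a normalized subset rather than the whole RDAP response keeps reordered nameserver lists or letter-case differences from raising alerts, while a new registrar handle, a dropped transfer-prohibited status or a fresh transfer event still shows up in the diff.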

We at EXPLO are using it currently, and it works pretty well for our use case. If you'd like to give it a try, just gem install dns-monitor to get it for yourself. Here's an example cron script for how we use it in practice. It does some extra work to specify where the hosts.txt and database files live:

In summary, DNS is scary now, I hope this helps. Send me a note if you end up using it!

Posted on Jan 30 by:

Donald Merand


Director of Tech-sploration at EXPLO (www.explo.org)


At its heart, EXPLO inspires students to challenge themselves, discover the world of people and ideas, and experience the joy of learning.