Domain Name System (DNS) infrastructure hijacking is where an attacker using the compromised credentials, modifies the DNS records like Name Server (NS), Mail Exchanger (MX), Address (A), and replaces the legitimate address with the address that attacker has control.

Once hijacked, the domain name starts resolving to the attacker's controlled infrastructure. Attacker can then obtain valid X.509 certificates for TLS encryption from the certificate authority like LetsEncrypt and gain visitors trust by allowing to continue to establish trusted connection. Once the connection is established, attacker can decrypt, intercept and manipulate web, email and other network traffic before passing on to the legitimate service.

Best practices to help safeguard against this threat

  • Always audit DNS records regularly to verify they are resolving to the intended location.
  • Ensure to update password for the accounts that can modify your DNS records. This will stop unauthorized access to accounts that attacker might already have access to.
  • If your DNS registrar offers multi-factor authentication in their portals, make sure you enable it.
  • Search and identify X.509 certificates issued to your domain and revoke any fraudulently requested certificates.

Coocoor monitors your DNS infrastructure against these threats and provides you with alerts so you can take action before it affects your customers.