Is the sky fluxxing?! Last week a CISA advisory on DNS Fast Flux created a lot of buzz. We have an insider's take.

Fast Flux is a nearly 20 year old technique and is essentially the malicious use of dynamic DNS. It is critical that protective DNS services understand this -- and all other DNS techniques -- on that we agree.

What we also know as experts in DNS is that there are many ways to skin a cat, as they say.

#dns #threatintel #cisa #malware #phishing #threatintelligence #infobloxthreatintel #infoblox #cybercrime #cybersecurity #infosec

https://blogs.infoblox.com/threat-intelligence/disrupting-fast-flux-and-much-more-with-protective-dns/

Somebody, somewhere must occasionally still be falling for the .cn domain name scam, one from simon@netdomains.net.cn inboxed here today.

See https://nxdomain.no/~peter/domain_name_scams_are_alive_and_well_thank_you.html for an overview of the shitheadery. #dns #scams #domainnamescam #cndomains #netdomains #cybercrime #spam

New blog post up ➱ https://sij.law/vpn-vitals-scripts/

Mit der Rückkehr von Donald #Trump ins Weiße Haus wird die Abhängigkeit von #US-#Cloud-Diensten zu einem wachsenden Problem.
Denn der
#CloudAct zwingt US-amerikanische Firmen Anweisungen von US-Behörden Folge zu leisten, ganz gleich wo deren #Server stehen.

Nicht nur Staaten und Unternehmen, sondern auch Privatpersonen sind betroffen.

Angefangen bei #Datenspeichern über #Online-#Office-Anwendungen bis zu grundlegenden Internetdiensten wie #DNS oder Zertifizierungsstellen.

Es betrifft selbst smarte Geräte wie #WLAN-Steckdosen, wenn deren zentralen Dienste auf einem #Hyperscaler wie #Amazon #AWS oder #Microsoft #Azure liegen.

Doch es gibt Möglichkeiten, den #Datenabfluss zu minimieren und #Alternativen zu nutzen.

Welche das sind, erläutert c’t Redakteur Peter Siering. Die Optionen reichen von #Suchmaschinen über europäische Cloud-Speicher und Open-Source-Projekte bis zu dezentralen, sichereren #Messengern.

https://www.youtube.com/watch?v=5i2eLjLKl2s

@switchingsoftware

@bfdi !!
@bsi !!

It is a feature to not use a two letter top level cc domain. You may stay under the radar.

Friendly reminder that you should be blocking all newly registered domains for your end users. Free lists like the NRD (https://github.com/xRuffKez/NRD) exist. Microsoft Defender for Endpoint also has a built in list you can enable via policy.

IMO everyone should do 365 days but even 30 or 90 will save you so much headache.
#DNS #ThreatIntel #FastFlux

Meine Datenschutz und Privatsphäre Übersicht 2025, für die Allgemeinheit

Teilen er­be­ten

als PDF:

https://cryptpad.digitalcourage.de/file/#/2/file/NdmBgSYkRCto8B+JmJkE9mQ4/

 #DSGVO #TDDDG ( #unplugtrump )
#Datenschutz #Privatsphäre #sicherheit #Verschlüsselung
#encryption #WEtell #SoloKey #NitroKey #Email #Cybersecurity #Pixelfed #Massenűberwachung
#Google #Metadaten #WhatsApp #Threema #Cryptpad #Signal
#Hateaid #Cyberstalking #Messenger #Browser #Youtube #NewPipe #Chatkontrolle #nichtszuverbergen #ÜberwachungsKapitalismus #Microsoft #Apple #Windows #Linux #Matrix #Mastodon #Friendica #Fediverse #Mastodir #Loops #2FA #Ransomware #Foss #VeraCrypt #HateAid #Coreboot #Volksverpetzer #Netzpolitik #Digitalisierung #FragdenStaat #Shiftphone  #OpenSource #GrapheneOS #CCC #Mail #Mullvad #PGP #GnuPG #DNS #Gaming #linuxgaming #Lutris #Protondb #eOS #Enshittification
#Bloatware #TPM #Murena  #LiberaPay #GnuTaler #Taler #PreppingforFuture
#FediLZ #BlueLZ #InstaLZ #ThreatModel
#FLOSS #UEFI #Medienkompetenz

Any #DNS folks know if Authenticated DNS over TLS to Authoritative Servers (ADoT) is going anywhere? Doesn’t look like recent activity on the drafts since 2022

https://www.ietf.org/archive/id/draft-dickson-dprive-adot-auth-06.html

https://datatracker.ietf.org/doc/html/draft-hal-adot-operational-considerations-00.html

In a world where things can feel topsy-turvy...we've decided to turn everything on its head today. Join the movement!

Upgraded all four of my pihole instances to v6. They’re working perfectly!

I love how a bunch of the “advanced” settings are now available from the UI. It makes initial set up so much easier.

Our Quad9 documentation is now also available in #Romanian (https://docs.quad9.net/ro/) thanks to the help of our friend, Toma Minea (https://www.linkedin.com/in/toma-minea-86900582/).

Malicious actors have taken notice of news about the US Social Security System. We've seen multiple spam campaigns that attempt to phish users or lure them to download malware.

Emails with subjects like "Social Security Administrator.", "Social Security Statement", and "ensure the accuracy of your earnings record" contain malicious links and attachments.

One example contained a disguised URL that redirected to user2ilogon[.]es in order to download the trojan file named SsaViewer1.7.exe.

Actors using social security lures are connected to malicious campaigns targeting major brands through their DNS records.

Block these:

user2ilogon[.]es
viewer-ssa-gov[.]es
wellsffrago[.]com
nf-prime[.]com
deilvery-us[.]com
wllesfrarqo-home[.]com
nahud[.]com.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #malware #scam #ssa

blog! “How to prevent Payment Pointer fraud”

There's a new Web Standard in town! Meet WebMonetization - it aims to be a low effort way to help users passively pay website owners.

The pitch is simple. A website owner places a single new line in their HTML's <head> - something like this:

<link rel="monetization"…

Read more: https://shkspr.mobi/blog/2025/03/how-to-prevent-payment-pointer-fraud/
⸻
#CyberSecurity #dns #HTML #standards #WebMonitization

howdy, #hachyderm!

over the last week or so, we've been preparing to move hachy's #DNS zones from #AWS route 53 to bunny DNS.

since this could be a pretty scary thing -- going from one geo-DNS provider to another -- we want to make sure *before* we move that records are resolving in a reasonable way across the globe.

to help us to do this, we've started a small, lightweight tool that we can deploy to a provider like bunny's magic containers to quickly get DNS resolution info from multiple geographic regions quickly. we then write this data to a backend S3 bucket, at which point we can use a tool like #duckdb to analyze the results and find records we need to tweak to improve performance. all *before* we make the change.

then, after we've flipped the switch and while DNS is propagating -- -- we can watch in real-time as different servers begin flipping over to the new provider.

we named the tool hachyboop and it's available publicly --> https://github.com/hachyderm/hachyboop

please keep in mind that it's early in the booper's life, and there's a lot we can do, including cleaning up my hacky code.

attached is an example of a quick run across 17 regions for a few minutes. the data is spread across multiple files but duckdb makes it quite easy for us to query everything like it's one table.

Last week, while reviewing detected lookalike domains, one in particular stood out: cdsi--simi[.]com. A quick search pointed him to a legitimate U.S. military contractor, CDSI, which specializes in electronic warfare and telemetry systems. It's legitimate domain cdsi-simi[.]com features a single hyphen, whereas the lookalike domain uses two hyphens.

Passive DNS revealed a goldmine: a cloud system in Las Vegas hosting Russian domains and other impersonations of major companies.

Here are a few samples of the domains:

- reag-br[.]com Lookalike for Reag Capital Holdings, Brazil.
- creo--ia[.]com Lookalike for an industrial fabrication firm in WA State.
- admiralsmetal[.]com Lookalike for US based metals provider.
- ustructuressinc[.]com Lookalike Colorado based Heavy Civil Contractor.
- elisontechnologies[.]com Typosquat for Ellison Technologies machine fabrication.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #phishing #malware #scam #dod

Great blog from our friends at #MaxMind about how we use their #GeoIP data to identify regions that are in the most need of our services! All while maintaining our strict privacy standards.

https://blog.maxmind.com/2025/03/how-open-dns-recursive-service-quad9-uses-maxmind-data-to-understand-usage-patterns-and-secure-funding/

I’ve been asked a few times over the course of the same amount of days, what would happen if the powers that be began deleting top-level domains (TLDs) from the DNS system, and whether there is something we (e.g. Asians, Africans, Europeans, Canadians, South Americans, Australians, etc.) could do about it.

A very theoretical scenario, DNS edition

https://jpmens.net/2025/03/27/theoretical-scenario-dns-edition/

"Nope: Strengthening Domain Authentication with Succinct Proofs"

https://nope-tools.org/nope.pdf

Basically:
domain owner #DNSSEC signs their name, then encodes a proof of that DNSSEC chain into a new domain name, stashes that in a SAN in the cert and wants the client to verify the proof against... the root ZSK? Which it fetches via DoH from Google DNS, but... doesn't verify?

Not sure I get it.

Another round of “hey, your server is down!” drama from the "we need moar kubernetes!" crowd.

“I can’t reach your server, it must be down.”

I connect. Everything’s fine.

A few emails later, I ask to access the container. The dev says he can’t - doesn’t know how. He’s a nice guy, though, so he gives me the credentials.

I log in and find the issue: someone pushed a workload to production (cue Kubernetes! Moooaaarrr powaaaarrr! We have the cloud! Who needs sysadmins anymore?!) with DNS set to 192.168.1.1.

Of course, it fell to me to investigate, because the dev couldn’t even get a shell inside his container. And it's ok, as he's a dev - and just wants to be a dev.

Once I pointed it out, they rebuilt the container with the correct config and - TADA! - everything worked again.

Then he went to check other workloads (for other clients, not managed by me) that had been having issues for weeks... Same problem.

It was DNS.
But it wasn't DNS.