investigate kreb's advice on DNS hijacking
After reviewing this article about recent DNS hijacking incidents, I think it might be worth reviewing the recommendations given in the article, which are basically:
- use DNSSEC
- Use registration features like Registry Lock that can help protect domain names records from being changed
- Use access control lists for applications, Internet traffic and monitoring
- Use 2-factor authentication, and require it to be used by all relevant users and subcontractors
- In cases where passwords are used, pick unique passwords and consider password managers
- Review accounts with registrars and other providers
- Monitor certificates by monitoring, for example, Certificate Transparency Logs
Some of those are impractical: for example 2FA will not work for us if we have one shared account with a provider.
Others have already been done: we have a good DNSSEC deployment and manage passwords properly.
Mainly, I'm curious about investigating Registry lock and CT logs monitoring, the latter which could be added as a Nagios thing, maybe.