Protecting against today’s DNS attack

Today, a large attack happened on global DNS.

Is there anything which can be done to maximise protection against this type of DNS hijack?

This appears to be BGP hijacking. You can only mitigate that if your WAN speaks BGP protocol. ISPs speak BGP to each other...this is at the ISP level.

Even then, under normal circumstances...you might see the change...but most changes in the Global Table are usually normal.

1 Like

Yes, use DNSSEC to protect your own domains. That way someone hijacking the IP address(es) of your DNS server won't be able to publish DNS records that are accepted by a DNS resolver doing DNSSEC validation. (Use for example dnsmasq-full with dnssec enabled: https://wiki.openwrt.org/doc/uci/dhcp)

And also use your own DNS resolver with DNSSEC validation. But this wouldn't have helped in today's attack on myetherwallet.com since it doesn't use DNSSEC.

2 Likes
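As an added example (not part of any post in this thread): a small shell helper that reads `dig +dnssec` output and reports whether a validating resolver accepted the answer, which is the distinction the reply above draws between signed and unsigned domains. The function names and the three sample replies are constructed for illustration.

```shell
#!/bin/sh
# Classify a `dig +dnssec` reply from its header lines (reads stdin).
#   validated : NOERROR with the AD flag, the resolver checked the signatures
#   insecure  : NOERROR without AD, the zone is unsigned (the myetherwallet.com
#               case) or the resolver does not validate at all
#   bogus     : SERVFAIL, which is how a validating resolver reports a failed
#               validation (it can also be an ordinary lookup failure;
#               re-query with `dig +cd` to tell the two apart)
classify_dig() {
    awk '
        /->>HEADER<<-/ {
            if (match($0, /status: [A-Z]+/))
                status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            # e.g. ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
            flags = $0
            sub(/^;; flags:/, "", flags)
            sub(/;.*/, "", flags)
            ad = ((" " flags " ") ~ / ad /)
        }
        END {
            if (status == "SERVFAIL") print "bogus"
            else if (status == "NOERROR" && ad) print "validated"
            else if (status == "NOERROR") print "insecure"
            else print "unknown"
        }'
}

# Constructed sample replies (header lines only), not captured traffic.
sample_signed() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242' \
        ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
}
sample_unsigned() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243' \
        ';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
}
sample_hijacked() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244' \
        ';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
}

for s in sample_signed sample_unsigned sample_hijacked; do
    printf '%s: %s\n' "$s" "$($s | classify_dig)"
done

# Live use (needs dig and a network; 127.0.0.1 assumes a local resolver):
#   dig +dnssec example.org A @127.0.0.1 | classify_dig
```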

Yes, always check for HTTPS when you use your browser, don't accept ("trust") certificates that your browser questions, and keep your browser updated.

(Yes, there are still sites that don't use TLS, but you shouldn't ever trust one of them with any personal information. Yes, there are times that you can trust your own certificate, because you know and expect it from a device that you control that you just installed.)