I suppose the first thing DNS administrators should learn is what Tomiris is, since as of just a few days ago, I had no idea. Tomiris is malware recently identified by researchers at Kaspersky’s Global Research and Analysis Team (GReAT). Tomiris is relevant to DNS administrators because it spread by capitalizing on what was probably the compromise of registrar accounts.
Tomiris spread thanks to a compromise that enabled the bad guys to modify the delegation for the domains of a Central Asian government, possibly Kyrgyzstan or Kazakhstan. By changing the delegation of these government domains, the attackers were able to induce Let’s Encrypt to issue legitimate TLS certificates that they could then install on mail servers, which then intercepted email sent to government email addresses. This is similar to the DNSpionage attack of 2019, in which suspected Iranian hackers used compromised registrar credentials to intercept email and VPN credentials from government agencies and companies across the Middle East.
There are a few lessons DNS administrators should learn from this: First, use a registrar that requires multifactor authentication for customer accounts. There’s simply no excuse today for not supporting MFA. If your registrar doesn’t, leave.
Second, lock your domains. Depending on your registrar and the registry that manages your parent zone, there may be a few types of locks available to you. The registrar CSC has a writeup to help you understand the differences, but the short answer is that a registry lock, if it’s available, is more effective at preventing unauthorized changes to your domain’s delegation.
Finally, monitor the delegation to your critical domains. If you use MFA and a registry lock, you’ll make it harder for a hacker to change your delegation. But if they manage to slip through these defenses, you’ll want to know as quickly as possible. Monitoring your delegation is a good way to do this. And it isn’t hard: You could whip up a script to run dig NS <your-domain> periodically against your parent zone’s DNS servers and then compare the result with the NS records in the authoritative zone. Infoblox even includes a feature to do this in NIOS, called DNS Integrity Check. It’ll alert you if your zone’s parents ever report a different set of NS records from those in NIOS’s database.
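The "run dig NS and compare" check just described, as an added example that is not Infoblox's or NIOS's code: it asks every server of the parent zone what delegation it hands out for your domain and diffs that against the NS RRset on your own authoritative server. It assumes dig is installed, that the label above your domain is itself a zone cut, and that you pass the hostname or IP of your own nameserver (never one learned from the parent, since a hijacked delegation points at servers that agree with the hijack).

```python
import subprocess
import sys

# Added example (not Infoblox or NIOS code): compare the NS delegation the parent
# zone's servers hand out for a domain with the NS RRset on your own authoritative
# server, which is what the "dig NS and compare" check described above amounts to.

def dig_ns(qname, server=None):
    """Run dig for NS qname and return its answer+authority lines.  With no server
    the system resolver is used; with one, the query goes straight to that server
    without recursion, so we see exactly what it serves."""
    cmd = ["dig", "+noall", "+answer", "+authority", "+time=3", "+tries=2"]
    cmd.append("+recurse" if server is None else "+norecurse")
    if server is not None:
        cmd.append("@" + server)
    return subprocess.run(cmd + ["NS", qname], capture_output=True, text=True, check=True).stdout

def parse_ns(dig_output):
    """Collect NS targets from dig output, lower-cased and without the trailing
    dot, so case or record order alone never raises an alarm."""
    names = set()
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not line.startswith(";") and fields[3] == "NS":
            names.add(fields[4].lower().rstrip("."))
    return names

def delegation_drift(parent_ns, zone_ns):
    """Return (only_at_parent, only_in_zone); two empty lists mean no drift."""
    return sorted(parent_ns - zone_ns), sorted(zone_ns - parent_ns)

def check_delegation(domain, authoritative_server):
    """authoritative_server must be YOUR nameserver, not one learned from the
    parent: a hijacked delegation points at servers that agree with the hijack."""
    parent = domain.split(".", 1)[1]
    delegated = set()
    for parent_server in parse_ns(dig_ns(parent)):  # ask every parent server
        delegated |= parse_ns(dig_ns(domain, parent_server))
    return delegation_drift(delegated, parse_ns(dig_ns(domain, authoritative_server)))

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_delegation.py <domain> <your-authoritative-nameserver>")
    extra, missing = check_delegation(sys.argv[1], sys.argv[2])
    if extra or missing:
        print("DELEGATION DRIFT: at parent only", extra, "/ in zone only", missing)
        sys.exit(1)
    print("delegation matches the authoritative zone for", sys.argv[1])
```

Run it from cron and alert on a non-zero exit; if the label above your domain is not its own zone (say gov.example delegated directly from .example), replace the parent computation with the real parent zone name.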