# DNS Compromise Playbook

**Incident Response** | Governed by [RED-BOOK.md](../RED-BOOK.md)

## The Name of the Realm Has Been Rewritten

*When the true name of a domain drifts from its sovereign declaration, the mesh fractures at its foundation. This playbook restores naming authority through verified correction.*

---

## I. NIGREDO — Detection & Analysis

### Trigger Signals

The following anomalies indicate potential DNS compromise:

| Signal | Source | Severity |
|--------|--------|----------|
| Unauthorized A/AAAA record change | Cloudflare Audit Log | CRITICAL |
| NS delegation modified | Registrar / WHOIS | CRITICAL |
| DNSSEC signature invalid | External validator | CRITICAL |
| MX record redirected | Email bounce reports | HIGH |
| New TXT record (unknown) | DNS diff tool | MEDIUM |
| Unexpected CNAME chain | Telemetry bridge | MEDIUM |

### Immediate Verification Steps

```bash
# Placeholder for the affected zone (the concrete value was elided in this copy)
: "${DOMAIN:?set DOMAIN to the affected zone}"

# 1. Walk the delegation from the root, then ask the authoritative servers directly.
#    Do not use ANY: Cloudflare's authoritative servers and 1.1.1.1 answer ANY with a
#    synthesized HINFO record (RFC 8482), so query each type explicitly.
dig +trace @1.1.1.1 "$DOMAIN" NS
for ns in $(dig +short "$DOMAIN" NS); do
  for rt in A AAAA MX NS; do
    dig @"$ns" +norecurse +noall +answer "$DOMAIN" "$rt"
  done
done

# 2. Check the DNSSEC chain: DNSKEY served by the zone, DS published by the parent
dig +dnssec "$DOMAIN" DNSKEY
dig +dnssec "$DOMAIN" DS

# 3. Compare against the VaultMesh manifest. Extract the value, not the whole
#    "content: ..." line, otherwise the diff reports every record as changed.
diff <(dig +short "$DOMAIN" A | sort) \
     <(grep -A1 "type: A" dns_manifest.yml | awk '/content:/ {print $2}' | sort)

# 4. Verify WHOIS delegation
whois "$DOMAIN" | grep -i "name server"
```

### Classification Matrix

| Scenario | Classification | Response Level |
|----------|---------------|----------------|
| Single record drift (A/CNAME) | INCIDENT | Level 2 |
| Multiple records changed | BREACH | Level 3 |
| NS delegation hijacked | CRITICAL BREACH | Level 4 |
| DNSSEC disabled/invalid | INTEGRITY FAILURE | Level 3 |
| Domain transfer initiated | SOVEREIGNTY ATTACK | Level 4 |

---

## II. ALBEDO — Containment

### Immediate Actions (First 15 Minutes)

#### 1. Lock the Domain

```bash
# Cloudflare API - switch the zone to "Under Attack" mode (challenges all proxied HTTP traffic).
# Caveat: security_level is a WAF setting, not a DNS lock. It does not prevent further
# record edits; the controls that do are token revocation (step 3 below) and the
# registrar transfer lock (section III). Placeholders: ZONE_ID, CF_API_TOKEN.
: "${ZONE_ID:?Cloudflare zone ID}" "${CF_API_TOKEN:?Cloudflare API token}"
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/settings/security_level" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{"value":"under_attack"}'
```

#### 2. Preserve Evidence

```bash
# Snapshot the current DNS state, one query per type. An ANY query is useless here:
# Cloudflare answers it with a synthesized HINFO record (RFC 8482).
STAMP=$(date +%Y%m%d_%H%M%S)
for rt in A AAAA CNAME MX TXT NS SOA CAA DNSKEY DS; do
  dig +noall +answer "$DOMAIN" "$rt"
done > "incident_${STAMP}_dns_state.txt"

# Export Cloudflare audit logs (ACCOUNT_ID is a placeholder for the elided account ID)
curl -X GET "https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/audit_logs" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" > audit_snapshot.json

# Hash and anchor immediately, before anything else touches the files
blake3sum incident_*.txt audit_snapshot.json >> /var/lib/vaultmesh/incidents/dns_$(date +%Y%m%d).hashes
```

#### 3. Revoke Compromised Access

- [ ] Rotate all Cloudflare API tokens
- [ ] Invalidate active sessions in dashboard
- [ ] Review and remove unknown collaborators
- [ ] Check for OAuth app authorizations

#### 4. Notify Tem (Guardian Protocol)

```json
{
  "event": "dns_compromise_detected",
  "domain": "<domain>",
  "severity": "CRITICAL",
  "timestamp": "<UTC timestamp, e.g. 2024-01-01T00:00:00Z>",
  "evidence_hash": "<blake3 digest of the evidence snapshot>",
  "responder": "<responder identifier>"
}
```

---

## III. CITRINITAS — Restoration

### Record Recovery Procedure

#### From VaultMesh Manifest (Preferred)

```bash
# 1. Load the known-good manifest (path components were elided in this copy)
MANIFEST="/var/lib/vaultmesh/snapshots/dns_manifest__.yml"

# 2. Validate manifest integrity against the anchored hash log; stop if it does not verify
blake3sum -c /var/lib/vaultmesh/anchors/dns_hashes.log | grep -F "$MANIFEST" | grep -qw OK \
  || { echo "manifest hash mismatch, do not apply"; exit 1; }

# 3. Apply via Terraform: save the plan, review it, then apply exactly that plan
#    (a saved plan needs no interactive approval, and nothing can change between plan and apply)
cd ~/Desktop/CLOUDFLARE/terraform
terraform plan -var-file=recovery.tfvars -out=recovery.tfplan
terraform apply recovery.tfplan
```

#### Manual Recovery (If Manifest Unavailable)

```bash
# Use a token issued after the rotation in II.3, never one that existed during the compromise.
# RECORD_ID comes from the audit log entry or from GET /zones/${ZONE_ID}/dns_records.

# Delete malicious records
curl -X DELETE "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${RECORD_ID}" \
  -H "Authorization: Bearer ${CF_API_TOKEN}"

# Recreate correct records
curl -X POST "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "A",
    "name": "@",
    "content": "<known-good IPv4 address>",
    "proxied": true
  }'
```

### DNSSEC Re-establishment

```bash
# 1. Regenerate DNSSEC keys (if compromised)
#    Via Cloudflare Dashboard: DNS > Settings > DNSSEC > Disable, then Re-enable
#    Order matters: remove the old DS at the registrar first and wait out the parent's
#    DS TTL before disabling signing. If signing stops while the DS is still published,
#    validating resolvers treat the zone as bogus and return SERVFAIL for every name in it.
# 2. Update the DS record at the registrar
#    The new DS record is shown in the Cloudflare dashboard
# 3. Verify propagation: the new DNSKEY must be served with a matching RRSIG, and the
#    DS returned for the zone must be the new one
dig +dnssec "$DOMAIN" DNSKEY
dig +dnssec "$DOMAIN" DS
```

### NS Delegation Recovery (Critical)

If nameservers were hijacked:

1. **Contact registrar immediately** - Use out-of-band verification
2. **Provide proof of ownership** - Domain verification documents
3. **Request delegation reset** - Point NS back to Cloudflare
4. **Enable registrar lock** - Prevent future transfers
5. **Set up registrar alerts** - Email/SMS for any changes

---

## IV. RUBEDO — Verification & Anchoring

### Post-Recovery Verification

```bash
# 1. Full DNS validation (start from an empty report so reruns do not append to stale data)
: > verification_report.txt
for record_type in A AAAA CNAME MX TXT NS; do
  echo "=== $record_type ===" >> verification_report.txt
  dig +short "$DOMAIN" "$record_type" >> verification_report.txt
done

# 2. DNSSEC chain validation
dnsviz probe -o dnsviz_output.json "$DOMAIN"
dnsviz print -r dnsviz_output.json

# 3. Compare to manifest
python3 scripts/dns-drift-check.py --domain "$DOMAIN" --manifest dns_manifest.yml

# 4. External verification (multiple resolvers)
for resolver in 1.1.1.1 8.8.8.8 9.9.9.9; do
  dig @"$resolver" "$DOMAIN" A +short
done
```

### Emit Restoration Receipt

```json
{
  "receipt_type": "dns_restoration",
  "schema_version": "vm_dns_restoration_v1",
  "domain": "<domain>",
  "incident_id": "<incident id>",
  "timestamp": "<UTC timestamp>",
  "records_restored": [
    {"type": "A", "name": "@", "value": "<restored IPv4 address>"},
    {"type": "MX", "name": "@", "value": "<restored mail exchanger>"}
  ],
  "manifest_hash": "<blake3 digest of the manifest>",
  "verification_hash": "<blake3 digest of verification_report.txt>",
  "operator_did": "did:vm:operator:<operator id>",
  "guardian_sign": "<guardian signature>"
}
```

### Anchor to ProofChain

```bash
# Digest over the incident artifacts. Note: this is one hash of the concatenated files
# (globs expand in sorted order, so the result is reproducible from the same files),
# not a Merkle tree; the field name is kept for ProofChain compatibility.
merkle_root=$(cat incident_*.txt audit_snapshot.json verification_report.txt | blake3sum | cut -d' ' -f1)

# Anchor
echo "{\"type\":\"dns_incident_anchor\",\"merkle_root\":\"$merkle_root\",\"timestamp\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"}" \
  >> /var/lib/vaultmesh/proofchain/anchors.jsonl
```

---

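The manifest comparison in the verification steps of sections I and IV, together with the Classification Matrix, is what turns "some records look different" into a response level. The following is an added example written for this playbook; it is not the project's `scripts/dns-drift-check.py` (whose internals this page does not show). It assumes a manifest of records with `type`, `name` and `content` keys, which is the shape the page's `grep` expects, parses `dig +short` output per record set, and maps the findings onto the matrix. All sample data is constructed, not captured from a real zone.

```python
"""Added example: DNS drift detection and incident classification.

Illustrative code written for this playbook, not the project's
scripts/dns-drift-check.py. The manifest shape (type / name / content per record)
follows the grep in the verification steps, the response levels follow the
Classification Matrix, and all sample data is constructed.
"""
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

RRKey = Tuple[str, str]          # (record type, owner label as written in the manifest)
RRSets = Dict[RRKey, Set[str]]   # one value set per (type, owner)


class Drift(NamedTuple):
    rtype: str
    name: str
    missing: FrozenSet[str]      # in the manifest, not observed
    extra: FrozenSet[str]        # observed, not in the manifest


def normalize(value: str) -> str:
    """Make dig output and manifest values comparable (case, spacing, trailing dot)."""
    return " ".join(value.split()).lower().rstrip(".")


def rrsets_from_manifest(manifest: List[Dict[str, str]]) -> RRSets:
    expected: RRSets = {}
    for rec in manifest:
        key = (rec["type"].upper(), rec["name"])
        expected.setdefault(key, set()).add(normalize(rec["content"]))
    return expected


def rrsets_from_dig(short_output: Dict[RRKey, str]) -> RRSets:
    """Parse `dig +short <owner> <type>` output, one block of lines per (type, owner)."""
    return {
        (rtype.upper(), name): {normalize(line) for line in text.splitlines() if line.strip()}
        for (rtype, name), text in short_output.items()
    }


def detect_drift(expected: RRSets, observed: RRSets) -> List[Drift]:
    drifts: List[Drift] = []
    for key in sorted(set(expected) | set(observed)):
        want, have = expected.get(key, set()), observed.get(key, set())
        if want != have:
            drifts.append(Drift(key[0], key[1], frozenset(want - have), frozenset(have - want)))
    return drifts


def classify(drifts: List[Drift], dnssec_valid: bool = True,
             transfer_initiated: bool = False) -> Tuple[str, int]:
    """Map findings onto the Classification Matrix, worst applicable row first."""
    if transfer_initiated:
        return "SOVEREIGNTY ATTACK", 4
    if any(d.rtype == "NS" for d in drifts):
        return "CRITICAL BREACH", 4
    if not dnssec_valid:
        return "INTEGRITY FAILURE", 3
    if len(drifts) > 1:
        return "BREACH", 3
    if len(drifts) == 1:
        return "INCIDENT", 2
    return "NO DRIFT", 0          # assumption: the matrix has no row for a clean zone


# Constructed manifest (RFC 5737 documentation addresses, RFC 2606 names).
MANIFEST = [
    {"type": "A",     "name": "@",   "content": "198.51.100.10"},
    {"type": "A",     "name": "@",   "content": "198.51.100.11"},
    {"type": "MX",    "name": "@",   "content": "10 mail.example.com."},
    {"type": "CNAME", "name": "www", "content": "example.com."},
    {"type": "NS",    "name": "@",   "content": "ns1.example.net."},
    {"type": "NS",    "name": "@",   "content": "ns2.example.net."},
]

# Constructed `dig +short` captures: the apex A rrset has been repointed to an
# address the manifest never declared; everything else still matches.
OBSERVED_SHORT = {
    ("A", "@"):       "203.0.113.66\n",
    ("MX", "@"):      "10 mail.example.com.\n",
    ("CNAME", "www"): "example.com.\n",
    ("NS", "@"):      "ns2.example.net.\nns1.example.net.\n",
}


def run_check(manifest=MANIFEST, observed_short=OBSERVED_SHORT,
              **flags) -> Tuple[List[Drift], Tuple[str, int]]:
    drifts = detect_drift(rrsets_from_manifest(manifest), rrsets_from_dig(observed_short))
    return drifts, classify(drifts, **flags)


if __name__ == "__main__":
    drifts, (label, level) = run_check()
    for d in drifts:
        print(f"{d.rtype} {d.name}: missing={sorted(d.missing)} extra={sorted(d.extra)}")
    print(f"classification: {label} (Level {level})")
```

Drift is counted per record set (type plus owner), so a two-address apex A record rewritten to one attacker address is a single INCIDENT, while an NS change outranks everything short of a transfer. The DNSSEC and transfer inputs are flags because neither is visible in record data: they come from the validator and the registrar respectively.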
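The DNSSEC checks in sections I and III (query DNSKEY, query DS, update the DS at the registrar, verify) and the "DNSSEC chain validation" step above all hinge on one relation: a DS record is the key tag, algorithm and digest of one of the zone's DNSKEYs. The following added example, written for this page and not taken from Cloudflare, dnsviz or the project, computes that relation from RFC 4034 (key tag per Appendix B, digest over the canonical owner name followed by the DNSKEY RDATA) and compares it with DS records in `dig +short` form. The key material is a constructed 64-byte pattern in the shape of an algorithm 13 (ECDSA P-256) public key, not a real key, so the tags and digests it prints are illustrative only.

```python
"""Added example: check that the DS in the parent matches the zone's served DNSKEY.

Written for this playbook; not Cloudflare's, dnsviz's or the project's code.
Implements the RFC 4034 key tag (Appendix B) and DS digest (section 5.1.4) and
compares against DS records as `dig +short` prints them. The key bytes below are
a constructed pattern, not a real key.
"""
import base64
import hashlib
from typing import List, NamedTuple

# DS digest types (RFC 4034 / 4509 / 6605); SHA-256 (type 2) is what Cloudflare publishes.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


class DNSKEY(NamedTuple):
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    def short(self) -> str:
        """Presentation form, as `dig +short <zone> DS` prints it."""
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest.hex().upper()}"


def parse_dnskey(line: str) -> DNSKEY:
    flags, proto, alg, *key = line.split()          # base64 may be wrapped across spaces
    return DNSKEY(int(flags), int(proto), int(alg), base64.b64decode("".join(key)))


def parse_ds(line: str) -> DS:
    tag, alg, dtype, *digest = line.split()          # hex may also be wrapped
    return DS(int(tag), int(alg), int(dtype), bytes.fromhex("".join(digest)))


def wire_name(name: str) -> bytes:
    """Canonical owner name: lowercase labels, each length-prefixed, ending in the root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian words, fold in the carry."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + key.rdata).digest()
    return DS(key_tag(key.rdata), key.algorithm, digest_type, digest)


def chain_status(owner: str, dnskey_lines: List[str], ds_lines: List[str]) -> str:
    """DS-to-DNSKEY link only; RRSIGs over the DNSKEY RRset still need dig +dnssec / dnsviz.

    INSECURE: no DS in the parent (unsigned delegation, e.g. DNSSEC turned off and DS removed).
    BOGUS: a DS exists but no served DNSKEY produces it (stale DS after a re-key, or keys the
    operator never published). SECURE: at least one published DS matches a served key.
    """
    if not ds_lines:
        return "INSECURE"
    keys = [parse_dnskey(line) for line in dnskey_lines]
    for ds in map(parse_ds, ds_lines):
        if ds.digest_type not in DIGEST_ALGS:
            continue                                   # unknown digest type: cannot verify it
        if any(ds_from_dnskey(owner, k, ds.digest_type) == ds for k in keys):
            return "SECURE"
    return "BOGUS"


# Constructed zone data (not captured): a KSK (flags 257) and a ZSK (flags 256), algorithm 13.
ZONE = "example.com."
KSK_LINE = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()
ZSK_LINE = "256 3 13 " + base64.b64encode(bytes(range(64, 128))).decode()
ROGUE_LINE = "257 3 13 " + base64.b64encode(bytes(64)).decode()   # a key the operator never had
DNSKEY_LINES = [KSK_LINE, ZSK_LINE]


def expected_ds_lines(owner: str = ZONE, dnskey_lines: List[str] = DNSKEY_LINES) -> List[str]:
    """What the registrar should hold: one DS per SEP-flagged (KSK) key, in `dig +short` form."""
    return [ds_from_dnskey(owner, k).short() for k in map(parse_dnskey, dnskey_lines) if k.flags & 1]


if __name__ == "__main__":
    good = expected_ds_lines()
    print("publish at registrar:", *good, sep="\n  ")
    print("correct DS      :", chain_status(ZONE, DNSKEY_LINES, good))
    print("after rogue rekey:", chain_status(ZONE, [ROGUE_LINE, ZSK_LINE], good))
    print("DS removed      :", chain_status(ZONE, DNSKEY_LINES, []))
```

Feed it the real `dig +short "$DOMAIN" DNSKEY` and `dig +short "$DOMAIN" DS` lines: a BOGUS result after re-enabling DNSSEC means the registrar still holds the old DS (or an attacker's keys are being served), and INSECURE means the delegation is currently unsigned, which matches the "DNSSEC disabled/invalid" row of the Classification Matrix.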
## V. Post-Incident Governance

### Mandatory Actions (Within 24 Hours)

- [ ] Full API token rotation completed
- [ ] Registrar 2FA verified/upgraded
- [ ] Transfer lock enabled at registrar
- [ ] DNSSEC re-validated
- [ ] All DNS records match manifest
- [ ] VaultMesh receipts emitted
- [ ] ProofChain anchor verified
- [ ] Incident report drafted

### Root Cause Analysis Template

```markdown
## DNS Compromise RCA - -

### Timeline
- T-0:
- T+5m:
- T+30m:
- T+Xh:

### Attack Vector

### Records Affected
| Record | Original | Malicious | Duration |
|--------|----------|-----------|----------|

### Impact Assessment
- Traffic redirected:
- Data exposure risk:
- Reputation impact:

### Prevention Measures
1.
2.
3.

### Artifacts
- Audit log hash:
- Incident snapshot hash:
- Restoration receipt:
```

### Monitoring Enhancements

After any DNS compromise, implement:

1. **Real-time DNS monitoring** - External service checking every 60s
2. **Certificate Transparency alerts** - Monitor for unauthorized certs
3. **Passive DNS feeds** - Historical record tracking
4. **VaultMesh drift detection** - Automated manifest comparison

---

## VI. Escalation Contacts

| Role | Contact | When |
|------|---------|------|
| Cloudflare Support | dash.cloudflare.com/support | Zone-level issues |
| Registrar Security | | Delegation attacks |
| Tem Guardian | internal protocol | All incidents |
| Legal | | Data exposure suspected |

---

## VII. The Covenant Restored

*When the name is reclaimed and verified against the manifest, sovereignty returns to the realm. The drift has been corrected, the proof anchored, and the mesh made whole again.*

**Incident closure requires:**

- All verification checks passing
- VaultMesh receipt emitted and signed
- ProofChain anchor confirmed
- RCA completed and filed

---

**Document Version**: 1.0
**Last Updated**:
**Guardian**: Tem
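Closure requires the ProofChain anchor to be confirmed, and the "Anchor to ProofChain" step in section IV computes that anchor as one digest over the concatenated artifact files. A flat digest cannot later show that a single artifact (say `audit_snapshot.json`) belongs to the anchor without re-presenting every file. The following added example, written for this page and not taken from ProofChain or VaultMesh, builds a binary Merkle tree over the artifacts with RFC 6962 style leaf/node prefixes and produces per-file inclusion proofs. `hashlib.sha256` stands in for BLAKE3 because the third-party `blake3` package is not assumed; passing `blake3.blake3` as `hasher` matches the playbook's tooling. The `leaves` field in the anchor record is an addition to the page's record format, and the artifact contents are constructed stand-ins, not real evidence.

```python
"""Added example: a Merkle root over incident artifacts, with inclusion proofs.

Written for this playbook, not ProofChain's own code. hashlib.sha256 stands in
for BLAKE3 (pass blake3.blake3 as `hasher` to match the playbook). Artifact
contents below are constructed, not real evidence.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

LEAF, NODE = b"\x00", b"\x01"    # domain separation: an interior node can never pose as a leaf
Proof = List[Tuple[bytes, str]]  # (sibling hash, "L" or "R": the side the sibling sits on)


def _hash(hasher: Callable, *parts: bytes) -> bytes:
    h = hasher()
    for part in parts:
        h.update(part)
    return h.digest()


def leaf_hash(data: bytes, hasher=hashlib.sha256) -> bytes:
    return _hash(hasher, LEAF, data)


def _next_level(level: List[bytes], hasher) -> List[bytes]:
    if len(level) % 2:
        level = level + [level[-1]]      # duplicate the last node when a level is odd
    return [_hash(hasher, NODE, level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: List[bytes], hasher=hashlib.sha256) -> bytes:
    if not leaves:
        raise ValueError("nothing to anchor")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level, hasher)
    return level[0]


def inclusion_proof(leaves: List[bytes], index: int, hasher=hashlib.sha256) -> Proof:
    """Sibling hashes from the leaf up to (not including) the root."""
    proof: Proof = []
    level, i = list(leaves), index
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = i ^ 1
        proof.append((level[sibling], "L" if sibling < i else "R"))
        level, i = _next_level(level, hasher), i // 2
    return proof


def verify_inclusion(leaf: bytes, proof: Proof, root: bytes, hasher=hashlib.sha256) -> bool:
    node = leaf
    for sibling, side in proof:
        node = _hash(hasher, NODE, sibling, node) if side == "L" else _hash(hasher, NODE, node, sibling)
    return node == root


# Constructed stand-ins for the files the anchor step collects (names from the playbook).
ARTIFACTS: Dict[str, bytes] = {
    "incident_20240101_000000_dns_state.txt": b"example.com.\t300\tIN\tA\t203.0.113.66\n",
    "audit_snapshot.json": b'{"result": [{"action": "record_changed", "actor": "unknown"}]}\n',
    "verification_report.txt": b"=== A ===\n198.51.100.10\n198.51.100.11\n",
}


def _leaves(artifacts: Dict[str, bytes], hasher) -> Tuple[List[str], List[bytes]]:
    names = sorted(artifacts)            # fixed order so the same files always give the same root
    return names, [leaf_hash(artifacts[n], hasher) for n in names]


def anchor(artifacts: Dict[str, bytes], hasher=hashlib.sha256) -> Dict[str, object]:
    """Anchor record; `leaves` is an addition to the playbook's record, timestamp left to the caller."""
    names, leaves = _leaves(artifacts, hasher)
    return {
        "type": "dns_incident_anchor",
        "merkle_root": merkle_root(leaves, hasher).hex(),
        "leaves": {n: h.hex() for n, h in zip(names, leaves)},
    }


def prove_file(artifacts: Dict[str, bytes], name: str, hasher=hashlib.sha256) -> Tuple[bytes, Proof]:
    names, leaves = _leaves(artifacts, hasher)
    idx = names.index(name)
    return leaves[idx], inclusion_proof(leaves, idx, hasher)


if __name__ == "__main__":
    record = anchor(ARTIFACTS)
    print("merkle_root:", record["merkle_root"])
    leaf, proof = prove_file(ARTIFACTS, "audit_snapshot.json")
    print("audit_snapshot.json in anchor:",
          verify_inclusion(leaf, proof, bytes.fromhex(record["merkle_root"])))
```

With this shape, the anchor line appended to `anchors.jsonl` commits to every artifact individually: an auditor holding only `audit_snapshot.json`, its proof and the anchored root can confirm the file was part of the closed incident, and any later edit to any file changes the root.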