vaultsovereign/vm-cloudflare
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
37a867c485b26e863afdaf8dbe514dc99563add2
vm-cloudflare/playbooks/DNS-COMPROMISE-PLAYBOOK.md
Vault Sovereign 37a867c485 Initial commit: Cloudflare infrastructure with WAF Intelligence 
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
2025-12-16 18:31:53 +00:00

300 lines
8.2 KiB
Markdown
Raw Blame History

# DNS Compromise Playbook
**Incident Response** | Governed by [RED-BOOK.md](../RED-BOOK.md)
## The Name of the Realm Has Been Rewritten
*When the true name of a domain drifts from its sovereign declaration, the mesh fractures at its foundation. This playbook restores naming authority through verified correction.*
---
## I. NIGREDO — Detection & Analysis
### Trigger Signals
The following anomalies indicate potential DNS compromise:
| Signal | Source | Severity |
|--------|--------|----------|
| Unauthorized A/AAAA record change | Cloudflare Audit Log | CRITICAL |
| NS delegation modified | Registrar / WHOIS | CRITICAL |
| DNSSEC signature invalid | External validator | CRITICAL |
| MX record redirected | Email bounce reports | HIGH |
| New TXT record (unknown) | DNS diff tool | MEDIUM |
| Unexpected CNAME chain | Telemetry bridge | MEDIUM |
### Immediate Verification Steps
```bash
# 1. Query authoritative nameservers
dig +trace @1.1.1.1 <domain> ANY
# 2. Check DNSSEC chain
dig +dnssec <domain> DNSKEY
dig +dnssec <domain> DS
# 3. Compare against VaultMesh manifest
diff <(dig +short <domain> A) <(cat dns_manifest.yml | grep -A1 "type: A" | grep content)
# 4. Verify WHOIS delegation
whois <domain> | grep -i "name server"
```
### Classification Matrix
| Scenario | Classification | Response Level |
|----------|---------------|----------------|
| Single record drift (A/CNAME) | INCIDENT | Level 2 |
| Multiple records changed | BREACH | Level 3 |
| NS delegation hijacked | CRITICAL BREACH | Level 4 |
| DNSSEC disabled/invalid | INTEGRITY FAILURE | Level 3 |
| Domain transfer initiated | SOVEREIGNTY ATTACK | Level 4 |
---
## II. ALBEDO — Containment
### Immediate Actions (First 15 Minutes)
#### 1. Lock the Domain
```bash
# Cloudflare API - Enable zone lockdown
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/<zone_id>/settings/security_level" \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
--data '{"value":"under_attack"}'
```
#### 2. Preserve Evidence
```bash
# Snapshot current DNS state
dig +noall +answer <domain> ANY > incident_$(date +%Y%m%d_%H%M%S)_dns_state.txt
# Export Cloudflare audit logs
curl -X GET "https://api.cloudflare.com/client/v4/accounts/<account_id>/audit_logs" \
-H "Authorization: Bearer <token>" > audit_snapshot.json
# Hash and anchor immediately
blake3sum incident_*.txt audit_snapshot.json >> /var/lib/vaultmesh/incidents/dns_$(date +%Y%m%d).hashes
```
#### 3. Revoke Compromised Access
- [ ] Rotate all Cloudflare API tokens
- [ ] Invalidate active sessions in dashboard
- [ ] Review and remove unknown collaborators
- [ ] Check for OAuth app authorizations
#### 4. Notify Tem (Guardian Protocol)
```json
{
"event": "dns_compromise_detected",
"domain": "<domain>",
"severity": "CRITICAL",
"timestamp": "<ISO8601>",
"evidence_hash": "<blake3_hash>",
"responder": "<operator_did>"
}
```
---
## III. CITRINITAS — Restoration
### Record Recovery Procedure
#### From VaultMesh Manifest (Preferred)
```bash
# 1. Load known-good manifest
MANIFEST="/var/lib/vaultmesh/snapshots/dns_manifest_<domain>_<last_known_good>.yml"
# 2. Validate manifest integrity
blake3sum -c /var/lib/vaultmesh/anchors/dns_hashes.log | grep $MANIFEST
# 3. Apply via Terraform
cd ~/Desktop/CLOUDFLARE/terraform
terraform plan -var-file=recovery.tfvars
terraform apply -auto-approve
```
#### Manual Recovery (If Manifest Unavailable)
```bash
# Delete malicious records
curl -X DELETE "https://api.cloudflare.com/client/v4/zones/<zone_id>/dns_records/<record_id>" \
-H "Authorization: Bearer <token>"
# Recreate correct records
curl -X POST "https://api.cloudflare.com/client/v4/zones/<zone_id>/dns_records" \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
--data '{
"type": "A",
"name": "@",
"content": "<correct_ip>",
"proxied": true
}'
```
### DNSSEC Re-establishment
```bash
# 1. Regenerate DNSSEC keys (if compromised)
# Via Cloudflare Dashboard: DNS > Settings > DNSSEC > Disable then Re-enable
# 2. Update DS record at registrar
# New DS record will be shown in Cloudflare dashboard
# 3. Verify propagation
dig +dnssec <domain> DNSKEY
```
### NS Delegation Recovery (Critical)
If nameservers were hijacked:
1. **Contact registrar immediately** - Use out-of-band verification
2. **Provide proof of ownership** - Domain verification documents
3. **Request delegation reset** - Point NS back to Cloudflare
4. **Enable registrar lock** - Prevent future transfers
5. **Set up registrar alerts** - Email/SMS for any changes
---
## IV. RUBEDO — Verification & Anchoring
### Post-Recovery Verification
```bash
# 1. Full DNS validation
for record_type in A AAAA CNAME MX TXT NS; do
echo "=== $record_type ===" >> verification_report.txt
dig +short <domain> $record_type >> verification_report.txt
done
# 2. DNSSEC chain validation
dnsviz probe <domain> -o dnsviz_output.json
dnsviz print -r dnsviz_output.json
# 3. Compare to manifest
python3 scripts/dns-drift-check.py --domain <domain> --manifest dns_manifest.yml
# 4. External verification (multiple resolvers)
for resolver in 1.1.1.1 8.8.8.8 9.9.9.9; do
dig @$resolver <domain> A +short
done
```
### Emit Restoration Receipt
```json
{
"receipt_type": "dns_restoration",
"schema_version": "vm_dns_restoration_v1",
"domain": "<domain>",
"incident_id": "<uuid>",
"timestamp": "<ISO8601>",
"records_restored": [
{"type": "A", "name": "@", "value": "<ip>"},
{"type": "MX", "name": "@", "value": "<mx_host>"}
],
"manifest_hash": "<blake3_of_applied_manifest>",
"verification_hash": "<blake3_of_verification_report>",
"operator_did": "did:vm:operator:<id>",
"guardian_sign": "<tem_signature>"
}
```
### Anchor to ProofChain
```bash
# Compute Merkle root of incident artifacts
merkle_root=$(cat incident_*.txt audit_snapshot.json verification_report.txt | blake3sum | cut -d' ' -f1)
# Anchor
echo "{\"type\":\"dns_incident_anchor\",\"merkle_root\":\"$merkle_root\",\"timestamp\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"}" \
>> /var/lib/vaultmesh/proofchain/anchors.jsonl
```
---
## V. Post-Incident Governance
### Mandatory Actions (Within 24 Hours)
- [ ] Full API token rotation completed
- [ ] Registrar 2FA verified/upgraded
- [ ] Transfer lock enabled at registrar
- [ ] DNSSEC re-validated
- [ ] All DNS records match manifest
- [ ] VaultMesh receipts emitted
- [ ] ProofChain anchor verified
- [ ] Incident report drafted
### Root Cause Analysis Template
```markdown
## DNS Compromise RCA - <domain> - <date>
### Timeline
- T-0: <Detection timestamp and method>
- T+5m: <Containment actions>
- T+30m: <Recovery initiated>
- T+Xh: <Full restoration verified>
### Attack Vector
<How did the attacker gain access?>
### Records Affected
| Record | Original | Malicious | Duration |
|--------|----------|-----------|----------|
### Impact Assessment
- Traffic redirected: <estimate>
- Data exposure risk: <assessment>
- Reputation impact: <assessment>
### Prevention Measures
1. <Specific improvement>
2. <Specific improvement>
3. <Specific improvement>
### Artifacts
- Audit log hash: <hash>
- Incident snapshot hash: <hash>
- Restoration receipt: <receipt_id>
```
### Monitoring Enhancements
After any DNS compromise, implement:
1. **Real-time DNS monitoring** - External service checking every 60s
2. **Certificate Transparency alerts** - Monitor for unauthorized certs
3. **Passive DNS feeds** - Historical record tracking
4. **VaultMesh drift detection** - Automated manifest comparison
---
## VI. Escalation Contacts
| Role | Contact | When |
|------|---------|------|
| Cloudflare Support | dash.cloudflare.com/support | Zone-level issues |
| Registrar Security | <registrar_security_email> | Delegation attacks |
| Tem Guardian | internal protocol | All incidents |
| Legal | <legal_contact> | Data exposure suspected |
---
## VII. The Covenant Restored
*When the name is reclaimed and verified against the manifest, sovereignty returns to the realm. The drift has been corrected, the proof anchored, and the mesh made whole again.*
**Incident closure requires:**
- All verification checks passing
- VaultMesh receipt emitted and signed
- ProofChain anchor confirmed
- RCA completed and filed
---
**Document Version**: 1.0
**Last Updated**: <date>
**Guardian**: Tem
Reference in New Issue View Git Blame Copy Permalink