vm-cloudflare/playbooks/DNS-COMPROMISE-PLAYBOOK.md
Vault Sovereign 37a867c485 Initial commit: Cloudflare infrastructure with WAF Intelligence
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
2025-12-16 18:31:53 +00:00


DNS Compromise Playbook

Incident Response | Governed by RED-BOOK.md

The Name of the Realm Has Been Rewritten

When the true name of a domain drifts from its sovereign declaration, the mesh fractures at its foundation. This playbook restores naming authority through verified correction.


I. NIGREDO — Detection & Analysis

Trigger Signals

The following anomalies indicate potential DNS compromise:

| Signal | Source | Severity |
|--------|--------|----------|
| Unauthorized A/AAAA record change | Cloudflare Audit Log | CRITICAL |
| NS delegation modified | Registrar / WHOIS | CRITICAL |
| DNSSEC signature invalid | External validator | CRITICAL |
| MX record redirected | Email bounce reports | HIGH |
| New TXT record (unknown) | DNS diff tool | MEDIUM |
| Unexpected CNAME chain | Telemetry bridge | MEDIUM |

Immediate Verification Steps

# 1. Query authoritative nameservers
# ANY is often answered minimally (RFC 8482); if the answer is empty, query the specific types
dig +trace @1.1.1.1 <domain> ANY
for t in A AAAA NS MX TXT; do dig +trace <domain> $t; done

# 2. Check DNSSEC chain
dig +dnssec <domain> DNSKEY
dig +dnssec <domain> DS

# 3. Compare against VaultMesh manifest
# Extract only the values from the manifest and sort both sides so diff compares like with like.
# Note: proxied records resolve to Cloudflare edge addresses publicly, so compare those via the API export instead.
diff <(dig +short <domain> A | sort) <(grep -A1 "type: A$" dns_manifest.yml | grep content | awk '{print $2}' | sort)

# 4. Verify WHOIS delegation
whois <domain> | grep -i "name server"

Classification Matrix

| Scenario | Classification | Response Level |
|----------|----------------|----------------|
| Single record drift (A/CNAME) | INCIDENT | Level 2 |
| Multiple records changed | BREACH | Level 3 |
| NS delegation hijacked | CRITICAL BREACH | Level 4 |
| DNSSEC disabled/invalid | INTEGRITY FAILURE | Level 3 |
| Domain transfer initiated | SOVEREIGNTY ATTACK | Level 4 |
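The manifest comparison in step 3 and the classification matrix above are both mechanical enough to script. The following is an added example, not the repository's `scripts/dns-drift-check.py` or any other VaultMesh code: it parses `dig +short` output, compares it with manifest entries, and maps the result onto the matrix (NS drift is Level 4, more than one changed record is Level 3, a single changed record is Level 2). The manifest and the dig output are constructed sample data embedded inline; a real run would load `dns_manifest.yml` and capture dig output per (name, type). It also skips proxied records for the public-resolver view, because a public resolver answers with Cloudflare edge addresses for those rather than the origin content in the manifest.

```python
"""Added example (not the repository's dns-drift-check.py): compare observed
DNS answers with the VaultMesh manifest and classify the result using the
playbook's classification matrix."""

# Constructed sample manifest, in the shape of dns_manifest.yml entries
# (in practice loaded from the file with a YAML parser).
MANIFEST = [
    {"type": "A", "name": "@", "content": "203.0.113.10", "proxied": False},
    {"type": "MX", "name": "@", "content": "10 mail.example.net.", "proxied": False},
    {"type": "NS", "name": "@", "content": "ns1.example-dns.net.", "proxied": False},
    {"type": "NS", "name": "@", "content": "ns2.example-dns.net.", "proxied": False},
    {"type": "TXT", "name": "@", "content": '"v=spf1 include:_spf.example.net -all"', "proxied": False},
    {"type": "CNAME", "name": "www", "content": "example.net.", "proxied": True},
]

# Constructed `dig +short <name> <type>` output keyed by (name, type), as it
# would be captured during the verification steps. The apex A record has drifted.
OBSERVED_DIG = {
    ("@", "A"): "198.51.100.77\n",
    ("@", "MX"): "10 mail.example.net.\n",
    ("@", "NS"): "ns1.example-dns.net.\nns2.example-dns.net.\n",
    ("@", "TXT"): '"v=spf1 include:_spf.example.net -all"\n',
    ("www", "CNAME"): "example.net.\n",
}


def parse_dig_short(text: str) -> set:
    """Turn `dig +short` output into a set of answer strings, one per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def expected_records(manifest: list, public_view: bool = True) -> dict:
    """Group manifest content by (name, type).

    With public_view=True, proxied records are skipped: a public resolver
    returns Cloudflare edge addresses for them, so they can only be compared
    against the zone's API export, not against origin content."""
    expected = {}
    for rec in manifest:
        if public_view and rec.get("proxied", False):
            continue
        expected.setdefault((rec["name"], rec["type"]), set()).add(rec["content"])
    return expected


def find_drift(expected: dict, observed_dig: dict) -> dict:
    """Return, per (name, type), which expected values are missing and which
    observed values the manifest does not declare. Empty dict means no drift."""
    drift = {}
    for key, want in expected.items():
        got = parse_dig_short(observed_dig.get(key, ""))
        missing, unexpected = want - got, got - want
        if missing or unexpected:
            drift[key] = {"missing": missing, "unexpected": unexpected}
    return drift


def classify(drift: dict) -> tuple:
    """Map drift onto the playbook's classification matrix."""
    if not drift:
        return "NO DRIFT", 0
    if any(rtype == "NS" for _, rtype in drift):
        return "CRITICAL BREACH", 4          # NS delegation hijacked
    # A replaced record shows up as one missing plus one unexpected value;
    # count that as a single changed record.
    changed = sum(max(len(d["missing"]), len(d["unexpected"])) for d in drift.values())
    if changed > 1:
        return "BREACH", 3                   # multiple records changed
    return "INCIDENT", 2                     # single record drift


def run_check(manifest: list, observed_dig: dict) -> dict:
    drift = find_drift(expected_records(manifest), observed_dig)
    label, level = classify(drift)
    return {"drift": drift, "classification": label, "response_level": level}


if __name__ == "__main__":
    result = run_check(MANIFEST, OBSERVED_DIG)
    for (name, rtype), d in result["drift"].items():
        print(f"{name} {rtype}: missing={sorted(d['missing'])} unexpected={sorted(d['unexpected'])}")
    print(result["classification"], "-> Level", result["response_level"])
```

The DNSSEC and domain-transfer rows of the matrix are not derivable from record content alone and stay manual in this example; the `dig +dnssec` and WHOIS checks above feed those.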

II. ALBEDO — Containment

Immediate Actions (First 15 Minutes)

1. Lock the Domain

# Cloudflare API - switch the zone to Under Attack mode (security_level)
# This raises challenge behaviour for proxied traffic; it does not by itself block DNS record edits, so step 3 (revoke access) is still required.
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/<zone_id>/settings/security_level" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  --data '{"value":"under_attack"}'

2. Preserve Evidence

# Snapshot current DNS state (ANY may be answered minimally, so capture each type as well)
SNAPSHOT="incident_$(date +%Y%m%d_%H%M%S)_dns_state.txt"
dig +noall +answer <domain> ANY > "$SNAPSHOT"
for t in A AAAA CNAME MX TXT NS DS; do dig +noall +answer <domain> $t; done >> "$SNAPSHOT"

# Export Cloudflare audit logs
curl -X GET "https://api.cloudflare.com/client/v4/accounts/<account_id>/audit_logs" \
  -H "Authorization: Bearer <token>" > audit_snapshot.json

# Hash and anchor immediately
blake3sum incident_*.txt audit_snapshot.json >> /var/lib/vaultmesh/incidents/dns_$(date +%Y%m%d).hashes

3. Revoke Compromised Access

  • Rotate all Cloudflare API tokens
  • Invalidate active sessions in dashboard
  • Review and remove unknown collaborators
  • Check for OAuth app authorizations

4. Notify Tem (Guardian Protocol)

{
  "event": "dns_compromise_detected",
  "domain": "<domain>",
  "severity": "CRITICAL",
  "timestamp": "<ISO8601>",
  "evidence_hash": "<blake3_hash>",
  "responder": "<operator_did>"
}

III. CITRINITAS — Restoration

Record Recovery Procedure

From VaultMesh Manifest (Preferred)

# 1. Load known-good manifest
MANIFEST="/var/lib/vaultmesh/snapshots/dns_manifest_<domain>_<last_known_good>.yml"

# 2. Validate manifest integrity
blake3sum -c /var/lib/vaultmesh/anchors/dns_hashes.log | grep "$MANIFEST"

# 3. Apply via Terraform (save the plan and apply exactly that plan, so what was reviewed is what is applied)
cd ~/Desktop/CLOUDFLARE/terraform
terraform plan -var-file=recovery.tfvars -out=recovery.tfplan
terraform apply recovery.tfplan

Manual Recovery (If Manifest Unavailable)

# Delete malicious records
curl -X DELETE "https://api.cloudflare.com/client/v4/zones/<zone_id>/dns_records/<record_id>" \
  -H "Authorization: Bearer <token>"

# Recreate correct records
curl -X POST "https://api.cloudflare.com/client/v4/zones/<zone_id>/dns_records" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  --data '{
    "type": "A",
    "name": "@",
    "content": "<correct_ip>",
    "proxied": true
  }'

DNSSEC Re-establishment

# 1. Regenerate DNSSEC keys (if compromised)
# Via Cloudflare Dashboard: DNS > Settings > DNSSEC > Disable then Re-enable

# 2. Update DS record at registrar
# New DS record will be shown in Cloudflare dashboard

# 3. Verify propagation
dig +dnssec <domain> DNSKEY

NS Delegation Recovery (Critical)

If nameservers were hijacked:

  1. Contact registrar immediately - Use out-of-band verification
  2. Provide proof of ownership - Domain verification documents
  3. Request delegation reset - Point NS back to Cloudflare
  4. Enable registrar lock - Prevent future transfers
  5. Set up registrar alerts - Email/SMS for any changes

IV. RUBEDO — Verification & Anchoring

Post-Recovery Verification

# 1. Full DNS validation
for record_type in A AAAA CNAME MX TXT NS; do
  echo "=== $record_type ===" >> verification_report.txt
  dig +short <domain> $record_type >> verification_report.txt
done

# 2. DNSSEC chain validation
dnsviz probe <domain> -o dnsviz_output.json
dnsviz print -r dnsviz_output.json

# 3. Compare to manifest
python3 scripts/dns-drift-check.py --domain <domain> --manifest dns_manifest.yml

# 4. External verification (multiple resolvers)
for resolver in 1.1.1.1 8.8.8.8 9.9.9.9; do
  dig @$resolver <domain> A +short
done

Emit Restoration Receipt

{
  "receipt_type": "dns_restoration",
  "schema_version": "vm_dns_restoration_v1",
  "domain": "<domain>",
  "incident_id": "<uuid>",
  "timestamp": "<ISO8601>",
  "records_restored": [
    {"type": "A", "name": "@", "value": "<ip>"},
    {"type": "MX", "name": "@", "value": "<mx_host>"}
  ],
  "manifest_hash": "<blake3_of_applied_manifest>",
  "verification_hash": "<blake3_of_verification_report>",
  "operator_did": "did:vm:operator:<id>",
  "guardian_sign": "<tem_signature>"
}

Anchor to ProofChain

# Digest the concatenated incident artifacts (a single flat hash, used here as the anchor root)
merkle_root=$(cat incident_*.txt audit_snapshot.json verification_report.txt | blake3sum | cut -d' ' -f1)

# Anchor
echo "{\"type\":\"dns_incident_anchor\",\"merkle_root\":\"$merkle_root\",\"timestamp\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"}" \
  >> /var/lib/vaultmesh/proofchain/anchors.jsonl
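The anchor above hashes the concatenation of the artifacts, which proves nothing about any single file later. The following added example (not VaultMesh's ProofChain code) builds a true Merkle tree over the per-artifact digests from the "Hash and anchor immediately" step, emits an anchor line in the same shape as the one appended to `anchors.jsonl`, and produces inclusion proofs so that one artifact can be checked against the root without the others. It uses SHA-256 from the standard library as a stand-in for `blake3sum`, and the artifact contents are constructed sample bytes rather than real incident files.

```python
"""Added example (not the project's code): a Merkle root with inclusion
proofs over the incident artifacts, for the ProofChain anchor."""
import hashlib
import json


def digest_hex(data: bytes) -> str:
    # SHA-256 stands in for the playbook's blake3sum (blake3 is not in the
    # standard library); the tree construction is identical for either digest.
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the files the playbook collects.
ARTIFACTS = {
    "incident_20251216_183153_dns_state.txt": b"example.net.\t300\tIN\tA\t198.51.100.77\n",
    "audit_snapshot.json": b'{"result": [{"action": {"type": "update"}, "resource": {"type": "DNS_record"}}]}\n',
    "verification_report.txt": b"=== A ===\n203.0.113.10\n=== MX ===\n10 mail.example.net.\n",
}


def leaf_hashes(artifacts: dict) -> list:
    """Hash each artifact separately, ordered by name so the root does not
    depend on shell glob or dict ordering."""
    return [digest_hex(artifacts[name]) for name in sorted(artifacts)]


def _pad(level: list) -> list:
    # Duplicate the last node on odd-sized levels so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else list(level)


def _pair_up(level: list) -> list:
    level = _pad(level)
    return [digest_hex(bytes.fromhex(level[i] + level[i + 1])) for i in range(0, len(level), 2)]


def merkle_root(leaves: list) -> str:
    if not leaves:
        raise ValueError("no artifacts to anchor")
    level = list(leaves)
    while len(level) > 1:
        level = _pair_up(level)
    return level[0]


def merkle_proof(leaves: list, index: int) -> list:
    """Sibling hashes from leaf to root, each tagged with the side it sits on."""
    proof, level, i = [], list(leaves), index
    while len(level) > 1:
        level = _pad(level)
        sibling = i ^ 1
        proof.append((level[sibling], "right" if sibling > i else "left"))
        level, i = _pair_up(level), i // 2
    return proof


def verify_inclusion(leaf: str, proof: list, root: str) -> bool:
    """Recompute the path from a leaf digest to the root using the proof."""
    h = leaf
    for sibling, side in proof:
        combined = h + sibling if side == "right" else sibling + h
        h = digest_hex(bytes.fromhex(combined))
    return h == root


def build_anchor(artifacts: dict, timestamp: str) -> dict:
    """Anchor record in the shape the playbook appends to anchors.jsonl, plus
    the per-leaf digests so an auditor can re-derive the root."""
    names = sorted(artifacts)
    leaves = leaf_hashes(artifacts)
    return {
        "type": "dns_incident_anchor",
        "merkle_root": merkle_root(leaves),
        "leaves": dict(zip(names, leaves)),
        "timestamp": timestamp,
    }


def anchor_line(anchor: dict) -> str:
    """One JSON line, suitable for appending to proofchain/anchors.jsonl."""
    return json.dumps(anchor, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    anchor = build_anchor(ARTIFACTS, "2025-12-16T18:31:53Z")  # constructed timestamp
    print(anchor_line(anchor))
    leaves = leaf_hashes(ARTIFACTS)
    proof = merkle_proof(leaves, 0)
    print("inclusion of first artifact verifies:", verify_inclusion(leaves[0], proof, anchor["merkle_root"]))
```

Because the anchor carries the leaf digests as well as the root, a later reviewer who holds only `verification_report.txt` can confirm it was part of the anchored set, which the flat concatenated hash cannot offer.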

V. Post-Incident Governance

Mandatory Actions (Within 24 Hours)

  • Full API token rotation completed
  • Registrar 2FA verified/upgraded
  • Transfer lock enabled at registrar
  • DNSSEC re-validated
  • All DNS records match manifest
  • VaultMesh receipts emitted
  • ProofChain anchor verified
  • Incident report drafted

Root Cause Analysis Template

## DNS Compromise RCA - <domain> - <date>

### Timeline
- T-0: <Detection timestamp and method>
- T+5m: <Containment actions>
- T+30m: <Recovery initiated>
- T+Xh: <Full restoration verified>

### Attack Vector
<How did the attacker gain access?>

### Records Affected
| Record | Original | Malicious | Duration |
|--------|----------|-----------|----------|

### Impact Assessment
- Traffic redirected: <estimate>
- Data exposure risk: <assessment>
- Reputation impact: <assessment>

### Prevention Measures
1. <Specific improvement>
2. <Specific improvement>
3. <Specific improvement>

### Artifacts
- Audit log hash: <hash>
- Incident snapshot hash: <hash>
- Restoration receipt: <receipt_id>

Monitoring Enhancements

After any DNS compromise, implement:

  1. Real-time DNS monitoring - External service checking every 60s
  2. Certificate Transparency alerts - Monitor for unauthorized certs
  3. Passive DNS feeds - Historical record tracking
  4. VaultMesh drift detection - Automated manifest comparison

VI. Escalation Contacts

| Role | Contact | When |
|------|---------|------|
| Cloudflare Support | dash.cloudflare.com/support | Zone-level issues |
| Registrar Security | <registrar_security_email> | Delegation attacks |
| Tem Guardian | internal protocol | All incidents |
| Legal | <legal_contact> | Data exposure suspected |

VII. The Covenant Restored

When the name is reclaimed and verified against the manifest, sovereignty returns to the realm. The drift has been corrected, the proof anchored, and the mesh made whole again.

Incident closure requires:

  • All verification checks passing
  • VaultMesh receipt emitted and signed
  • ProofChain anchor confirmed
  • RCA completed and filed

Document Version: 1.0 Last Updated: Guardian: Tem