Why implicit trust in DNS servers you do not control is bad, and what to do instead:
As part of a recent malicious campaign focused on government agencies, telecom and infrastructure organizations attackers have been leveraging compromised DNS servers. This gave them control over any zone you visited and allowed to intercept any https based traffic by leveraging the DNS hijacking with transparent proxies and valid Let’s Encrypt certificates. Protect yourself with Infoblox’s ActiveTrust Cloud from DNS hijacking and benefit from the security offered by Infoblox’s recursive SaaS solution.
What can you do to protect your brand and your customers from falling victim to DNS hijacking:
The first level of protection for your users and customer is to deploy DNSSEC. By signing your zones you allow anyone to validate your DNS data and ensure it has not been hijacked. If you are looking for Next Level Security then you can leverage Infoblox’s support for CAA records, which help with securing your https certificates. If you had CAA DNS records in place then this campaign would not have been possible as no Certificate Authority is permitted to provide certificates that contradict the CAA records.
With Infoblox you can be on the forefront of change and deploy DANE/TLSA to boost your organization’s security footprint and benefit from state of the art decentralized security that even a compromised CA cannot prevent.