Upgraded all four of my pihole instances to v6. They’re working perfectly!
I love how a bunch of the “advanced” settings are now available from the UI. It makes initial set up so much easier.
Our Quad9 documentation is now also available in #Romanian (https://docs.quad9.net/ro/) thanks to the help of our friend, Toma Minea (https://www.linkedin.com/in/toma-minea-86900582/).
PhaaS actor uses DoH and DNS MX to dynamically distribute phishing
Infoblox discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored login pages, spoofing over 100 brands.
Pulse ID: 67eaf35a20355ae846b8269d
Pulse Link: https://otx.alienvault.com/pulse/67eaf35a20355ae846b8269d
Pulse Author: AlienVault
Created: 2025-03-31 19:56:09
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
Catch @aeden on Rogue Startups & Code Story podcasts, check out our new video support guides to your top #DNS questions, & make sure to register for our webinar with HashiCorp on simplifying DNS management with #Terraform in 2 days! Details here https://blog.dnsimple.com/2025/03/spring-whats-new/
#dns #terraform
Access to domain registration data is neither timely nor uniform. In today's Interisle Insights post, Colin Strutt shares the challenges that law enforcement, first responders, and researchers face in collecting even the “non contact registration data” elements to identify where cybercriminals acquire resources for their attacks.
https://interisle.substack.com/p/limiting-access-to-domain-registration
This amazing, cursed, fun, terrifying, makes you sick if you've ever worked in #networking and incredibly entertaining all at the same time:
https://1.6.0.0.8.0.0.b.e.d.0.a.2.ip6.arpa/@domi/statuses/01JQHWXY605XVPGY5MAXV30K5X
Pulling the Threads on the Phish of Troy Hunt
A sophisticated phishing attack targeted Troy Hunt, compromising his Mailchimp account. The analysis reveals connections to the Scattered Spider group through domain pivoting. Using Validin's DNS, host response, and registration data, dozens of related domain names were uncovered. The investigation exposed a fake Cloudflare turnstile and bogus registration details. Pivoting on various features led to the discovery of multiple related domains and IP addresses. The attack's tactics strongly resemble those of Scattered Spider, including the reuse of previously used domains. The findings demonstrate the power of Validin's databases for uncovering adversary infrastructure and strengthening threat intelligence.
Pulse ID: 67e848f9c64772d54fd7164b
Pulse Link: https://otx.alienvault.com/pulse/67e848f9c64772d54fd7164b
Pulse Author: AlienVault
Created: 2025-03-29 19:24:41
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
@DoctorBrodsky @woe2you @miah given #Quad9 bowed before the #Contentmafia and censored #DNS requests, I'll continue to recommend using #OpenNIC's Servers instead
94.103.153.176 & 2a02:990:219:1:ba:1337:cafe:3
as well as 144.76.103.143 & 2a01:4f8:192:43a5::2
I merely retain quad9 on said list for archival purposes. I Yeeted #CloudFlare aka. #ClownFlare since they are a #RogueISP!
A fascist movement is trying to take control of the New Zealand equivalent of #AFNIC: https://www.feijoadispatch.nz/p/free-speech-union-plans-hostile-takeover
2,600 people have recently taken out memberships (whereas until recently there were only 400 members), with the aim of taking control of the organisation, in order to fight a change to its constitution that would signal a commitment to combating racism, among other things…
Set #IPv6 #DNS records for my #cloud #kubernetes ingress seconds before this happened. Hooking stuff up to the public internet is pretty wild
#Phishing-as-a-service operation uses DNS-over-HTTPS for evasion
Malicious actors have taken notice of news about the US Social Security System. We've seen multiple spam campaigns that attempt to phish users or lure them to download malware.
Emails with subjects like "Social Security Administrator.", "Social Security Statement", and "ensure the accuracy of your earnings record" contain malicious links and attachments.
One example contained a disguised URL that redirected to user2ilogon[.]es in order to download the trojan file named SsaViewer1.7.exe.
Actors using social security lures are connected to malicious campaigns targeting major brands through their DNS records.
Block these:
user2ilogon[.]es
viewer-ssa-gov[.]es
wellsffrago[.]com
nf-prime[.]com
deilvery-us[.]com
wllesfrarqo-home[.]com
nahud[.]com
#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #malware #scam #ssa
DNS MX Records used to create Fake Logins for 100+ Brands
Hackers have used DNS MX records to create phishing pages that mimic the login pages of over 100 brands.
Pulse ID: 67e7f17048cfce198f615d3e
Pulse Link: https://otx.alienvault.com/pulse/67e7f17048cfce198f615d3e
Pulse Author: cryptocti
Created: 2025-03-29 13:11:12
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
How to prevent Payment Pointer fraud
https://shkspr.mobi/blog/2025/03/how-to-prevent-payment-pointer-fraud/
There's a new Web Standard in town! Meet WebMonetization - it aims to be a low effort way to help users passively pay website owners.
The pitch is simple. A website owner places a single new line in their HTML's <head> - something like this:
<link rel="monetization" href="https://wallet.example.com/edent" />
That address is a "Payment Pointer". As a user browses the web, their browser takes note of all the sites they've visited. At the end of the month, the funds in the user's digital wallet are split proportionally between the sites which have enabled WebMonetization. The user's budget is under their control and there are various technical measures to stop websites hijacking funds.
This could be revolutionary.[0]
But there are some interesting fraud angles to consider. Let me give you a couple of examples.
Pointer Hijacking
Suppose I hacked into a popular site like BBC.co.uk and surreptitiously included my link in their HTML. Even if I was successful for just a few minutes, I could syphon off a significant amount of money.
At the moment, the WebMonetization plugin only looks at the page's HTML to find payment pointers. There's no way to say "This site doesn't use WebMonetization" or an out-of-band way to signal which Payment Pointer is correct. Obviously there are lots of ways to profit from hacking a website - but most of them are ostentatious or require the user to interact. This is subtle and silent.
How long would it take you to notice that a single meta element had snuck into some complex markup? When you discover it, what can you do? Money sent to that wallet can be transferred out in an instant. You might be able to get the wallet provider to freeze the funds or suspend the account, but that may not get you any money back.
Similarly, a Web Extension like Honey could re-write the page's source code to remove or change an existing payment pointer.
Possible Solutions
Perhaps the username associated with a Payment Pointer should be that of the website it uses? something like href="https://wallet.example.com/shkspr.mobi"
That's superficially attractive, but comes with issues. I might have several domains - do I want to create a pointer for each of them?
There's also a legitimate use-case for having my pointer on someone else's site. Suppose I write a guest article for someone - their website might contain:
<link rel="monetization" href="https://wallet.example.com/edent" />
<link rel="monetization" href="https://wallet.coin_base.biz/BigSite" />
Which would allow us to split the revenue.
Similarly, a site like GitHub might let me use my Payment Pointer when people are visiting my specific page.
So, perhaps site owners should add a .well-known directive which lists acceptable Pointers? Well, if I have the ability to add arbitrary HTML to a site, I might also be able to upload files. So it isn't particularly robust protection.
Alright, what are other ways typically used to prove the legitimacy of data? DNS maybe? As the popular meme goes:
@atax1a@infosec.exchange (20:49 - Sun 23 March 2025): @jwz @grumpybozo just one more public key in a TXT record, that'll fix email, just gotta add one more TXT record bro
Someone with the ability to publish on a website is less likely to have access to DNS records. So having (yet another) DNS record could provide some protection. But DNS is tricky to get right, annoying to update, and a pain to repeatedly configure if you're constantly adding and removing legitimate users.
Reputation Hijacking
Suppose the propaganda experts in The People's Republic of Blefuscu decide to launch a fake site for your favourite political cause. It contains all sorts of horrible lies about a political candidate and tarnishes the reputation of something you hold dear. The sneaky tricksters put in a Payment Pointer which is the same as the legitimate site.
"This must be an official site," people say. "Look! It even funnels money to the same wallet as the other official sites!"
There's no way to disclaim money sent to you. Perhaps a political opponent operates an illegal Bonsai Kitten farm - but puts your Payment Pointer on it.
"I don't squash kittens into jars!" You cry as they drag you away. The police are unconvinced "Then why are you profiting from it?"
Possible Solutions
A wallet provider needs to be able to list which sites are your sites.
You log in to your wallet provider and fill in a list of websites you want your Payment Pointer to work on. Add your blog, your recipe site, your homemade video forum etc. When a user browses a website, they see the Payment Pointer and ask it for a list of valid sites. If "BonsaiKitten.biz" isn't on there, no payment is sent.
Much like OAuth, there is an administrative hassle to this. You may need to regularly update the sites you use, and hope that your forgetfulness doesn't cost you in lost income.
Final Thoughts
I'm moderately excited about WebMonetization. If it lives up to its promises, it could unleash a new wave of sustainable creativity across the web. If it is easier to make micropayments or donations to sites you like, without being subject to the invasive tracking of adverts, that would be brilliant.
The problems I've identified above are (I hope) minor. Someone sending you money without your consent may be concerning, but there's not much of an economic incentive to enrich your foes.
Think I'm wrong? Reckon you've found another fraudulent avenue? Want to argue about whether this is a likely problem? Stick a comment in the box.
[0] To be fair, Coil tried this in 2020 and it didn't take off. But the new standard has a lot less cryptocurrency bollocks, so maybe it'll work this time?
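An added example, not code from the post above or from the WebMonetization project: it models the defence the post's second "Possible Solutions" section proposes, where the wallet provider publishes which sites a Payment Pointer may appear on and a client only pays a pointer if the page it found it on is in that list. The page HTML, the wallet allowlists, the hostnames and the "mallory" pointer are constructed fixtures; real wallet providers expose no such list today, so the lookup is a stand-in.

```javascript
// Added example (constructed fixtures throughout): extract Payment Pointers
// from a page and accept only those whose wallet-side site list names the
// host the page was actually loaded from. This blocks both pointer hijacking
// (an injected pointer is not registered for the victim site) and reputation
// hijacking (the victim's pointer is not registered for the impostor site).

const LINK_TAG_RE = /<link\b[^>]*>/gi;

// Pull every href from <link rel="monetization">; rel may carry several tokens.
function extractPaymentPointers(html) {
  const pointers = [];
  for (const tag of html.match(LINK_TAG_RE) || []) {
    const rel = /\brel\s*=\s*["']([^"']*)["']/i.exec(tag);
    const href = /\bhref\s*=\s*["']([^"']*)["']/i.exec(tag);
    if (!rel || !href) continue;
    if (rel[1].toLowerCase().split(/\s+/).includes("monetization")) {
      pointers.push(href[1].trim());
    }
  }
  return pointers;
}

// Constructed fixture standing in for a query to the wallet provider that
// returns the sites the pointer's owner has registered (an assumed API).
const WALLET_SITE_LISTS = {
  "https://wallet.example.com/edent": ["shkspr.mobi", "edent.tel"],
  "https://wallet.example.com/mallory": ["mallory.example"],
};

function allowedSitesFor(pointer) {
  return WALLET_SITE_LISTS[pointer] || [];
}

// Decide which pointers on a page are payable. pageHost must be the host the
// browser loaded the page from, never anything the page itself claims.
function selectPayablePointers(pageHost, html, lookup = allowedSitesFor) {
  const accepted = [];
  const rejected = [];
  for (const pointer of extractPaymentPointers(html)) {
    let url;
    try {
      url = new URL(pointer);
    } catch {
      rejected.push({ pointer, reason: "not a URL" });
      continue;
    }
    if (url.protocol !== "https:") {
      rejected.push({ pointer, reason: "not https" });
      continue;
    }
    const sites = lookup(pointer).map((s) => s.toLowerCase());
    if (sites.includes(pageHost.toLowerCase())) {
      accepted.push(pointer);
    } else {
      rejected.push({ pointer, reason: `not registered for ${pageHost}` });
    }
  }
  return { accepted, rejected };
}

// Constructed page: the owner's legitimate pointer plus one an attacker
// slipped into the markup (the pointer-hijacking case from the post).
const SAMPLE_HTML = `<!doctype html><html><head>
<title>Blog</title>
<link rel="stylesheet" href="/s.css">
<link rel="monetization" href="https://wallet.example.com/edent" />
<link rel='monetization' href='https://wallet.example.com/mallory'>
</head><body>hello</body></html>`;

// Usage: on shkspr.mobi only the edent pointer is paid; on an impostor host
// such as bonsaikitten.biz nothing is paid at all.
console.log(selectPayablePointers("shkspr.mobi", SAMPLE_HTML));
console.log(selectPayablePointers("bonsaikitten.biz", SAMPLE_HTML));
```

The check keys on the loaded host rather than on anything in the page, which is the point: an attacker who can inject HTML controls the page, but not the wallet provider's record of where the victim's pointer belongs.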
blog! “How to prevent Payment Pointer fraud”
There's a new Web Standard in town! Meet WebMonetization - it aims to be a low effort way to help users passively pay website owners.
The pitch is simple. A website owner places a single new line in their HTML's <head> - something like this:
<link rel="monetization"…
Read more: https://shkspr.mobi/blog/2025/03/how-to-prevent-payment-pointer-fraud/
⸻
#CyberSecurity #dns #HTML #standards #WebMonitization
I just glanced at something called a "Nintendo DS emulator", and I've understood it.
They have no DNSKEY, you see, so they have to emulate the DS.
New Morphing Meerkat Phishing Kit Exploits DNS to Spoof 100+ Brands – Source:hackread.com https://ciso2ciso.com/new-morphing-meerkat-phishing-kit-exploits-dns-to-spoof-100-brands-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #MorphingMeerkat #cybersecurity #Brandjacking #PhishingScam #CyberAttack #PhishingKit #Hackread #Phishing #security #DNS
Our latest newsletter is out, get it while it's hot!
https://opalsec.io/daily-news-update-friday-march-28-2025-australia-melbourne-2/
Key stories:
Oracle's under fire: A breach at Oracle Health compromised patient data, with Oracle allegedly shifting responsibility to hospitals and avoiding documentation. This follows hot on the heels of denial regarding an alleged Oracle Cloud breach, raising serious questions about their security culture.
Clop's back in the headlines: Sam's Club - a Walmart subsidiary - is investigating claims of a Clop ransomware attack, potentially linked to the Cleo file transfer vulnerability that has already hit other organizations hard.
Don't miss this bizarre twist: Cable operator WideOpenWest (WOW!) is dealing with a breach claimed by Arkana Group, who are publicizing the stolen data (usernames, passwords, etc.) with a… Russian music video. The alleged attack vector? Infostealer malware.
Get up to speed with these stories and more: https://opalsec.io/daily-news-update-friday-march-28-2025-australia-melbourne-2/
If you'd like to get the latest Cyber Security news wrapped up and delivered to your inbox every day, subscribe to our newsletter here!
https://opalsec.io/daily-news-update-friday-march-28-2025-australia-melbourne-2/#/portal/signup
howdy, #hachyderm!
over the last week or so, we've been preparing to move hachy's #DNS zones from #AWS route 53 to bunny DNS.
since this could be a pretty scary thing -- going from one geo-DNS provider to another -- we want to make sure *before* we move that records are resolving in a reasonable way across the globe.
to help us do this, we've started a small, lightweight tool that we can deploy to a provider like bunny's magic containers to quickly get DNS resolution info from multiple geographic regions. we then write this data to a backend S3 bucket, at which point we can use a tool like #duckdb to analyze the results and find records we need to tweak to improve performance. all *before* we make the change.
then, after we've flipped the switch and while DNS is propagating -- we can watch in real-time as different servers begin flipping over to the new provider.
we named the tool hachyboop and it's available publicly --> https://github.com/hachyderm/hachyboop
please keep in mind that it's early in the booper's life, and there's a lot we can do, including cleaning up my hacky code.
attached is an example of a quick run across 17 regions for a few minutes. the data is spread across multiple files but duckdb makes it quite easy for us to query everything like it's one table.
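An added example, not hachyboop's own code: the two analyses the post describes, run over per-region DNS observations of the kind a multi-region probe would write out. Before the move it lists records that resolve differently across regions; during the move it reports which regions have fully switched to the new provider. The observations, the addresses (RFC 5737 and RFC 3849 documentation ranges) and the NS hostnames are constructed fixtures, and attributing an answer to a provider by the authoritative NS name it came from is an assumption about how the probe records its results.

```javascript
// Added example (constructed fixtures): one row per (region, name, type)
// lookup. `ns` is the authoritative nameserver the lookup was served by,
// which is how answers get attributed to the old or new provider here.
const OBSERVATIONS = [
  { region: "us-east",  name: "hachyderm.io", type: "A",    answers: ["203.0.113.10"], ns: "ns1.oldprovider.example" },
  { region: "us-east",  name: "hachyderm.io", type: "AAAA", answers: ["2001:db8::10"], ns: "ns1.oldprovider.example" },
  { region: "eu-west",  name: "hachyderm.io", type: "A",    answers: ["203.0.113.20"], ns: "ns2.oldprovider.example" },
  { region: "eu-west",  name: "hachyderm.io", type: "AAAA", answers: ["2001:db8::10"], ns: "ns2.oldprovider.example" },
  { region: "ap-south", name: "hachyderm.io", type: "A",    answers: ["203.0.113.10"], ns: "ns1.newprovider.example" },
  { region: "ap-south", name: "hachyderm.io", type: "AAAA", answers: ["2001:db8::10"], ns: "ns1.newprovider.example" },
];

// Canonical form of an answer set, so round-robin ordering differences
// between resolvers do not register as divergence.
function answerKey(answers) {
  return [...answers].map((a) => a.toLowerCase()).sort().join(",");
}

// Group by record, then by distinct answer set, keeping only records that
// resolve differently somewhere. Intended geo-steering and an unintended
// stale answer both surface here; telling them apart is the operator's call.
function divergentRecords(observations) {
  const byRecord = new Map();
  for (const o of observations) {
    const record = `${o.name}/${o.type}`;
    if (!byRecord.has(record)) byRecord.set(record, new Map());
    const variants = byRecord.get(record);
    const key = answerKey(o.answers);
    if (!variants.has(key)) variants.set(key, []);
    variants.get(key).push(o.region);
  }
  const out = [];
  for (const [record, variants] of byRecord) {
    if (variants.size < 2) continue;
    out.push({
      record,
      variants: [...variants].map(([answers, regions]) => ({ answers, regions })),
    });
  }
  return out;
}

// During cut-over: a region counts as switched only when every lookup from
// it was served by the new provider, so a half-moved region reads as pending.
function migrationProgress(observations, isNewProvider) {
  const perRegion = new Map();
  for (const o of observations) {
    const soFar = perRegion.has(o.region) ? perRegion.get(o.region) : true;
    perRegion.set(o.region, soFar && isNewProvider(o.ns));
  }
  const switched = [];
  const pending = [];
  for (const [region, done] of perRegion) (done ? switched : pending).push(region);
  return { switched, pending, fraction: switched.length / perRegion.size };
}

// Assumed naming of the new provider's nameservers (placeholder, not bunny's).
const isNewProvider = (ns) => ns.endsWith(".newprovider.example");

// Usage: pre-move divergence report, then cut-over progress.
console.log(JSON.stringify(divergentRecords(OBSERVATIONS), null, 2));
console.log(migrationProgress(OBSERVATIONS, isNewProvider));
```

With the fixture above the A record shows two variants (eu-west gets a different address, which is what geo-DNS is supposed to do), the AAAA record is consistent everywhere, and one of three regions has moved to the new provider. The same grouping is what a DuckDB `GROUP BY name, type, answers` over the probe's output would give you.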