PancakeSwap and CREAM Finance DNS Attack

A few hours ago CREAM Finance released a tweet warning their users NOT TO ENTER any seed phrases on their site as their DNS has been compromised.

(Image: CREAM Finance's tweet warning users)

A little over an hour later PancakeSwap tweeted as well, warning their users not to use their site. They stated that they suspected an attack similar to the one on CREAM, and followed up with a confirmation a few minutes later.

(Image: PancakeSwap's tweet warning users)


What is DNS?

DNS is perhaps one of the most important pillars of the internet. It’s the system that maps domain names to their corresponding IP addresses amongst other things. Basically the internet’s address book. When you visit google.com two things are expected to happen:

  1. You expect to see that search bar
  2. Your computer expects the IP address of the servers that are hosting google.com so that it can show you said search bar

This is where DNS comes in, to mediate between you, your computer and google.com. You want to see google.com but you don't know its IP address. Your computer wants to give you google.com but it needs to know that IP address. Finally, the servers at google.com are happy to serve anyone the contents of google.com, but they need to know which IP address to send that nice search bar to. DNS is the universal translator that lets your computer find out which IP address it needs to contact to get hold of google.com, after which it finally delivers the crisp google.com page to your browser.

From google.com's perspective, DNS holds records that help computers find the information they need to communicate with google.com. Those records point any computer searching for google.com to the correct server(s) hosting and serving the contents of google.com.


What is a DNS attack?

Simply put, it's an attack in which malicious actors manipulate the mapping between domain names and IP addresses. In the case of CREAM Finance and PancakeSwap, the attackers got hold of the companies' DNS infrastructure and changed the destination IP addresses of cream.finance and pancakeswap.finance to attacker-controlled IP addresses hosting phishing pages. So right now anyone who visits cream.finance or pancakeswap.finance is being routed to a fake version of the site and asked for their seed phrase, which should NEVER BE GIVEN TO ANYONE!


How to protect your website from DNS hijacking?

If you have a website your DNS is most likely managed through your domain’s registrar. The best way to protect your DNS from attacks is to guard access to the registrar accounts. Follow your standard operational security practices - use strong unique passwords, 2FA, VPN, check haveibeenpwned.com etc. 

Take good care of your DNS records and settings. Make sure things like zone transfers from external IP addresses are disabled. Also, make sure you have DKIM, SPF, DMARC and DNSSEC set up and properly configured. Ultimately, having an action plan is useful in the event that something goes wrong, including how you will inform users of the attack.
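One practical addition to the action plan above is a monitor that notices when your domain's records no longer point where you published them, which is exactly what happened to cream.finance and pancakeswap.finance. The following script is an added example and is not code from the original post or from either project. It takes the two domain names from the post; every IP address in it is a constructed placeholder, and the `OBSERVED_SNAPSHOT` is a made-up resolver answer in which one domain has been redirected. The `resolve_a_records()` helper uses the standard-library `socket.getaddrinfo()` so the same check can be run against live answers.

```python
"""Detect DNS hijacking by diffing the A records a resolver returns against the
records the site owner expects to be published.

Added example, not code from the original post. All IP addresses are constructed
placeholders (documentation ranges), not real addresses of either project.
"""
import socket
from dataclasses import dataclass, field

# Expected A records per domain. Constructed placeholders; a real deployment
# stores the addresses actually published in the zone.
EXPECTED_RECORDS = {
    "cream.finance": {"203.0.113.10", "203.0.113.11"},
    "pancakeswap.finance": {"203.0.113.20"},
}

# Constructed snapshot of what a resolver answered, standing in for live lookups.
# cream.finance has been redirected to an address that is not on the allowlist.
OBSERVED_SNAPSHOT = {
    "cream.finance": {"198.51.100.77"},
    "pancakeswap.finance": {"203.0.113.20"},
}


def resolve_a_records(domain: str) -> set[str]:
    """Live IPv4 lookup through the system resolver.
    Not used by the offline check below; it lets run_monitor() query real data."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # resolver failure surfaces as "all expected records missing"
    return {sockaddr[0] for _, _, _, _, sockaddr in infos}


@dataclass
class Alert:
    domain: str
    unexpected: set[str] = field(default_factory=set)  # answers not on the allowlist
    missing: set[str] = field(default_factory=set)     # published answers that vanished

    def describe(self) -> str:
        parts = []
        if self.unexpected:
            parts.append(f"unexpected answers {sorted(self.unexpected)}")
        if self.missing:
            parts.append(f"missing answers {sorted(self.missing)}")
        return f"{self.domain}: " + "; ".join(parts)


def detect_hijack(expected: dict, observed: dict) -> list[Alert]:
    """Return one Alert per domain whose observed A records differ from the
    expected set. A domain absent from `observed` is treated as an empty
    answer, so an outage is reported rather than silently ignored."""
    alerts = []
    for domain, want in expected.items():
        got = observed.get(domain, set())
        unexpected = got - want
        missing = want - got
        if unexpected or missing:
            alerts.append(Alert(domain, unexpected, missing))
    return alerts


def run_monitor(expected: dict, resolver=resolve_a_records) -> list[Alert]:
    """Look every expected domain up with `resolver` and diff the answers."""
    observed = {domain: resolver(domain) for domain in expected}
    return detect_hijack(expected, observed)


if __name__ == "__main__":
    # Offline demonstration on the constructed snapshot.
    for alert in detect_hijack(EXPECTED_RECORDS, OBSERVED_SNAPSHOT):
        print("ALERT", alert.describe())
```

Run `run_monitor(EXPECTED_RECORDS)` on a schedule from a host outside your own network, since a resolver inside it may be cached or may use split-horizon answers that never show the public hijack. An alert with unexpected answers is the signal that the incident-communication step of your action plan should start.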