ICANN85 Mumbai Community Forum | ICANN Public Meetings


📱Smishing Slows, Quishing Quickens 🎣

Sick of smishing and those pesky parking/toll texts? Don’t get caught by crafty, counterfeit court QR codes — it’s a scan-and-scam! 💳 🚨

North American cell phone users are being hit with yet another wave of smishing campaigns that now include quishing elements. Likely orchestrated by Chinese-speaking threat actors, this latest campaign builds on previous vehicular violations, evolving tactics while impersonating US courts. 🧑‍⚖️

We’ve recently seen a flurry of SMS messages pushing parking violations — but with a twist: face justice in court… or scan and pay instead!

Delivered as an official-looking image, the actor has begun integrating QR codes into these lures to help mask suspicious phishing URLs, baiting victims into entering personal information, credentials, and ultimately making payments.

For some, this lure may sound better than facing justice for their perceived poor parking. Victims who don't comply are warned that failure to appear or pay could have serious repercussions - a scare tactic designed to push you toward a hasty decision and scanning the QR code! 🫣

We uncovered thousands of these nefarious domains, through their use of Registered Domain Generation Algorithms (RDGAs) and local government impersonation, hosted across a diverse range of hosting providers to evade takedown.

Recent examples:
⛔ ahfgx[.]icu
⛔ euoyq[.]icu
⛔ htpze[.]icu
⛔ mwlaj[.]icu

Friendly reminder - courts don't usually communicate with you via text. That said, we suspect this actor will continue to evolve, expanding their global reach and diversifying lures while improving tradecraft used in smishing and quishing delivery. As for us, we'll take our chances on evading that bench warrant and running from the law. 🏃‍♂️‍➡️

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #phishing #smishing #quishing

China-nexus Threat Actor Targets Persian Gulf Region With PlugX

A China-nexus threat actor targeted countries in the Persian Gulf region using a multi-stage attack chain to deploy a PlugX backdoor variant. The campaign exploited the renewed Middle East conflict, using an Arabic-language document lure depicting missile attacks. The attack utilized a ZIP archive containing a malicious Windows shortcut file, which downloaded a CHM file leading to the deployment of PlugX. The malware employed various obfuscation techniques, including control flow flattening and mixed boolean arithmetic. The PlugX variant supported HTTPS for command-and-control communication and DNS-over-HTTPS for domain resolution. Based on the tools and tactics used, the activity is attributed to a China-nexus actor, possibly linked to Mustang Panda.

Pulse ID: 69b7dacde783e4b5dec19bde
Pulse Link: https://otx.alienvault.com/pulse/69b7dacde783e4b5dec19bde
Pulse Author: AlienVault
Created: 2026-03-16 10:26:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Arabic #BackDoor #China #CyberSecurity #DNS #HTTP #HTTPS #ICS #InfoSec #Malware #MiddleEast #OTX #OpenThreatExchange #PlugX #Windows #ZIP #bot #AlienVault

LevelBlue - Open Threat Exchange


https://knockdns.com/

#dns
#dynamicdns
#knockdns

Strange little minimal dynamic DNS system I stumbled upon.

KNOCKDNS - NO KNOCK EDITION

@bortzmeyer these guys are going a long way to put a positive spin on censorship:

Not only have renowned DNS service providers adopted this defense, but some countries have also launched national-scale deployments.

At least they’re honest when it comes to breaking DNSSEC:

Protective DNS rewrites data in the DNS responses and breaks their data integrity by design.

#dns #censorship #surveillance #DNSSEC

In-zone response for the NS records points to Akamai:
```
$ dig +short ns sbi.bank.in
a5-66.akam.net.
a3-66.akam.net.
a1-148.akam.net.
a16-64.akam.net.
a20-64.akam.net.
a22-65.akam.net.
```
Which seem OK. Name resolution seems to be working still. Maybe I'm missing something.

#DNS #SBI

2/2

Authoritative name servers for sbi.bank.in in parent zone are:
```
sbi.bank.in. 900 IN NS a1-148.sbi.bank.in.
sbi.bank.in. 900 IN NS a16-64.sbi.bank.in.
sbi.bank.in. 900 IN NS a20-64.sbi.bank.in.
sbi.bank.in. 900 IN NS a22-65.sbi.bank.in.
```
None of which resolves.

1/n

#DNS #SBI
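An added check, not the thread author's code, that takes the two NS sets quoted in this thread and classifies the delegation (set mismatch, in-bailiwick names needing glue, unresolvable servers); the address lookup is a constructed stand-in so it runs offline:

```python
# Added example (not the thread author's code): compare the parent-zone
# delegation with the in-zone NS answer and flag the problems the thread saw.
# Record sets are copied from the thread; resolve_a is a constructed stand-in.
ZONE = "sbi.bank.in."
# Parent-zone (bank.in) delegation, as quoted in the thread.
PARENT_NS_RRSET = """\
sbi.bank.in. 900 IN NS a1-148.sbi.bank.in.
sbi.bank.in. 900 IN NS a16-64.sbi.bank.in.
sbi.bank.in. 900 IN NS a20-64.sbi.bank.in.
sbi.bank.in. 900 IN NS a22-65.sbi.bank.in.
"""
# In-zone answer (`dig +short ns sbi.bank.in`), as quoted in the thread.
CHILD_NS_SHORT = """\
a5-66.akam.net.
a3-66.akam.net.
a1-148.akam.net.
a16-64.akam.net.
a20-64.akam.net.
a22-65.akam.net.
"""
# Constructed resolver stand-in: akam.net hosts get documentation-range
# addresses; the in-bailiwick names return nothing, as the thread observed.
FAKE_A = {n: [f"192.0.2.{i}"] for i, n in enumerate(CHILD_NS_SHORT.split(), 1)}

def parse_ns(text):
    """NS target names from either `dig +short` or full RRset output."""
    return {ln.split()[-1].lower() for ln in text.splitlines() if ln.strip()}

def resolve_a(name):
    """A-lookup stand-in; swap in a real resolver (e.g. dnspython) for a live zone."""
    return FAKE_A.get(name.lower(), [])

def check_delegation(zone, parent_text, child_text, resolve=resolve_a):
    """Classify as 'ok', 'mismatch' (sets differ) or 'lame' (no parent NS reachable)."""
    parent, child = parse_ns(parent_text), parse_ns(child_text)
    # NS names under the delegated zone itself need glue A/AAAA in the parent;
    # without it, resolving them depends on the very zone being delegated.
    in_bailiwick = {n for n in parent if n.endswith("." + zone)}
    dead = {n for n in parent if not resolve(n)}
    status = "mismatch" if parent != child else "ok"
    if dead == parent:  # no server the parent points at can be reached
        status = "lame"
    return {"status": status, "parent_only": parent - child,
            "child_only": child - parent, "needs_glue": in_bailiwick,
            "unresolvable": dead}

if __name__ == "__main__":
    for k, v in check_delegation(ZONE, PARENT_NS_RRSET, CHILD_NS_SHORT).items():
        print(f"{k}: {sorted(v) if isinstance(v, set) else v}")
```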

https://datatracker.ietf.org/doc/draft-liu-dnsop-protective-dns/ : "Protective" #DNS resolvers (also called lying resolvers or, more politically correct, "policy-aware resolvers"). Everybody disagrees and wants to kill the draft.

#IETF125

Considerations for Protective DNS Server Operators

Protective DNS is a defense mechanism deployed on recursive resolvers to prevent users from accessing malicious domains. For domain names in the blocklist, it rewrites DNS resolution responses to point to secure destinations (e.g., safe servers) to prevent users from accessing malicious entities. Owing to its effective defenses against common cyber attack behaviors—such as command-and-control (C2) communications of malware—Protective DNS deployment has surged via various initiatives. Not only have renowned DNS service providers adopted this defense, but some countries have also launched national-scale deployments. Meanwhile, studies analyzing Protective DNS have identified implementation diversity. Thus, this document aims to provide specific operational and security considerations for Protective DNS. It is intended primarily for entities seeking to deploy Protective DNS for defensive purposes, offering deployment and security considerations.

IETF Datatracker

dnsop working group at #IETF125, for all those who love #DNS.

(In another room at Shenzhen, the RFC editor is busy publishing new RFCs.)

Good morning, Shenzhen! This is the third day of #IETF125 https://www.ietf.org/meeting/125/ We are preparing the future Internet technical standards.

Today, for me, dnsop (#DNS stuff), aipref (preferences for AI crawlers) and rpp (domain registration protocol).

IETF 125 Shenzhen

Information about the IETF 125 Shenzhen meeting on 14-20 March 2026.
