Newbie Questions: How-to monitor/control unauthorized uses of our IPs and DNS zones?

Pirawat WATANAPONGSE pirawat.w at ku.th
Thu Aug 19 14:05:56 UTC 2021


Dear Gurus,


Background Information Part:
We rent an IP Address Block and a DNS zone.
[We have to pay the annual fees, so they are renting, yes? :-) ]

We run our own DNS authoritative server, with DNSSEC on.

We register our IP block on both IRR and ROA, and monitor them both for
‘poisoning records’.

Authority over DNS records, ROAs, and the BGP table is with us, but authority
over the Web Servers is (naturally) not.

Question Part:
1. How (or where) can I monitor/control such that no one can ‘map’ my IP
addresses to external FQDNs [hijacking my IPs] without me knowing about it?
1.1. My understanding is that, as long as I control the authoritative
(DNSSEC) server and people out there validate the DNS responses, hijacking
my IPs outright for use somewhere else is (theoretically) impossible, yes?
[leaving out Route Hijacking for now]

2. But, web admins can still essentially ‘rent out’ part or all of my
websites by hosting ‘foreign’ pages/code and allowing in ‘external
redirection’ from outside (to use my hardware! my IPs!) anyway, yes?

3. How (or where) can I monitor/control such that no one can ‘map’ FQDNs
from within my DNS zone to external IP addresses [hijacking my hostnames]
without me knowing about it?
3.1. My understanding is that, web admins can write all sorts of ‘redirect’
in such a way that parts or even my whole websites can be ‘hosted’ on
external IPs/hardware, yes?

4. Does that mean I need a big Web Application Firewall (WAF) or something
worse to monitor/control those above scenarios?

The thing is, no one should be able to use organization resources [IPs,
FQDNs, and Web Services, for a start] for his/her own purpose without
asking permission.


Thanks in advance for any pointers,

-- 
Pirawat.
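One defender-side check for question 3 (hostnames in the zone being pointed at external addresses), added here as an example and not part of the original post or any reply: it walks a BIND-style zone export and flags every A/AAAA record whose address is outside the organization's own prefixes and every CNAME whose target lies outside the zone. The zone text, the origin `example.edu.` and the prefixes are constructed sample values; in practice the zone would come from the authoritative server (zone file or AXFR) and the prefix list from the organization's ROAs/IRR objects.

```python
import ipaddress
import re

# Constructed sample: prefixes the organization actually holds (as in its ROAs/IRR).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]
ZONE_ORIGIN = "example.edu."

# Constructed sample zone in BIND syntax: two address records leave our
# address space and one CNAME hands a hostname to an external site.
SAMPLE_ZONE = """\
www      IN A     203.0.113.10
mail     IN AAAA  2001:db8:1::25
shop     IN A     198.51.100.7
docs     IN CNAME docs.external-host.example.
cdn      IN AAAA  2001:db8:2::1
intranet IN CNAME www
"""

# owner [ttl] IN type rdata; other record types are not part of this audit.
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|AAAA|CNAME)\s+(\S+)", re.I)

def fqdn(name, origin=ZONE_ORIGIN):
    """Expand a relative owner or target name to an absolute name under origin."""
    return name if name.endswith(".") else f"{name}.{origin}"

def is_ours(addr):
    """True when addr falls inside one of the organization's own prefixes."""
    return any(ipaddress.ip_address(addr) in net for net in OUR_PREFIXES)

def audit_zone(zone_text, origin=ZONE_ORIGIN):
    """Return (owner, rtype, target) for each record that points outside our
    address space (A/AAAA) or outside the zone itself (CNAME)."""
    findings = []
    for line in zone_text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue
        owner, rtype, target = m.group(1), m.group(2).upper(), m.group(3)
        if rtype in ("A", "AAAA") and not is_ours(target):
            findings.append((fqdn(owner, origin), rtype, target))
        elif rtype == "CNAME":
            t = fqdn(target, origin)
            if t != origin and not t.endswith("." + origin):
                findings.append((fqdn(owner, origin), rtype, t))
    return findings

if __name__ == "__main__":
    for owner, rtype, target in audit_zone(SAMPLE_ZONE):
        print(f"ALERT {owner} {rtype} -> {target}")
```

Run against a fresh export after every zone change (or on a schedule), and diff the findings against the previous run so only new outward-pointing records raise an alert.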