Listen to this Post

Introduction:
A year after a catastrophic cyber incident wiped billions from Marks & Spencer’s valuation, core TLS, DNS, and DNSSEC vulnerabilities remain unpatched—despite clear warnings to the UK’s National Cyber Security Centre (NCSC) and CrowdStrike. This systemic failure exposes every organisation to downgrade attacks, DNS spoofing, and interception of sensitive data, proving that even elite IR teams can neglect foundational security controls.
Learning Objectives:
- Identify and test critical DNS/DNSSEC misconfigurations using native Linux and Windows tools.
- Enforce HTTP Strict Transport Security (HSTS) and DNSSEC to prevent TLS bypass and domain hijacking.
- Audit organisational accountability gaps and implement continuous monitoring for DNS-layer threats.
You Should Know:
1. Understanding the DNS/DNSSEC Configuration Gap
DNS translates domain names to IP addresses, but without DNSSEC, responses can be forged. DNSSEC adds cryptographic signatures to verify authenticity. The post reveals that Marks & Spencer (M&S) and even the NCSC fail to enforce proper DNSSEC, leaving them vulnerable to cache poisoning and man-in-the-middle attacks.
Step‑by‑step guide to check DNSSEC validation:
- Linux: `dig +dnssec marksandspencer.com` – Look for `ad` (authenticated data) flag in the answer section. If missing, DNSSEC is not validated.
- Windows: `nslookup -type=NS marksandspencer.com` then use `resolver` – but better to install `dig` via WSL or use `Resolve-DnsName -Type ANY -DnssecOk $true` in PowerShell.
- Verify DNSKEY records: `dig DNSKEY marksandspencer.com +multiline`
– If no RRSIG records returned, the zone is unsigned.
2. HSTS Downgrade Attacks and TLS Bypass
HSTS forces browsers to connect only via HTTPS. When a domain lacks HSTS (as M&S still does, according to the post), attackers can strip HTTPS links to HTTP using tools like sslstrip. This exposes login cookies, payment data, and session tokens.
Step‑by‑step exploitation simulation (authorised lab only):
- Attacker on same Wi-Fi uses ARP spoofing: `arpspoof -i eth0 -t 192.168.1.10 192.168.1.1`
2. Run `sslstrip -l 8080` to downgrade HTTPS requests. - Redirect traffic with `iptables -t nat -A PREROUTING -p tcp –dport 80 -j REDIRECT –to-port 8080`
4. Victim visits `http://marksandspencer.com` (no HSTS), attacker captures plaintext credentials.
– Mitigation: Add `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` to web server config.
– Check HSTS: `curl -I https://marksandspencer.com | grep -i strict` – empty output means vulnerable.
- Testing Your Own Domain’s DNS Security (Commands for Auditors)
Use these commands to replicate the discovery that exposed M&S’s weaknesses.
Linux (dig, host, drill):
- Enumerate all DNS records: `dig ANY marksandspencer.com +noall +answer`
– Check for DNS zone transfer (rare but catastrophic): `dig axfr @ns1.marksandspencer.com marksandspencer.com`
– Test resolver DNSSEC validation: `delv marksandspencer.com A +dnssec` – if status is `NOERROR` but no `ad` flag, validation fails. - Use `dnssec-verify` (from bind9 tools) on a zone file: `dnssec-verify -o marksandspencer.com zone.file`
Windows PowerShell:
Resolve-DnsName -Name marksandspencer.com -Type A -DnssecOk Resolve-DnsName -Name marksandspencer.com -Type DNSKEY Install DNSSEC validation module Install-WindowsFeature -Name DNSServer Get-DnsServerZone -Name marksandspencer.com | Format-List ZoneName, IsDsIntegrated, IsDnssecEnabled
4. Enforcing DNSSEC and HSTS: Step‑by‑Step Hardening
Organisations like CrowdStrike secured their own TLD after warnings but left M&S exposed. Here’s how to avoid that hypocrisy.
DNSSEC signing for a domain (using BIND on Linux):
1. Generate keys: `dnssec-keygen -a ECDSAP256SHA256 -b 256 -n ZONE marksandspencer.com`
2. Sign the zone: `dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -d ‘ ‘ -f1) -N INCREMENT -o marksandspencer.com -t db.marksandspencer.com`
3. Add DS record to parent zone (submit to registrar).
4. Test with `dig +dnssec marksandspencer.com A` – ensure `ad` flag appears.
HSTS enforcement on Apache/Nginx:
- Apache: `Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload”`
– Nginx: `add_header Strict-Transport-Security “max-age=31536000; includeSubDomains; preload” always;`
– Submit domain to hstspreload.org after testing.
5. CrowdStrike’s Double Standard and NCSC’s Failure
The post notes that CrowdStrike remediated its own TLD in 2023 but not M&S. This reveals a governance gap: security vendors prioritise self-preservation over client protection.
Step‑by‑step audit for third‑party risk:
- Request your MSSP’s own DNS security reports. Use `dig +short txt crowdstrike.com | grep spf` to check email security, but deeper: `dnsrecon -d crowdstrike.com -t axfr,dnssig`
– Enforce contractual clauses requiring DNSSEC and HSTS for all vendors. - Run continuous monitoring with `nmap –script dns-nsec3-enum –script-args dns-nsec3-enum.domains=target.com` to detect missing NSEC3 records.
6. Automated Monitoring for DNS Vulnerabilities
Manual checks fail at scale. Set up cron jobs or CI pipelines to alert on regressions.
Linux monitoring script (place in /etc/cron.d/dns-check):
!/bin/bash DOMAIN="marksandspencer.com" if ! dig +short +dnssec $DOMAIN | grep -q "RRSIG"; then echo "DNSSEC missing for $DOMAIN" | mail -s "DNS Alert" [email protected] fi if ! curl -sI https://$DOMAIN | grep -qi "Strict-Transport-Security"; then echo "HSTS missing" | mail -s "TLS Alert" [email protected] fi
Windows Task Scheduler + PowerShell:
$result = Resolve-DnsName -Name marksandspencer.com -Type A -DnssecOk
if (-not $result.DnssecStatus -eq 'Secure') { Send-MailMessage ... }
7. Incident Response and Recovery from DNS‑Based Attacks
If an attacker exploits missing DNSSEC/HSTS, use this IR playbook.
Containment:
- Flush local DNS cache: Linux `sudo systemd-resolve –flush-caches` ; Windows `ipconfig /flushdns`
– Override malicious records via hosts file: Linux `/etc/hosts` ; Windows `C:\Windows\System32\drivers\etc\hosts`
– Force HTTPS everywhere using browser extension (temporary) or enterprise GPO.
Eradication:
- Rotate all session tokens and API keys.
- Patch nameservers: `sudo apt update && sudo apt upgrade bind9` (Linux) or install Windows DNS Server security updates.
- Implement DNS over HTTPS (DoH) on clients: `sudo nano /etc/systemd/resolved.conf` → set
DNSOverTLS=yes.
Recovery: Deploy DNSSEC and HSTS as described in Section 4. Then verify with `testssl.sh –hsts https://marksandspencer.com`.
What Undercode Say:
- Systemic accountability failure – A year post‑incident, with elite IR firms involved, basic controls like HSTS remain absent. This proves that technical fixes without governance rot are useless.
- Vendors prioritise themselves – CrowdStrike fixed its own TLD while leaving M&S vulnerable. Organisations must mandate contractual DNS security levels for all third parties.
- Defenders must automate – Manual audits miss regressions. Continuous monitoring scripts (dig, curl, PowerShell) are free and should run daily against every external domain.
The post’s damning revelation—that the same weaknesses persist after billions in losses—shows that cybersecurity is not just a technical discipline but a management one. Until boards treat missing HSTS as a material risk, attackers will keep exploiting DNS 101.
Prediction:
Within 18 months, regulators (FCA, SEC) will mandate DNSSEC and HSTS preload for all publicly traded retailers. Failure to comply will trigger automatic breach liability. Meanwhile, DNS‑based supply chain attacks will spike, targeting organisations like M&S that ignored the warnings. The only survivors will be those who today run the commands above and enforce accountability from the C‑suite down.
▶️ Related Video (74% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Andy Jenkinson – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


