Good practices with DNS records

DNS security is important and there’s a lot of information available talking about how to secure your DNS infrastructure. There are fewer articles talking about how to protect your reputation and domains from abuse by deploying DNS records. As I generate a report talking about the deployment of DNS security records, it seems only fair to talk about those records and how they should be deployed. Which records you need and how they should be deployed depends on how you are using your domain and what other services you are running. One thing to keep in mind with these records is that their primary function is to make it harder for the bad guys to impersonate you, protecting your reputation and the people you communicate with. The foundation of any DNS-based security measure is to ensure that your DNS is secure, so pick a good registrar and DNS provider… Continue reading

The state of DNS security records 2020

Not quite the third year running, but a third edition at least. This year’s state of DNS security records survey has seen a few changes – so is a bit of a transition report. I’ve dropped all of my self-generated lists, except for DoH providers, in favour of more robust lists. I’ve also got a new generation of my domain quality tool in the works. This report was produced using the new version of the tool as it produces more reliable results, captures more data and is a tad more efficient, allowing me to increase my sample size. TLDR: Summary The adoption rates of security-related records provisioned continue to stagnate, though I suspect the drops from 2017 may be artefacts of improved methodology and larger sample size. Comparing just to last year, any gains made are marginal at best. Despite all the attention DNS security has got this… Continue reading

The state of DNS security records 2019

Record type occurrence

My recent search for DNS hosting reminded me that it’s been a while since my first state of DNS report. I had meant to do it every year so this is a bit late; I should probably set myself a reminder. At this point let’s just say I missed 2018 and this is the 2019 report and I’ll try to remember for 2020. TLDR: Summary The deployment of security records in DNS has got slightly worse. The average score (out of 10) based on deployment of CAA, DKIM, DMARC, DNSSEC and SPF was 2.48 in 2017; the same records checked today averaged 2.15, with this year’s data set averaging 2.42. Two data sets were used this year, the 2017 lists and updated lists taken from the same sources. Usage of IPv6, SPF and DMARC have seen significant decreases across both sets of data, offset only slightly by the… Continue reading

SPF, DKIM & DMARC – A triple band aid

Following on from my previous article, and because I’ve got to write this anyway, I thought I’d take a look at the roles of SPF, DKIM and DMARC for people who don’t really need to know the technicalities. There are many articles out there that cover the technical workings of SPF, DKIM and DMARC and some looking at them all together. Hopefully I’m not going to cover the same ground as those too much. Hopefully though this will provide a reasonable overview of what these records are trying to achieve and how they work together. Firstly, the problem all of these things are trying to solve is that e-mail is insecure and easily abused. This is in part because it was designed in an earlier, more trusting time and in part because it is designed to allow anyone to reach out and contact anyone else. Much like telephones if… Continue reading