Good practices with DNS records

DNS security is important and there’s a lot of information available about how to secure your DNS infrastructure. There are fewer articles about how to protect your reputation and domains from abuse by deploying DNS records. As I generate a report on the deployment of DNS security records, it seems only fair to talk about those records and how they should be deployed. Which records you need and how they should be deployed depends on how you are using your domain and what other services you are running. One thing to keep in mind with these records is that their primary function is to make it harder for the bad guys to impersonate you, protecting your reputation and the people you communicate with. The foundation of any DNS-based security measure is to ensure that your DNS itself is secure, so pick a good registrar and DNS provider…

IPv6 with Zen internet and Ubiquiti

Having recently moved over to a Ubiquiti UDM for my home router, I wanted to get my IPv6 connection back up and working. Searching for advice on how to do this, I found quite a few articles describing the trials and tribulations involved in getting things working. It turns out that with the latest firmware release getting IPv6 working is really very easy. Unfortunately, nothing in the management UI actually lets you know it’s working, so even if you have it configured correctly you’ll only be able to tell by checking whether you can reach things via IPv6. To help anyone else who was in my position, here are the really very simple instructions for configuring IPv6 on a UDM running firmware 1.8.3 with Zen Internet.

Mitigating against and observing DoH – a real world deployment

DoH data flow

Whilst there has been a lot of discussion about the impact and usage of DNS-over-HTTPS, there is so far very little data on how widely it has been adopted, let alone what the traffic looks like. By adopting a layered approach using response policy zones and an internal DNS-over-HTTPS infrastructure, it’s possible to start to get a clearer picture of DoH usage. Within a typical enterprise environment, you would expect the use of external DNS servers to already be prohibited. The use of DNS-over-HTTPS is thus no different from any other tunnelling software used to circumvent such security controls. The simple approach to resolving this issue would be to just block DoH providers at the firewall as they are identified. However, maintaining such a list, as with any blacklist, presents some challenges and would be better managed by commercial providers. A more layered approach provides…

Defence against the DoH! Arts

I’m afraid it’s another post about DNS-over-HTTPS, but there’s a lot going on. Whilst the current crop of DoH servers don’t suffer from the same problems as normal open DNS resolvers, they do have issues of their own. Fans of DoH are right when they say that nothing stopped applications from doing their own DNS before, and that the bad guys have always tunnelled data over other protocols. It is also true, however, that DoH has massively lowered the bar for them, both in terms of readily available libraries and in the provision of vast, highly resilient, free tunnelling infrastructure provisioned by reputable companies. I don’t want to get back into that again, though; instead, let’s review the latest happenings in the world of DoH. In the last month we’ve had: a DoH-controlled spam campaign, the first malware to leverage DoH, and Mozilla nominated for Internet villain of the…