Tag: Security

No comments

Good practices with DNS records

  By , , , , , ,

DNS security is important and there’s a lot of information available talking about how to secure your DNS infrastructure.There are fewer articles talking about how to protect your reputation and domains from abuse by deploying DNS records. As I generate a report talking about the deployment of DNS security records, it seems only fair to talk about those records and how they should be deployed. Which records you need and how they should be deployed depends on how you are using your domain and what other services you are running. One thing to keep in mind with these records is that their primary function is to make it harder for the bad guys to impersonate you; protecting your reputation and people you communicate with. The foundation of all of any DNS based security measure is to ensure that your DNS is secure, so pick a good registrar and DNS provider… Continue reading

No comments

The state of DNS security records 2020

  By , , , , , , , ,

Not quite the third year running, but a third edition at least. This years state of DNS security records survey has seen a few changes – so is a bit of a transition report. I’ve dropped all of my self generated lists, except for DoH providers, in favour of more robust lists. I’ve also got a new generation of my domain quality tool in the works. This report was produced using the new version of the tool as it produces more reliable results, captured more data and is a tad more efficient allowing me to increase my sample size. TLDR: Summary The adoption rates of security related records provisioned continues to stagnate, though I suspect the drops from 2017 may be artefacts of improved methodology and larger sample size. Comparing just to last year any gains made are marginal at best. Despite all the attention DNS security has got this… Continue reading

No comments

Mitigating against and observing DoH – a real world deployment

  By , , ,
DoH data flow

Whilst there has been a lot of discussion about the impact and usage of DNS-over-HTTPs there is so far very little data on how widely its usage has been adopted let alone what the traffic looks like. By adopting a layered approach using response policy zones and an internal DNS-over-HTTPS infrastructure it’s possible to start to get a clearer picture of DoH usage. Within a typical Enterprise environment, you would expect the use of external DNS servers to already be prohibited. The use of DNS-over-HTTPS is thus no different from any other tunnelling software that is used to circumvent such security controls. The simple approach to resolving this issue would be to just block DoH providers at the firewall as they were identified. However, maintaining such a list, as with any black list, will present some challenges and would be better managed by commercial providers. A more layered approach provides… Continue reading

No comments

DNS in applications a rebuttal

  By ,

There’s an awful lot going on in the world of DoH at the moment – so rather than writing one huge rambling post I’m going to try and cover everything in several shorter rambling posts. I’m going to start with taking a look at a presentation that Mozilla did regarding “DNS in applications”, which I have many issues with and I think highlights the fundamental disconnect between the Mozilla developers and people that actually have to deal with network and user security. A lot of this has been discussed extensively on the IETF “Applications doing DNS” discussion list. If you’re on that list I’m not going to be saying anything much new, but with that said let’s start looking at the presentation. Continue reading