
Trace the history of the Domain Name System from HOSTS.TXT and raw IP addresses to its birth, and explain the hierarchy from the root through gTLDs and ccTLDs, managed by IANA and ICANN.
Explore how a zone file on the authoritative server stores a domain's DNS records, TTLs, and the SOA serial and refresh settings, and review the A, CNAME, MX, NS, TXT, PTR, and AAAA record types.
Configure a reverse zone for the 192.168.1.0/24 block using the 1.168.192.in-addr.arpa file and a PTR record that maps the IP address to mail.acme.org.
Explore how whois queries reveal registered domains, registries, and registrars, showing domain statuses via EPP, such as clientUpdateProhibited and clientTransferProhibited, with examples like reddit.com.
Demonstrate how DNS packets are built and transported over UDP, detailing the header, question, answer, and additional sections, with the transaction ID and flags.
Understand how a recursive server validates a DNS response from the authoritative server by matching the source port, destination port, destination IP, and transaction ID, demonstrated with a Wireshark snippet.
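As an added illustration (not code from the course), the following Python models the acceptance checks described above: it builds a DNS query, decodes the 12-byte header, and accepts a UDP reply only when the answering server's IP and port, the resolver's own address and ephemeral port, and the transaction ID all match the outstanding query; it also checks the QR bit, which goes one step beyond the four fields listed. All addresses and ports are constructed sample values.

```python
import secrets
import struct

def build_query(qname, qtype=1, txid=None):
    """Build a minimal DNS query for UDP: 12-byte header plus one question.
    Returns (txid, packet). A random 16-bit ID is chosen when none is given."""
    txid = secrets.randbelow(0x10000) if txid is None else txid
    flags = 0x0100  # QR=0 (query), opcode 0, RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, others 0
    labels = [part.encode() for part in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"  # root label
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return txid, header + question

def parse_header(packet):
    """Decode the DNS header: transaction ID, flag bits and the four section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"txid": txid, "qr": (flags >> 15) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def accept_response(pending, src_ip, src_port, dst_ip, dst_port, packet):
    """Apply the recursive server's checks to an incoming UDP reply.
    `pending` records the outstanding query: the server it was sent to, the local
    address and port it left from, and its transaction ID. Every field must agree,
    and the packet must be flagged as a response (QR=1), or the reply is dropped."""
    hdr = parse_header(packet)
    return (src_ip == pending["server_ip"] and src_port == pending["server_port"]
            and dst_ip == pending["local_ip"] and dst_port == pending["local_port"]
            and hdr["txid"] == pending["txid"] and hdr["qr"] == 1)

# Constructed sample: query for www.acme.org sent from 192.168.10.5:40123 to 192.0.2.53:53
TXID, QUERY = build_query("www.acme.org")
PENDING = {"txid": TXID, "server_ip": "192.0.2.53", "server_port": 53,
           "local_ip": "192.168.10.5", "local_port": 40123}

def make_reply(txid, qr=1):
    """Constructed reply: given ID, RD/RA set, NOERROR, question echoed, one answer claimed."""
    flags = (qr << 15) | 0x0180
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    print(accept_response(PENDING, "192.0.2.53", 53, "192.168.10.5", 40123, make_reply(TXID)))
    # A reply carrying any other transaction ID is rejected
    print(accept_response(PENDING, "192.0.2.53", 53, "192.168.10.5", 40123, make_reply(TXID ^ 1)))
```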
Secure DNS management by using a generic admin contact, enforcing secure channels and MFA with the registrar, and avoiding open recursive servers.
Run BIND in a chroot jail, isolate the DNS service and restrict transfers with ACLs. Consider DNSSEC and split-horizon DNS with public acme.org and private acme.local, and disable local cache.
Track bad domains by monitoring typosquatting and using threat intel, WHOIS, and reverse WHOIS to identify registrants, then block suspicious domains including DGA patterns and apply RPZ policies.
Explore response policy zones (RPZs) as a DNS firewall on a recursive server. See how RPZs block bad domains and return NXDOMAIN, NODATA, NO-OP, or Local Data.
Identify DNS server versions and the technologies behind domains using dig and version.bind. Explore reverse DNS, PTR records, passive DNS history, and threat intelligence with tools like fpdns and VirusTotal.
Explore DNS-based denial of service, why UDP without handshakes enables DDoS, and how attackers impact providers; learn about three tools, hping3, LOIC, and netstress, used to test DNS resilience.
Configure a BIND 9 recursive cache-only name server on Ubuntu, securing it with ACLs and a firewall, hiding its version, and listening only on the internal 192.168.10.0/24 interface; validate with dig.
Configure an authoritative DNS server by defining the example.com master zone in named.conf.default-zones, creating db.example.com, and updating the SOA parameters; verify with named-checkconf and restart bind9.
Learn how DNSSEC authenticates DNS responses by signing RRsets with a zone signing key, producing an RRSIG, and verifying it with the DNSKEY and a trust anchor using dig.
Verify the zone signing key with the key signing key, RRset, and RRSIG. Update DS records via the registrar when the KSK changes to maintain the chain of trust from the root.
Explore TSIG, the RFC 2845 protocol for authenticating dynamic DNS updates and zone transfers, using a shared secret, a keyed hash, and a timestamp to protect updates, with clocks synchronized via NTP.
Thank you for attending the course; visit tznibae.com and LinkedIn for updates and feedback. Stay safe from physical diseases and virtual attacks.
Welcome to the "Comprehensive DNS Security and DNSSEC" course.
In this course, you will learn how the Domain Name System came to be, how it has evolved, how it works and how to make it secure. You will explore DNS functions, history, structure, architecture, and security.
You will learn the difference between an authoritative DNS server and a recursive DNS server.
You will understand what a zone file is and what a reverse zone file is.
You will see the most common attacks against DNS systems and how to secure your infrastructure.
You will understand BIND DNS configuration as a recursive server as well as an authoritative server.
We will cover the techniques used to target DNS systems as well as those that take advantage of the DNS system to carry out a malicious activity. Examples include:
Fingerprinting the DNS
Distributed Denial-of-Service (DDoS) against DNS.
DNS Spoofing
DNS Amplification attacks
Cache poisoning
Domain hijacking
DNS Tunneling
You will learn to use different command line tools and utilities, such as whois, dig, hping3, fpdns, etc.
You will learn to read the DNS packet information, such as the header, the answer section, and the "additional information" section.
You will be able to understand filtering of incoming requests using Response Policy Zones, and how to track down malicious domains.
You will discover DNSSEC, the framework that is being adopted to sign and secure DNS communications. TSIG is also covered in this course.
This course will be kept updated with relevant material when the students ask for it. So, don't hesitate to leave a message. Feel free to suggest topics you’d like to understand more.