DNS Security

So many interviewers ask about DNS and SSL. I read this book having my previous sole resource of DNS knowledge be interviews. I was amazed at how much I didn't know like how anycast is used with the DNS root servers. My favorite chapter was the one that included passive DNS, the whole book was a quick and easy read.Negatives: None really, The authors said a few things about exploits like "try the exploit after you patch" that seemed like they had less expertise in that area.

This book is so full of grammar errors that I couldn't even continue reading it. Syngress should have put forth even a mild effort to proofread the text before publishing it. I am sure it has great and useful technical information, but the presentation of it was pathetic.

This book is AWESOME!

That you are reading this review, and my ability to post it are due in large part due to the Domain Name System (DNS). DNS is Wikipedia describes it is a hierarchical decentralized naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for the purpose of locating and identifying computer services and devices with the underlying network protocols. Quite simply, DNS enable you to use google.com and other intuitive and easy to remember sites, as opposed to an inconsistent set of numbers like 172.217.5.14.In DNS Security: Defending the Domain Name System authors Allan Liska and Geoffrey Stowe write that since DNS works so seamlessly, people often forget how critical it is. And more dangerously, those responsible for its operation often ignore the many DNS security risks in that they never thought to fully secure it when initially deployed. The underlying simplicity of DNS actually makes it a prime target for attackers.The authors note that while DNS is a core Internet component, it’s something that most administrators set and forget. In fact, when the time comes for security configuration changes, there may not even be anyone in the organization who knows how to implement those changes.For anyone tasked with anything related to DNS, this is an important book. It covers DNS for both Windows and Linux; including how to correctly implement DNS security.Often forgotten topics such as DNS firewalls, response policy zones and more are discussed. The authors also have a section detailing DNS outsourcing. For organizations that lack an internal DNS expert (and that is pretty much most organizations) outsourcing some or all DNS tasks and services can make both good business and security sense.Outsourcing may be especially valuable for those firms who’ve found their domain names have expired due to non-renewal in the past. This is a trivial, but often overlooked administrative task. If a domain expires, a firm may find themselves having to quickly reconfigure DNS, and often pay significantly to get their original domain names back.The authors do a great job detailing how to log and monitor DNS traffic. An interesting and powerful method they show on how to identify bad domains, particularly those used for spamming and malware, is to flag newly registered domains. The authors quote research that shows that new domains are often used for malicious purposes. When the identification of new domains is combined with data about the generic top-level domains (gTLD) and country code top-level domain (ccTLD), all of this data can be used as a powerful security mechanism. By entering that data into a SIEM, a firm can use that and other information to better protect themselves from DNS-based attacks.The book closes with an overview of Domain Name System Security Extensions (DNSSEC), which is a set of tools and protocols meant to secure DNS. DNSSEC can fix many of the insecurities the book describes in the previous 140 pages, as it attempts to fix the Achilles' heel of DNS in that it was designed to be a scalable distributed system, without much of a notion to strong security.With all the benefits DNSSEC affords, it’s underlying complexity and lack of global deployment means that DNS is currently, and for the not too distant future, will remain an incomplete and insecure set of protocols and services.For any organization that takes network security seriously, DNS Security: Defending the Domain Name System is an important reference that should be required reading for any DNS administrator. The authors do a great job of showing how a little time and effort into DNS security can provide immediate and significant security benefits.

Geoff and Allan have done an incredible job making DNS Security come to life. The prose flows forth like poetry that dances playfully upon my aroused senses. The first chapter, especially, was as brilliant a treatise as I have ever read. It would seem hyperbolic to compare this to James Joyce's "Ulyses", but I honestly feel like no other comparison is as appropriate. Do yourself a favor and buy this book. You'll thank me.

Very good book. I think it's only downfall is that it focuses on eliminating DNS risk rather than managing DNS risk. Security is always a risk trade-off of one kind or another.

Only got as far as page 19 so far and have already come across quite a few spelling and grammar mistakes, for example on page 18 they say "the DNS transport protocol is UD", when they mean 'UDP' and on the following page they have 'SLA' when they mean 'SOA' a the DNS record type.