Description

Book Synopsis
An advanced Domain Name System (DNS) security resource that explores the operation of DNS, its vulnerabilities, basic security approaches, and mitigation strategies DNS Security Management offers an overall role-based security approach and discusses the various threats to the Domain Name Systems (DNS).

Table of Contents

Preface xiii

Acknowledgments xvii

1 INTRODUCTION 1

Why Attack DNS? 1

Network Disruption 2

DNS as a Backdoor 2

DNS Basic Operation 3

Basic DNS Data Sources and Flows 4

DNS Trust Model 5

DNS Administrator Scope 6

Security Context and Overview 7

Cybersecurity Framework Overview 7

Framework Implementation 9

What’s Next 15

2 INTRODUCTION TO THE DOMAIN NAME SYSTEM (DNS) 17

DNS Overview – Domains and Resolution 17

Domain Hierarchy 18

Name Resolution 18

Zones and Domains 23

Dissemination of Zone Information 25

Additional Zones 26

Resolver Configuration 27

Summary 29

3 DNS PROTOCOL AND MESSAGES 31

DNS Message Format 31

Encoding of Domain Names 31

Name Compression 32

Internationalized Domain Names 34

DNS Message Format 35

DNS Update Messages 43

The DNS Resolution Process Revisited 48

DNS Resolution Privacy Extension 55

Summary 56

4 DNS VULNERABILITIES 57

Introduction 57

DNS Data Security 57

DNS Information Trust Model 59

DNS Information Sources 60

DNS Risks 61

DNS Infrastructure Risks and Attacks 62

DNS Service Availability 62

Hardware/OS Attacks 63

DNS Service Denial 63

Pseudorandom Subdomain Attacks 67

Cache Poisoning Style Attacks 67

Authoritative Poisoning 71

Resolver Redirection Attacks 73

Broader Attacks that Leverage DNS 74

Network Reconnaissance 75

DNS Rebinding Attack 77

Reflector Style Attacks 78

Data Exfiltration 79

Advanced Persistent Threats 81

Summary 83

5 DNS TRUST SECTORS 85

Introduction 85

Cybersecurity Framework Items 87

Identify 87

Protect 87

Detect 88

DNS Trust Sectors 88

External DNS Trust Sector 91

Basic Server Configuration 93

DNS Hosting of External Zones 97

External DNS Diversity 97

Extranet DNS Trust Sector 98

Recursive DNS Trust Sector 99

Tiered Caching Servers 100

Basic Server Configuration 101

Internal Authoritative DNS Servers 103

Basic Server Configuration 105

Additional DNS Deployment Variants 108

Internal Delegation DNS Master/Slave Servers 109

Multi-Tiered Authoritative Configurations 109

Hybrid Authoritative/Caching DNS Servers 111

Stealth Slave DNS Servers 111

Internal Root Servers 111

Deploying DNS Servers with Anycast Addresses 113

Other Deployment Considerations 118

High Availability 118

Multiple Vendors 118

Sizing and Scalability 118

Load Balancers 119

Lab Deployment 119

Putting It All Together 119

6 SECURITY FOUNDATION 121

Introduction 121

Hardware/Asset Related Framework Items 122

Identify: Asset Management 122

Identify: Business Environment 123

Identify: Risk Assessment 124

Protect: Access Control 126

Protect: Data Security 127

Protect: Information Protection 129

Protect: Maintenance 130

Detect: Anomalies and Events 131

Detect: Security Continuous Monitoring 131

Respond: Analysis 132

Respond: Mitigation 132

Recover: Recovery Planning 133

Recover: Improvements 133

DNS Server Hardware Controls 134

DNS Server Hardening 134

Additional DNS Server Controls 136

Summary 137

7 SERVICE DENIAL ATTACKS 139

Introduction 139

Denial of Service Attacks 139

Pseudorandom Subdomain Attacks 141

Reflector Style Attacks 143

Detecting Service Denial Attacks 144

Denial of Service Protection 145

DoS/DDoS Mitigation 145

Bogus Queries Mitigation 147

PRSD Attack Mitigation 148

Reflector Mitigation 148

Summary 151

8 CACHE POISONING DEFENSES 153

Introduction 153

Attack Forms 154

Packet Interception or Spoofing 154

ID Guessing or Query Prediction 155

Name Chaining 155

The Kaminsky DNS Vulnerability 156

Cache Poisoning Detection 159

Cache Poisoning Defense Mechanisms 160

UDP Port Randomization 160

Query Name Case Randomization 161

DNS Security Extensions 161

Last Mile Protection 167

9 SECURING AUTHORITATIVE DNS DATA 169

Introduction 169

Attack Forms 170

Resolution Data at Rest 170

Domain Registries 170

DNS Hosting Providers 171

DNS Data in Motion 172

Attack Detection 172

Authoritative Data 172

Domain Registry 173

Domain Hosting 173

Falsified Resolution 173

Defense Mechanisms 174

Defending DNS Data at Rest 174

Defending Resolution Data in Motion with DNSSEC 176

Summary 186

10 ATTACKER EXPLOITATION OF DNS 187

Introduction 187

Network Reconnaissance 187

Data Exfiltration 188

Detecting Nefarious use of DNS 189

Detecting Network Reconnaissance 189

DNS Tunneling Detection 190

Mitigation of Illicit DNS Use 193

Network Reconnaissance Mitigation 193

Mitigation of DNS Tunneling 193

11 MALWARE AND APTS 195

Introduction 195

Malware Proliferation Techniques 196

Phishing 196

Spear Phishing 196

Downloads 196

File Sharing 197

Email Attachments 197

Watering Hole Attack 197

Replication 197

Implantation 197

Malware Examples 198

Malware Use of DNS 198

DNS Fluxing 198

Dynamic Domain Generation 202

Detecting Malware 202

Detecting Malware Using DNS Data 203

Mitigating Malware Using DNS 206

Malware Extrication 206

DNS Firewall 207

Summary 210

12 DNS SECURITY STRATEGY 213

Major DNS Threats and Mitigation Approaches 214

Common Controls 214

Disaster Defense 214

Defenses Against Human Error 220

DNS Role-Specific Defenses 220

Stub Resolvers 220

Forwarder DNS Servers 221

Recursive Servers 221

Authoritative Servers 222

Broader Security Strategy 222

Identify Function 223

Protect Function 224

Detect Function 225

Respond Function 226

Recover Function 227

13 DNS APPLICATIONS TO IMPROVE NETWORK SECURITY 229

Safer Web Browsing 230

DNS-Based Authentication of Named Entities (DANE) 230

Email Security 232

Email and DNS 233

DNS Block Listing 237

Sender Policy Framework (SPF) 238

Domain Keys Identified Mail (DKIM) 242

Domain-Based Message Authentication, Reporting, and

Conformance (DMARC) 245

Securing Automated Information Exchanges 246

Dynamic DNS Update Uniqueness Validation 246

Storing Security-Related Information 247

Other Security Oriented DNS Resource Record Types 247

Summary 251

14 DNS SECURITY EVOLUTION 253

Appendix A: Cybersecurity Framework Core DNS Example 257

Appendix B: DNS Resource Record Types 285

Bibliography 291

Index 299

DNS Security Management

Product form

£81.86

Includes FREE delivery

RRP £90.95 – you save £9.09 (9%)

Order before 4pm tomorrow for delivery by Wed 21 Jan 2026.

A Hardback by Michael Dooley, Timothy Rooney

Out of stock


    View other formats and editions of DNS Security Management by Michael Dooley

    Publisher: John Wiley & Sons Inc
    Publication Date: 03/10/2017
    ISBN13: 9781119328278, 978-1119328278
    ISBN10: 1119328276
    Also in:
    Computer networking and communications Computer security

    Description

    Book Synopsis
    An advanced Domain Name System (DNS) security resource that explores the operation of DNS, its vulnerabilities, basic security approaches, and mitigation strategies DNS Security Management offers an overall role-based security approach and discusses the various threats to the Domain Name Systems (DNS).

    Table of Contents

    Preface xiii

    Acknowledgments xvii

    1 INTRODUCTION 1

    Why Attack DNS? 1

    Network Disruption 2

    DNS as a Backdoor 2

    DNS Basic Operation 3

    Basic DNS Data Sources and Flows 4

    DNS Trust Model 5

    DNS Administrator Scope 6

    Security Context and Overview 7

    Cybersecurity Framework Overview 7

    Framework Implementation 9

    What’s Next 15

    2 INTRODUCTION TO THE DOMAIN NAME SYSTEM (DNS) 17

    DNS Overview – Domains and Resolution 17

    Domain Hierarchy 18

    Name Resolution 18

    Zones and Domains 23

    Dissemination of Zone Information 25

    Additional Zones 26

    Resolver Configuration 27

    Summary 29

    3 DNS PROTOCOL AND MESSAGES 31

    DNS Message Format 31

    Encoding of Domain Names 31

    Name Compression 32

    Internationalized Domain Names 34

    DNS Message Format 35

    DNS Update Messages 43

    The DNS Resolution Process Revisited 48

    DNS Resolution Privacy Extension 55

    Summary 56

    4 DNS VULNERABILITIES 57

    Introduction 57

    DNS Data Security 57

    DNS Information Trust Model 59

    DNS Information Sources 60

    DNS Risks 61

    DNS Infrastructure Risks and Attacks 62

    DNS Service Availability 62

    Hardware/OS Attacks 63

    DNS Service Denial 63

    Pseudorandom Subdomain Attacks 67

    Cache Poisoning Style Attacks 67

    Authoritative Poisoning 71

    Resolver Redirection Attacks 73

    Broader Attacks that Leverage DNS 74

    Network Reconnaissance 75

    DNS Rebinding Attack 77

    Reflector Style Attacks 78

    Data Exfiltration 79

    Advanced Persistent Threats 81

    Summary 83

    5 DNS TRUST SECTORS 85

    Introduction 85

    Cybersecurity Framework Items 87

    Identify 87

    Protect 87

    Detect 88

    DNS Trust Sectors 88

    External DNS Trust Sector 91

    Basic Server Configuration 93

    DNS Hosting of External Zones 97

    External DNS Diversity 97

    Extranet DNS Trust Sector 98

    Recursive DNS Trust Sector 99

    Tiered Caching Servers 100

    Basic Server Configuration 101

    Internal Authoritative DNS Servers 103

    Basic Server Configuration 105

    Additional DNS Deployment Variants 108

    Internal Delegation DNS Master/Slave Servers 109

    Multi-Tiered Authoritative Configurations 109

    Hybrid Authoritative/Caching DNS Servers 111

    Stealth Slave DNS Servers 111

    Internal Root Servers 111

    Deploying DNS Servers with Anycast Addresses 113

    Other Deployment Considerations 118

    High Availability 118

    Multiple Vendors 118

    Sizing and Scalability 118

    Load Balancers 119

    Lab Deployment 119

    Putting It All Together 119

    6 SECURITY FOUNDATION 121

    Introduction 121

    Hardware/Asset Related Framework Items 122

    Identify: Asset Management 122

    Identify: Business Environment 123

    Identify: Risk Assessment 124

    Protect: Access Control 126

    Protect: Data Security 127

    Protect: Information Protection 129

    Protect: Maintenance 130

    Detect: Anomalies and Events 131

    Detect: Security Continuous Monitoring 131

    Respond: Analysis 132

    Respond: Mitigation 132

    Recover: Recovery Planning 133

    Recover: Improvements 133

    DNS Server Hardware Controls 134

    DNS Server Hardening 134

    Additional DNS Server Controls 136

    Summary 137

    7 SERVICE DENIAL ATTACKS 139

    Introduction 139

    Denial of Service Attacks 139

    Pseudorandom Subdomain Attacks 141

    Reflector Style Attacks 143

    Detecting Service Denial Attacks 144

    Denial of Service Protection 145

    DoS/DDoS Mitigation 145

    Bogus Queries Mitigation 147

    PRSD Attack Mitigation 148

    Reflector Mitigation 148

    Summary 151

    8 CACHE POISONING DEFENSES 153

    Introduction 153

    Attack Forms 154

    Packet Interception or Spoofing 154

    ID Guessing or Query Prediction 155

    Name Chaining 155

    The Kaminsky DNS Vulnerability 156

    Cache Poisoning Detection 159

    Cache Poisoning Defense Mechanisms 160

    UDP Port Randomization 160

    Query Name Case Randomization 161

    DNS Security Extensions 161

    Last Mile Protection 167

    9 SECURING AUTHORITATIVE DNS DATA 169

    Introduction 169

    Attack Forms 170

    Resolution Data at Rest 170

    Domain Registries 170

    DNS Hosting Providers 171

    DNS Data in Motion 172

    Attack Detection 172

    Authoritative Data 172

    Domain Registry 173

    Domain Hosting 173

    Falsified Resolution 173

    Defense Mechanisms 174

    Defending DNS Data at Rest 174

    Defending Resolution Data in Motion with DNSSEC 176

    Summary 186

    10 ATTACKER EXPLOITATION OF DNS 187

    Introduction 187

    Network Reconnaissance 187

    Data Exfiltration 188

    Detecting Nefarious use of DNS 189

    Detecting Network Reconnaissance 189

    DNS Tunneling Detection 190

    Mitigation of Illicit DNS Use 193

    Network Reconnaissance Mitigation 193

    Mitigation of DNS Tunneling 193

    11 MALWARE AND APTS 195

    Introduction 195

    Malware Proliferation Techniques 196

    Phishing 196

    Spear Phishing 196

    Downloads 196

    File Sharing 197

    Email Attachments 197

    Watering Hole Attack 197

    Replication 197

    Implantation 197

    Malware Examples 198

    Malware Use of DNS 198

    DNS Fluxing 198

    Dynamic Domain Generation 202

    Detecting Malware 202

    Detecting Malware Using DNS Data 203

    Mitigating Malware Using DNS 206

    Malware Extrication 206

    DNS Firewall 207

    Summary 210

    12 DNS SECURITY STRATEGY 213

    Major DNS Threats and Mitigation Approaches 214

    Common Controls 214

    Disaster Defense 214

    Defenses Against Human Error 220

    DNS Role-Specific Defenses 220

    Stub Resolvers 220

    Forwarder DNS Servers 221

    Recursive Servers 221

    Authoritative Servers 222

    Broader Security Strategy 222

    Identify Function 223

    Protect Function 224

    Detect Function 225

    Respond Function 226

    Recover Function 227

    13 DNS APPLICATIONS TO IMPROVE NETWORK SECURITY 229

    Safer Web Browsing 230

    DNS-Based Authentication of Named Entities (DANE) 230

    Email Security 232

    Email and DNS 233

    DNS Block Listing 237

    Sender Policy Framework (SPF) 238

    Domain Keys Identified Mail (DKIM) 242

    Domain-Based Message Authentication, Reporting, and

    Conformance (DMARC) 245

    Securing Automated Information Exchanges 246

    Dynamic DNS Update Uniqueness Validation 246

    Storing Security-Related Information 247

    Other Security Oriented DNS Resource Record Types 247

    Summary 251

    14 DNS SECURITY EVOLUTION 253

    Appendix A: Cybersecurity Framework Core DNS Example 257

    Appendix B: DNS Resource Record Types 285

    Bibliography 291

    Index 299

    Recently viewed products

    © 2026 Book Curl

      • American Express
      • Apple Pay
      • Diners Club
      • Discover
      • Google Pay
      • Maestro
      • Mastercard
      • PayPal
      • Shop Pay
      • Union Pay
      • Visa

      Login

      Forgot your password?

      Don't have an account yet?
      Create account