Stenobird

Episode

#560: The one BIG mistake you are making with DNS security today

Podcast
David Bombal
Published
Mar 18, 2026
Duration seconds
3485
Processing state
not_requested
Canonical source
https://soundcloud.com/davidbombal/560-the-one-big-mistake-you
Audio
https://feeds.soundcloud.com/stream/2286102878-davidbombal-560-the-one-big-mistake-you.mp3
JSON
/v1/public/podcasts/david-bombal-5315180/episodes/560-the-one-big-mistake-you-are-making-with-dns-security-today
Markdown
/podcast/david-bombal-5315180/560-the-one-big-mistake-you-are-making-with-dns-security-today.md

Actions

  • POST https://stenobird.com/v1/public/podcasts/david-bombal-5315180/episodes/560-the-one-big-mistake-you-are-making-with-dns-security-today/transcription-requests
    Idempotently request low-priority transcript generation for this episode.
  • GET https://stenobird.com/podcast/david-bombal-5315180/560-the-one-big-mistake-you-are-making-with-dns-security-today.md
    Read the agent-friendly Markdown representation of this episode resource.

Summary

Big thank you to Infoblox for sponsoring this video. To learn more about Infoblox please visit: https://www.infoblox.com/ Do you know the difference between encrypted DNS and secure DNS? DNS veteran Cricket Liu, author of DNS and Bind, joins David Bombal to break down common misconceptions, explain the crucial distinction between security and privacy; and outline a massive update to the NIST Secure DNS Deployment Guide (SP 800-81). If you run a network, you cannot afford to ignore this control point. Detailed Breakdown: DNS is the Achilles' heel of internet infrastructure. While newer protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT) solve the cleartext privacy problem, they do not stop malware, phishing, or data exfiltration. In fact, attackers are now using encrypted DNS against us. In this deep-dive interview, Cricket Liu explains how DNS security must evolve beyond simple encryption to include Protective DNS (PDNS) using Response Policy Zones (RPZ). Learn how to turn your existing DNS infrastructure into a low-cost, high-efficiency control point that blocks malicious C2 rendezvous, phishing links, and DNS tunneling automatically. We also tackle the DNSSEC confusion head-on. Cricket clarifies exactly why DNSSEC is about validation and integrity, not encryption, and discusses the looming threat of quantum computing on modern cryptographic standards. Finally, we discuss real-world attack vectors, including a wild story about a dangling CNAME record on CDC.gov that was hijacked to game search engine rankings, and how the updated NIST guide shifts focus from just network administrators to security practitioners. // Links to documents // NIST SP 800-81: https://nvlpubs.nist.gov/nistpubs/Spe... Inflox Q&A on NIST SP 800-81: https://www.infoblox.com/blog/securit..…