# #560: The one BIG mistake you are making with DNS security today

Page: https://stenobird.com/podcast/david-bombal-5315180/560-the-one-big-mistake-you-are-making-with-dns-security-today
Text version: https://stenobird.com/podcast/david-bombal-5315180/560-the-one-big-mistake-you-are-making-with-dns-security-today.md
Podcast: [David Bombal](https://stenobird.com/podcast/david-bombal-5315180)
Published: 2026-03-18T14:34:04+00:00
Episode link: https://soundcloud.com/davidbombal/560-the-one-big-mistake-you
Audio file: https://feeds.soundcloud.com/stream/2286102878-davidbombal-560-the-one-big-mistake-you.mp3
Duration: 3485 seconds (about 58 minutes)

## Resource

Big thank you to Infoblox for sponsoring this video. To learn more about Infoblox please visit: https://www.infoblox.com/

Do you know the difference between encrypted DNS and secure DNS? DNS veteran Cricket Liu, author of DNS and BIND, joins David Bombal to break down common misconceptions, explain the crucial distinction between security and privacy, and outline a massive update to the NIST Secure DNS Deployment Guide (SP 800-81). If you run a network, you cannot afford to ignore this control point.

Detailed Breakdown:

DNS is the Achilles' heel of internet infrastructure. Newer protocols such as DNS over HTTPS (DoH) and DNS over TLS (DoT) solve the cleartext privacy problem by encrypting the query between the client and its resolver, but they do nothing to stop malware, phishing, or data exfiltration carried over DNS. In fact, attackers now use encrypted DNS against us, carrying their queries past the resolver the organization controls. In this deep-dive interview, Cricket Liu explains how DNS security must evolve beyond simple encryption to include Protective DNS (PDNS) using Response Policy Zones (RPZ). Learn how to turn your existing DNS infrastructure into a low-cost, high-efficiency control point that blocks malicious C2 rendezvous, phishing links, and DNS tunneling automatically.
We also tackle the DNSSEC confusion head-on. Cricket clarifies exactly why DNSSEC is about validation and integrity (signed records that a validating resolver can verify), not encryption, and discusses the looming threat of quantum computing to the cryptographic algorithms those signatures rely on. Finally, we discuss real-world attack vectors, including a wild story about a dangling CNAME record on CDC.gov that was hijacked to game search engine rankings, and how the updated NIST guide shifts its focus from network administrators alone to security practitioners.

// Links to documents //

NIST SP 800-81: https://nvlpubs.nist.gov/nistpubs/Spe...
Infoblox Q&A on NIST SP 800-81: https://www.infoblox.com/blog/securit...
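To make the RPZ mechanism from the breakdown above concrete, here is an added example written for this page (not code from the episode, from Infoblox, or from ISC's BIND). It parses a constructed RPZ zone in BIND zone-file syntax and applies the standard RPZ QNAME-trigger encoding: a CNAME to `.` means NXDOMAIN, to `*.` means NODATA, to `rpz-passthru.` lets the name through, to `rpz-drop.` drops the query, and any other CNAME or address record is returned as local data (a walled-garden redirect). All names under `example.test` and the `sinkhole.corp.example.` host are hypothetical; the one real entry is Mozilla's documented DoH canary domain `use-application-dns.net`, which Firefox probes and, on NXDOMAIN, keeps using the local resolver. The evaluator assumes QNAME triggers only (no IP, NSDNAME, NSIP or client-IP triggers), exact-before-wildcard precedence following ordinary DNS wildcard rules, and a single policy zone.

```python
"""RPZ (Response Policy Zone) QNAME-trigger evaluator.

Added example, not code from the episode or from Infoblox/ISC. It applies
the RPZ rule encoding that BIND and other resolvers use to a constructed
zone, so you can see which policy action a given query would trigger.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample RPZ zone. Names under example.test and the sinkhole
# host are hypothetical. In a real RPZ file the owner names are relative to
# the zone origin (e.g. rpz.corp.example.), which named strips before matching.
SAMPLE_RPZ_ZONE = """\
$TTL 300
@                        IN SOA  localhost. hostmaster.localhost. 1 3600 900 604800 300
                         IN NS   localhost.
; phishing domain and everything under it: answer NXDOMAIN
phish.example.test          CNAME .
*.phish.example.test        CNAME .
; one exact name under that subtree is allowed through
ok.phish.example.test       CNAME rpz-passthru.
; C2 rendezvous domain: redirect to a walled-garden host so hits are logged
c2.example.test             CNAME sinkhole.corp.example.
; tunneling subtree: answer NODATA (name exists, no records)
*.tunnel.example.test       CNAME *.
; Firefox DoH canary: NXDOMAIN tells the browser to keep using this resolver
use-application-dns.net     CNAME .
"""

# Special CNAME targets defined by the RPZ format and their policy meaning.
SPECIAL_CNAME_TARGETS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}

RECORD_TYPES = {"CNAME", "A", "AAAA", "TXT"}


@dataclass(frozen=True)
class Rule:
    trigger: str   # owner name of the QNAME trigger, lowercase, no trailing dot
    rtype: str
    rdata: str


@dataclass(frozen=True)
class Verdict:
    action: str                  # NXDOMAIN, NODATA, PASSTHRU, DROP, TCP-ONLY or LOCAL-DATA
    trigger: str                 # which rule fired
    local_data: Optional[tuple]  # (rtype, rdata) for LOCAL-DATA, else None


def parse_rpz_zone(text):
    """Extract QNAME-trigger rules from a BIND-style RPZ zone file.

    Simplification: ';' always starts a comment, so TXT rdata containing ';'
    would be truncated; the apex SOA/NS records are skipped.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line or line.startswith("$"):
            continue
        if line[0].isspace() or line.startswith("@"):
            continue  # apex SOA/NS bookkeeping, not a policy rule
        tokens = line.split()
        type_idx = next((i for i, t in enumerate(tokens) if t.upper() in RECORD_TYPES), None)
        if type_idx is None:
            continue  # tolerate optional TTL / class tokens before the type
        owner = tokens[0].lower().rstrip(".")
        rules[owner] = Rule(owner, tokens[type_idx].upper(), " ".join(tokens[type_idx + 1:]))
    return rules


def decode_action(rule):
    """Translate a matched rule's rdata into the RPZ policy action."""
    if rule.rtype == "CNAME":
        special = SPECIAL_CNAME_TARGETS.get(rule.rdata.lower())
        if special:
            return Verdict(special, rule.trigger, None)
    return Verdict("LOCAL-DATA", rule.trigger, (rule.rtype, rule.rdata))


def match_qname(rules, qname):
    """Return the rule that triggers on qname, or None.

    An exact owner name wins over a wildcard; among wildcards the one closest
    to the query name wins, as with ordinary DNS wildcards. '*.x' does not
    match 'x' itself, which is why the sample zone lists both forms.
    """
    name = qname.lower().rstrip(".")
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return None


def apply_policy(zone_text, qname):
    """Policy verdict for one query, or None when no rule matches (resolve normally)."""
    rule = match_qname(parse_rpz_zone(zone_text), qname)
    return decode_action(rule) if rule else None


if __name__ == "__main__":
    for q in ["www.phish.example.test", "ok.phish.example.test", "c2.example.test",
              "a.b.tunnel.example.test", "use-application-dns.net", "www.example.com"]:
        v = apply_policy(SAMPLE_RPZ_ZONE, q)
        print(f"{q:28} -> " + (f"{v.action} via {v.trigger}" if v else "no policy, resolve normally"))
```

The point to take from running it is the one the episode makes: the policy fires on the name the client asked for, before any answer is cached or returned, which is exactly what a DoH client pointed at an outside resolver sidesteps. That is why the canary entry belongs in a PDNS zone alongside the threat-intelligence names.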