The one BIG mistake you are making with DNS security today

NOTE: There was an upload issue with this video. You can watch the fixed video here: The one BIG mistake you are making with DN… – apologies for the issue.

Big thank you to Infoblox for sponsoring this video. To learn more about Infoblox please visit: https://www.infoblox.com/

Do you know the difference between encrypted DNS and secure DNS? DNS veteran Cricket Liu, author of DNS and BIND, joins David Bombal to break down common misconceptions, explain the crucial distinction between security and privacy, and outline a massive update to the NIST Secure DNS Deployment Guide (SP 800-81). If you run a network, you cannot afford to ignore this control point.

Detailed Breakdown:
DNS is the Achilles’ heel of internet infrastructure. While newer protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT) solve the cleartext privacy problem, they do not stop malware, phishing, or data exfiltration. In fact, attackers are now using encrypted DNS against us.

In this deep-dive interview, Cricket Liu explains how DNS security must evolve beyond simple encryption to include Protective DNS (PDNS) using Response Policy Zones (RPZ). Learn how to turn your existing DNS infrastructure into a low-cost, high-efficiency control point that blocks malicious C2 rendezvous, phishing links, and DNS tunneling automatically.

We also tackle the DNSSEC confusion head-on. Cricket clarifies exactly why DNSSEC is about validation and integrity, not encryption, and discusses the looming threat of quantum computing to modern cryptographic standards. Finally, we discuss real-world attack vectors, including a wild story about a dangling CNAME record on CDC.gov that was hijacked to game search engine rankings, and how the updated NIST guide shifts focus from just network administrators to security practitioners.
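To make the Protective DNS mechanism described above concrete, here is an added example (not code from the video, the NIST guide or Infoblox): a small Python model of how a resolver applies BIND-style Response Policy Zone QNAME triggers before answering a client. The zone contents, the domain names in it, the zone apex `rpz.example.local` and the `upstream` resolver stand-in are all constructed for illustration; the rule conventions themselves (`CNAME .` for NXDOMAIN, `CNAME *.` for NODATA, `CNAME rpz-passthru.` for an exemption, any other target as local data) are the standard RPZ ones. A real deployment loads threat-feed RPZ zones into BIND or another RPZ-capable resolver rather than re-implementing the lookup.

```python
"""RPZ-style QNAME policy evaluation for a protective resolver (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample policy zone (apex rpz.example.local is a placeholder).
# Owner names are relative to the apex; the indicators are NOT real ones.
SAMPLE_RPZ_ZONE = """
; QNAME triggers: owner name = the name the client asked for
malware-c2.example        CNAME .                        ; NXDOMAIN: name does not exist
*.malware-c2.example      CNAME .                        ; ... and every subdomain
phish-login.example       CNAME *.                       ; NODATA: name exists, no records
tunnel.example            CNAME sinkhole.example.local.  ; local data: rewrite to a sinkhole
*.tunnel.example          CNAME sinkhole.example.local.
good.tunnel.example       CNAME rpz-passthru.            ; exception: answer normally
"""


@dataclass(frozen=True)
class PolicyResult:
    action: str             # NXDOMAIN | NODATA | PASSTHRU | LOCALDATA | NONE
    rule: Optional[str]     # owner name of the rule that fired (for logging)
    data: Optional[str]     # rewrite target, only for LOCALDATA


def parse_rpz(zone_text: str) -> Dict[str, str]:
    """Parse the CNAME-only subset of an RPZ zone into {owner: target}."""
    rules: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "CNAME":
            raise ValueError(f"unsupported RPZ rule: {raw!r}")
        owner, target = parts[0].lower().rstrip("."), parts[2]
        rules[owner] = target
    return rules


def action_for(target: str) -> str:
    """Map the RPZ CNAME target to the policy action it encodes."""
    if target == ".":
        return "NXDOMAIN"
    if target == "*.":
        return "NODATA"
    if target.lower() == "rpz-passthru.":
        return "PASSTHRU"
    return "LOCALDATA"


def _result(owner: str, target: str) -> PolicyResult:
    act = action_for(target)
    return PolicyResult(act, owner, target if act == "LOCALDATA" else None)


def evaluate(rules: Dict[str, str], qname: str) -> PolicyResult:
    """Find the most specific rule for qname: exact owner first, then wildcards
    from the deepest parent upwards (a '*.parent' rule needs at least one label
    below parent, so it never matches parent itself)."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return _result(name, rules[name])
    labels = name.split(".")
    for i in range(1, len(labels)):
        owner = "*." + ".".join(labels[i:])
        if owner in rules:
            return _result(owner, rules[owner])
    return PolicyResult("NONE", None, None)


Upstream = Callable[[str], Tuple[str, Optional[str]]]


def answer_query(rules: Dict[str, str], qname: str, upstream: Upstream) -> Tuple[str, Optional[str]]:
    """Return the (rcode, answer) a protective resolver hands the client.
    Only PASSTHRU and unmatched names reach the real (upstream) resolution."""
    verdict = evaluate(rules, qname)
    if verdict.action == "NXDOMAIN":
        return "NXDOMAIN", None
    if verdict.action == "NODATA":
        return "NOERROR", None
    if verdict.action == "LOCALDATA":
        return "NOERROR", verdict.data
    return upstream(qname)


if __name__ == "__main__":
    policy = parse_rpz(SAMPLE_RPZ_ZONE)

    def fake_upstream(q: str) -> Tuple[str, Optional[str]]:
        return "NOERROR", "198.51.100.7"        # constructed, documentation range

    for q in ["beacon.malware-c2.example", "phish-login.example",
              "x.tunnel.example", "good.tunnel.example", "example.com"]:
        v = evaluate(policy, q)
        rcode, ans = answer_query(policy, q, fake_upstream)
        # The rule name is what makes an RPZ hit useful to a SOC: log it.
        print(f"rpz client=192.0.2.50 qname={q} rule={v.rule} action={v.action} -> {rcode} {ans}")
```

The value of keeping `rule` in the result is the log line at the end: a block on its own stops the C2 rendezvous, but the rule that fired tells the security team which host asked for which indicator, which is the detection signal the interview is pointing at.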

// Links to documents //
NIST SP 800-81: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81r3.ipd.pdf
Infoblox Q&A on NIST SP 800-81:
https://www.infoblox.com/blog/security/what-is-nist-sp-800-81-a-complete-faq-on-the-latest-draft-of-nist-secure-dns-deployment-guide/

// Cricket Liu’s SOCIAL //
LinkedIn: / cricketliu

// Renee Burton’s SOCIAL //
LinkedIn: / ren%c3%a9e-burton-b7161110b
Blog Posts: https://www.infoblox.com/blog/author/renee-burton/

// Infoblox SOCIAL //
LinkedIn: / infoblox
Website: https://www.infoblox.com/

// Books by Cricket //
DNS on Windows Server 2003: Mastering the Domain Name
US: https://amzn.to/4byNAtQ
UK: https://amzn.to/4rjqgoz
DNS & BIND Cookbook: Solutions & Examples for System Administrators 1st Edition
US: https://amzn.to/40iZPob
UK: https://amzn.to/3Nk2MBM
DNS and BIND on IPv6: DNS for the Next-Generation Internet 1st Edition
US: https://amzn.to/3MXly1Y
UK: https://amzn.to/4s2SFRe
Learning CoreDNS: Configuring DNS for Cloud Native Environments 1st Edition
US: https://amzn.to/4sC4GwS
UK: https://amzn.to/4ro0T59
DNS & BIND 4th Edition:
US: https://amzn.to/4s8WaWm
UK: https://amzn.to/4sztLbB

// Website REFERENCE //
NIST: https://www.nist.gov/

Secure Domain Name System Deployment Guide: https://www.nist.gov/news-events/news/2025/04/secure-domain-name-system-dns-deployment-guide-comment-nist-sp-800-81r3

// David’s Social //

================
Connect with me:
================
Discord: http://discord.davidbombal.com
X: https://www.x.com/davidbombal
Instagram: https://www.instagram.com/davidbombal
LinkedIn: https://www.linkedin.com/in/davidbombal
Facebook: https://www.facebook.com/davidbombal.co
TikTok: http://tiktok.com/@davidbombal
YouTube Main https://www.youtube.com/davidbombal
YouTube Tech: https://www.youtube.com/channel/UCZTIRrENWr_rjVoA7BcUE_A
YouTube Clips: https://www.youtube.com/channel/UCbY5wGxQgIiAeMdNkW5wM6Q
YouTube Emerging Technologies: https://www.youtube.com/channel/UCbY5wGxQgIiAeMdNkW5wM6Q
YouTube Shorts: https://www.youtube.com/channel/UCEyCubIF0e8MYi1jkgVepKg
Apple Podcast: https://davidbombal.wiki/applepodcast
Spotify Podcast: https://open.spotify.com/show/3f6k6gERfuriI96efWWLQQ
SoundCloud: / davidbombal

================
Support me:
================
Or, buy my CCNA course and support me:
DavidBombal.com: CCNA ($10): http://bit.ly/yt999ccna
Udemy CCNA Course: https://bit.ly/ccnafor10dollars
GNS3 CCNA Course: CCNA ($10): https://bit.ly/gns3ccna10

// MY STUFF //
https://www.amazon.com/shop/davidbombal

// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com

// MENU //
00:00 – Coming up
01:19 – Sponsored video disclaimer
01:45 – Cricket Liu books and introduction
07:06 – The problems of DNS
10:33 – DNS security
13:51 – How protective DNS works
16:26 – The DNS Deployment Guide by NIST
22:00 – How protective DNS stops malware and malicious sites
23:48 – Pros and cons of encrypted DNS
32:29 – Quantum computing and DNS
33:47 – DNSSEC is not encryption
36:18 – Validating data
40:04 – Protecting DNS
49:21 – Lessons learned // Story time
52:54 – Why the DNS Deployment Guide matters
55:30 – Top 3 things to protect your organization/business from cyber attacks
56:56 – Conclusion

Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!

Disclaimer: This video is for educational purposes only.
#dns #dnssec #cybersecurity
