1
00:00:00,000 --> 00:00:01,680
In this lesson, we're going to talk about

2
00:00:01,680 --> 00:00:03,900
securing the domain name system.

3
00:00:03,900 --> 00:00:06,090
The domain name system is a critical component

4
00:00:06,090 --> 00:00:08,070
in our networks because it's allowed to redirect

5
00:00:08,070 --> 00:00:10,050
network devices from one domain name

6
00:00:10,050 --> 00:00:12,210
to its associated IP address.

7
00:00:12,210 --> 00:00:14,460
If an attacker can gain control of your DNS server

8
00:00:14,460 --> 00:00:15,810
and change its contents,

9
00:00:15,810 --> 00:00:18,660
it can then reroute a normal request to a compromised server

10
00:00:18,660 --> 00:00:21,360
to collect additional information about your users.

11
00:00:21,360 --> 00:00:23,070
For example, if I was able to change

12
00:00:23,070 --> 00:00:24,780
the IP address of facebook.com

13
00:00:24,780 --> 00:00:26,910
in your internet service provider's DNS server,

14
00:00:26,910 --> 00:00:28,980
I can redirect every one of their clients

15
00:00:28,980 --> 00:00:31,050
to a compromised server that I control

16
00:00:31,050 --> 00:00:33,270
that may look and feel just like Facebook

17
00:00:33,270 --> 00:00:35,070
and whenever their users attempt to log in,

18
00:00:35,070 --> 00:00:37,560
I can actually copy their usernames and passwords down

19
00:00:37,560 --> 00:00:39,750
and then redirect them to the real Facebook page

20
00:00:39,750 --> 00:00:41,820
while I keep a copy of their login credential data

21
00:00:41,820 --> 00:00:44,730
for myself to use later on as an identity thief

22
00:00:44,730 --> 00:00:46,680
or some other type of attack against them

23
00:00:46,680 --> 00:00:48,360
and their Facebook friends.

24
00:00:48,360 --> 00:00:50,730
Unfortunately, when DNS was first created,

25
00:00:50,730 --> 00:00:53,190
security wasn't really a big consideration for us,

26
00:00:53,190 --> 00:00:55,590
and this means that DNS is susceptible to various forms

27
00:00:55,590 --> 00:00:57,420
of manipulation and attack.

28
00:00:57,420 --> 00:00:58,740
To secure this critical portion

29
00:00:58,740 --> 00:01:00,150
of our network infrastructure,

30
00:01:00,150 --> 00:01:01,830
several security measures have been developed

31
00:01:01,830 --> 00:01:04,650
over the years, including DNS security extensions,

32
00:01:04,650 --> 00:01:08,580
DNS over HTTPS, and DNS over TLS.

33
00:01:08,580 --> 00:01:11,340
First, we have the DNS security extensions.

34
00:01:11,340 --> 00:01:13,800
The DNS security extensions, usually referred to

35
00:01:13,800 --> 00:01:15,690
by its acronym of DNSSEC,

36
00:01:15,690 --> 00:01:18,630
provides a digital tamper-proof seal for your DNS data

37
00:01:18,630 --> 00:01:20,460
to ensure that the information reaching your device

38
00:01:20,460 --> 00:01:23,400
is exactly what that server intended to send you.

39
00:01:23,400 --> 00:01:25,170
This is achieved through a sophisticated system

40
00:01:25,170 --> 00:01:26,550
of cryptographic signatures

41
00:01:26,550 --> 00:01:28,620
that are attached to your DNS data.

42
00:01:28,620 --> 00:01:31,410
These signatures are verified against the chain of trust,

43
00:01:31,410 --> 00:01:34,050
all the way up to a globally recognized anchor.

44
00:01:34,050 --> 00:01:37,050
With DNSSEC, even if an attacker redirects your traffic

45
00:01:37,050 --> 00:01:39,900
using a falsified DNS record, the lack of a valid

46
00:01:39,900 --> 00:01:42,480
cryptographic signature will make it easy to spot

47
00:01:42,480 --> 00:01:45,240
and prevent a successful exploitation from occurring.

48
00:01:45,240 --> 00:01:47,430
Without that trusted seal, the system knows

49
00:01:47,430 --> 00:01:49,320
it shouldn't trust this misleading direction

50
00:01:49,320 --> 00:01:52,350
and will treat it as suspicious or malicious in nature.

51
00:01:52,350 --> 00:01:55,110
However, DNSSEC, with all its robustness,

52
00:01:55,110 --> 00:01:57,660
doesn't actually encrypt any of your DNS data.

53
00:01:57,660 --> 00:02:00,210
So if anyone is listening on the network, they can still see

54
00:02:00,210 --> 00:02:01,920
where you're heading to on the internet,

55
00:02:01,920 --> 00:02:03,720
even if they can't tamper with the contents

56
00:02:03,720 --> 00:02:05,610
of that DNS packet.

57
00:02:05,610 --> 00:02:08,880
Second, we have DNS over HTTPS.

58
00:02:08,880 --> 00:02:12,780
Now, DNS over HTTPS, or DoH as it's abbreviated,

59
00:02:12,780 --> 00:02:14,310
is used to send our DNS queries

60
00:02:14,310 --> 00:02:17,400
through the HTTPS protocol, which is the same protocol

61
00:02:17,400 --> 00:02:18,840
that secures your data when you're entering

62
00:02:18,840 --> 00:02:21,060
sensitive information on a website.

63
00:02:21,060 --> 00:02:23,610
This not only encrypts the contents of your DNS queries,

64
00:02:23,610 --> 00:02:25,500
but it also blends it seamlessly with the rest

65
00:02:25,500 --> 00:02:28,140
of your HTTPS traffic to make it more difficult

66
00:02:28,140 --> 00:02:29,670
for eavesdroppers to single out

67
00:02:29,670 --> 00:02:32,340
and keep track of your DNS requests.

68
00:02:32,340 --> 00:02:34,980
Third, we have DNS over TLS.

69
00:02:34,980 --> 00:02:38,130
DNS over TLS, or DoT as it's abbreviated,

70
00:02:38,130 --> 00:02:40,440
takes a different approach to securing your DNS queries

71
00:02:40,440 --> 00:02:41,880
while they're in transit.

72
00:02:41,880 --> 00:02:43,440
Instead of sending our DNS traffic

73
00:02:43,440 --> 00:02:45,930
over an encrypted HTTPS connection,

74
00:02:45,930 --> 00:02:48,180
we're instead going to encapsulate our DNS traffic

75
00:02:48,180 --> 00:02:51,000
inside of a transport layer security tunnel.

76
00:02:51,000 --> 00:02:55,350
Like DNS over HTTPS, DNS over TLS will provide privacy

77
00:02:55,350 --> 00:02:56,610
for your DNS data

78
00:02:56,610 --> 00:02:59,010
because it's encrypted, so the attacker cannot eavesdrop

79
00:02:59,010 --> 00:03:01,590
on the conversation and determine what DNS records

80
00:03:01,590 --> 00:03:03,060
you've been querying.

81
00:03:03,060 --> 00:03:05,370
Now, both DNS over HTTPS

82
00:03:05,370 --> 00:03:08,100
and DNS over transport layer security tunnels

83
00:03:08,100 --> 00:03:11,370
address a critical issue in internet privacy by preventing

84
00:03:11,370 --> 00:03:14,250
what is known as DNS snooping, where the prying eyes

85
00:03:14,250 --> 00:03:16,410
of an attacker will monitor DNS queries

86
00:03:16,410 --> 00:03:18,990
to infer what websites a user is visiting.

87
00:03:18,990 --> 00:03:22,020
By encrypting these queries, DNS over HTTPS

88
00:03:22,020 --> 00:03:25,080
and DNS over TLS can ensure that your online activities

89
00:03:25,080 --> 00:03:27,480
are shielded from unwanted scrutiny.

90
00:03:27,480 --> 00:03:30,180
Securing DNS is not just about privacy, though,

91
00:03:30,180 --> 00:03:32,400
it's also about integrity and trust.

92
00:03:32,400 --> 00:03:34,620
By implementing DNSSEC, DoH,

93
00:03:34,620 --> 00:03:37,740
and DoT, we're not just securing a technical process,

94
00:03:37,740 --> 00:03:39,240
but we're actually safeguarding trust

95
00:03:39,240 --> 00:03:40,710
in the digital ecosystem

96
00:03:40,710 --> 00:03:42,840
to ensure that the invisible pathways that our data

97
00:03:42,840 --> 00:03:44,580
is going to lead us to are going to take us

98
00:03:44,580 --> 00:03:48,180
to the right destinations that are unspoiled and unscathed.

99
00:03:48,180 --> 00:03:50,940
In practice, adopting these technologies does involve

100
00:03:50,940 --> 00:03:53,340
a collaborative effort by various stakeholders.

101
00:03:53,340 --> 00:03:55,590
Website owners have to embrace DNSSEC

102
00:03:55,590 --> 00:03:58,200
to protect their domain names and internet service providers

103
00:03:58,200 --> 00:04:01,080
and organizations also need to consider supporting DoH

104
00:04:01,080 --> 00:04:03,990
and DoT by offering their users a secure pathway

105
00:04:03,990 --> 00:04:05,760
for their DNS queries.

106
00:04:05,760 --> 00:04:07,980
However, it's essential to navigate this road

107
00:04:07,980 --> 00:04:10,170
with an understanding of its nuances.

108
00:04:10,170 --> 00:04:13,230
For instance, while DoH offers exceptional privacy

109
00:04:13,230 --> 00:04:16,170
by blending DNS queries with regular web traffic,

110
00:04:16,170 --> 00:04:18,660
it also shifts the control of the DNS resolution

111
00:04:18,660 --> 00:04:19,800
from your local network,

112
00:04:19,800 --> 00:04:22,200
perhaps managed by your organization or ISP,

113
00:04:22,200 --> 00:04:25,860
over to a third-party DNS over HTTPS provider.

114
00:04:25,860 --> 00:04:28,200
This shift calls for a thoughtful balancing act

115
00:04:28,200 --> 00:04:29,700
between privacy, control

116
00:04:29,700 --> 00:04:31,560
and trust that requires each entity

117
00:04:31,560 --> 00:04:33,900
to carefully choose their partners in achieving this level

118
00:04:33,900 --> 00:04:35,280
of digital security.

119
00:04:35,280 --> 00:04:38,010
So remember, when it comes to securing DNS,

120
00:04:38,010 --> 00:04:39,840
you need to remember that we aren't just trying to protect

121
00:04:39,840 --> 00:04:42,000
our data, but we also need to preserve some trust

122
00:04:42,000 --> 00:04:45,180
and reliability for our networks and the internet at large.

123
00:04:45,180 --> 00:04:48,115
By understanding and implementing DNSSEC, DoH,

124
00:04:48,115 --> 00:04:51,090
and DoT, we're not just fortifying our digital defenses,

125
00:04:51,090 --> 00:04:53,790
we're actually nurturing a secure, trustworthy environment

126
00:04:53,790 --> 00:04:56,703
for the free flow of information, ideas, and innovation.