#560: The one BIG mistake you are making with DNS security today

Mar 18, 2026

Cricket Liu, longtime DNS expert and author of DNS and BIND, explains why DNS remains the internet’s weakest link. He contrasts encrypted DNS with protective DNS, outlines RPZ defenses, clarifies DNSSEC’s role as validation not encryption, and warns how encrypted DNS can be abused for exfiltration. He also highlights NIST SP 800-81 updates and practical hardening steps for real-world networks.

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

ADVICE

Use RPZ To Block Malicious Domains

Do deploy Protective DNS (PDNS) using Response Policy Zones to block known-malicious domains at the DNS layer.
RPZ lets you subscribe to threat feeds and return NXDOMAIN or a blocking IP to stop C2, phishing, and DNS tunneling.

ADVICE

Subscribe To RPZ Feeds For Timely Protection

Do subscribe to RPZ threat feeds from trusted providers and configure your DNS servers as secondaries to automatically receive updates.
RPZ uses DNS zone transfer/notify so even very large feeds can be distributed incrementally to maintain timeliness.

INSIGHT

Encrypted DNS Creates Visibility Tradeoffs

Encrypted DNS can reduce enterprise visibility and break internal monitoring tools if clients bypass internal resolvers.
Allowing client DoH/DoT to external resolvers hides queries from IDS/IPS and hampers troubleshooting.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Big thank you to Infoblox for sponsoring this video. To learn more about Infoblox please visit: https://www.infoblox.com/ Do you know the difference between encrypted DNS and secure DNS? DNS veteran Cricket Liu, author of DNS and Bind, joins David Bombal to break down common misconceptions, explain the crucial distinction between security and privacy; and outline a massive update to the NIST Secure DNS Deployment Guide (SP 800-81). If you run a network, you cannot afford to ignore this control point. Detailed Breakdown: DNS is the Achilles' heel of internet infrastructure. While newer protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT) solve the cleartext privacy problem, they do not stop malware, phishing, or data exfiltration. In fact, attackers are now using encrypted DNS against us. In this deep-dive interview, Cricket Liu explains how DNS security must evolve beyond simple encryption to include Protective DNS (PDNS) using Response Policy Zones (RPZ). Learn how to turn your existing DNS infrastructure into a low-cost, high-efficiency control point that blocks malicious C2 rendezvous, phishing links, and DNS tunneling automatically. We also tackle the DNSSEC confusion head-on. Cricket clarifies exactly why DNSSEC is about validation and integrity, not encryption, and discusses the looming threat of quantum computing on modern cryptographic standards. Finally, we discuss real-world attack vectors, including a wild story about a dangling CNAME record on CDC.gov that was hijacked to game search engine rankings, and how the updated NIST guide shifts focus from just network administrators to security practitioners. // Links to documents // NIST SP 800-81: https://nvlpubs.nist.gov/nistpubs/Spe... Inflox Q&A on NIST SP 800-81: https://www.infoblox.com/blog/securit... // Cricket Liu’s SOCIAL // LinkedIn: / cricketliu // Renee Burton’s SOCIAL // LinkedIn: / ren%c3%a9e-burton-b7161110b Blog Posts: https://www.infoblox.com/blog/author/... // Infoblox SOCIAL // LinkedIn: / infoblox Website: https://www.infoblox.com/ // Books by Cricket // DNS on Windows Server 2003: Mastering the Domain Name US: https://amzn.to/4byNAtQ UK: https://amzn.to/4rjqgoz DNS & BIND Cookbook: Solutions & Examples for System Administrators 1st Edition US: https://amzn.to/40iZPob UK: https://amzn.to/3Nk2MBM DNS and BIND on IPv6: DNS for the Next-Generation Internet 1st Edition US: https://amzn.to/3MXly1Y UK: https://amzn.to/4s2SFRe Learning CoreDNS: Configuring DNS for Cloud Native Environments 1st Edition US: https://amzn.to/4sC4GwS UK: https://amzn.to/4ro0T59 DNS & Bind 4th Edition: US: https://amzn.to/4s8WaWm UK: https://amzn.to/4sztLbB // Website REFERENCE // Nist: https://www.nist.gov/ Secure Domain Name System Deployment Guide: https://www.nist.gov/news-events/news... // David's SOCIAL // Discord: discord.com/invite/usKSyzb Twitter: www.twitter.com/davidbombal Instagram: www.instagram.com/davidbombal LinkedIn: www.linkedin.com/in/davidbombal Facebook: www.facebook.com/davidbombal.co TikTok: tiktok.com/@davidbombal YouTube: / @davidbombal Spotify: open.spotify.com/show/3f6k6gE... SoundCloud: / davidbombal Apple Podcast: podcasts.apple.com/us/podcast... // MY STUFF // https://www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! Disclaimer: This video is for educational purposes only. #dns #dnssec #cybersecurity