Big thank you to Infoblox for sponsoring this video.  To learn more about Infoblox please visit:  https://www.infoblox.com/ 

Do you know the difference between encrypted DNS and secure DNS? DNS veteran Cricket Liu, author of DNS and Bind, joins David Bombal to break down common misconceptions, explain the crucial distinction between security and privacy; and outline a massive update to the NIST Secure DNS Deployment Guide (SP 800-81). If you run a network, you cannot afford to ignore this control point.

Detailed Breakdown: 
DNS is the Achilles' heel of internet infrastructure. While newer protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT) solve the cleartext privacy problem, they do not stop malware, phishing, or data exfiltration. In fact, attackers are now using encrypted DNS against us.

In this deep-dive interview, Cricket Liu explains how DNS security must evolve beyond simple encryption to include Protective DNS (PDNS) using Response Policy Zones (RPZ). Learn how to turn your existing DNS infrastructure into a low-cost, high-efficiency control point that blocks malicious C2 rendezvous, phishing links, and DNS tunneling automatically.

We also tackle the DNSSEC confusion head-on. Cricket clarifies exactly why DNSSEC is about validation and integrity, not encryption, and discusses the looming threat of quantum computing on modern cryptographic standards. Finally, we discuss real-world attack vectors, including a wild story about a dangling CNAME record on CDC.gov that was hijacked to game search engine rankings, and how the updated NIST guide shifts focus from just network administrators to security practitioners.

// Links to documents //
NIST SP 800-81: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81r3.ipd.pdf
Inflox Q&A on  NIST SP 800-81: 
https://www.infoblox.com/blog/security/what-is-nist-sp-800-81-a-complete-faq-on-the-latest-draft-of-nist-secure-dns-deployment-guide/

// Cricket Liu’s SOCIAL // 
LinkedIn:  https://www.linkedin.com/in/cricketliu/ 

// Renee Burton’s SOCIAL // 
LinkedIn:  https://www.linkedin.com/in/ren%C3%A9e-burton-b7161110b/ 
Blog Posts:  https://www.infoblox.com/blog/author/renee-burton/ 

// Infoblox SOCIAL // 
LinkedIn:  https://www.linkedin.com/company/infoblox/ 
Website:  https://www.infoblox.com/ 

// Books by Cricket // 
DNS on Windows Server 2003: Mastering the Domain Name 
US:  https://amzn.to/4byNAtQ 
UK: https://amzn.to/4rjqgoz 
DNS & BIND Cookbook: Solutions & Examples for System Administrators 1st Edition 
US:  https://amzn.to/40iZPob 
UK: https://amzn.to/3Nk2MBM 
DNS and BIND on IPv6: DNS for the Next-Generation Internet 1st Edition 
US: https://amzn.to/3MXly1Y 
UK:  https://amzn.to/4s2SFRe 
Learning CoreDNS: Configuring DNS for Cloud Native Environments 1st Edition 
US: https://amzn.to/4sC4GwS 
UK: https://amzn.to/4ro0T59 
DNS & Bind 4th Edition: 
US:   https://amzn.to/4s8WaWm 
UK:  https://amzn.to/4sztLbB 

// Website REFERENCE // 
Nist:  https://www.nist.gov/ 

Secure Domain Name System Deployment Guide:  https://www.nist.gov/news-events/news/2025/04/secure-domain-name-system-dns-deployment-guide-comment-nist-sp-800-81r3 

// David's SOCIAL //  
Discord: https://discord.com/invite/usKSyzb  
X: https://www.twitter.com/davidbombal  
Instagram: https://www.instagram.com/davidbombal  
LinkedIn: https://www.linkedin.com/in/davidbombal  
Facebook: https://www.facebook.com/davidbombal.co  
TikTok: http://tiktok.com/@davidbombal  
YouTube: https://www.youtube.com/@davidbombal 
Spotify:  https://open.spotify.com/show/3f6k6gERfuriI96efWWLQQ 
SoundCloud:  https://soundcloud.com/davidbombal 
Apple Podcast:  https://podcasts.apple.com/us/podcast/david-bombal/id1466865532 

// MY STUFF // 
https://www.amazon.com/shop/davidbombal  

// SPONSORS //  
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com 

// MENU // 
0:00 - Coming up 
01:19 - Sponsored video disclaimer 
01:45 - Cricket Liu books and introduction 
07:06 - The problems of DNS 
10:33 - DNS security 
13:51 - How protective DNS works 
16:26 - The DNS Deployment Guide by NIST 
22:00 - How protective DNS stops malware and malicious sites 
23:48 - Pros and Cons of encrypted DNS 
32:29 - Quantum computing and DNS 
33:47 - DNS Sec is not encryption 
36:18 - Validating data 
40:04 - Protecting DNS 
49:21 - Lessons learned // Story time 
52:54 - Why the DNS Deployment Guide matters 
55:30 - Top 3 things to protect your organization/business from cyber attacks 
56:56 - Conclusion 

Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!  

Disclaimer: This video is for educational purposes only. 
#dns #dnssec #cybersecurity

David Bombal

An in-depth interview with Cricket Liu, co-author of NIST Special Publication 800-81 (Secure DNS Deployment Guide), covering the full spectrum of DNS security. Key topics include: the difference between encrypted DNS (DoT, DoH, DoQ) and DNSSEC, protective DNS using Response Policy Zones (RPZ) to block malware C2 and phishing domains, DNS infrastructure hardening against DDoS amplification attacks, DNS hygiene issues like dangling CNAME records (illustrated by a real CDC.gov subdomain hijack), typosquatting and homograph attacks, and quantum computing implications for DNS cryptography. The top three recommendations are: implement protective DNS, secure your DNS infrastructure, and prepare for encrypted DNS adoption.

The one BIG mistake you are making with DNS security today