CISA IR Training - Preventing DNS Infrastructure Tampering (IR206)

Just attended Preventing DNS Infrastructure Tampering (IR206) offered by CISA. I talked about these in a previous post and would encourage those eligible to register.

In the course we were given:

• A quick rundown of what DNS is and how it works
• Introduced to Certificate Transparency Logs
• Talked about DNSSEC
• Learned about techniques to tamper with DNS
• Discussed mitigation strategies

We also had three labs consisting of setting up A records on a Windows DNS Server, exploring various DNS related Powershell commands, examining Certificate Transparency logs, and setting up DNS sinkholing.

Thoughts

This was a very useful class for someone coming with little to no prior knowledge of DNS or how it works. Personally, I was a little letdown by the labs though I’m not sure what labs would be useful for the material presented. The way the DNS sinkholing lab is setup doesn’t actually sinkhole anything. I think it was due to limitations in the lab environment.

I enjoyed the discussions of past incidents involving DNS tampering. I remember reading about the brazilian bank and MyEtherWallet DNS hijacking incidents. The bank one will always amaze me with how utterly complete the hijacking’s impact was on services.

For me at least, the rest of the information presented wasn’t something new to me. This is obviously due to my professional background in web development and servers. Still useful to attend these trainings though. You never know if you’ll learn something new or old that you weren’t aware of before.