Chapter 7
Securing Your DNS Infrastructure
IN THIS CHAPTER
Understanding how DNSSEC can protect your DNS services
Examining DANE and how it complements DNSSEC
Securing DNS with HTTPS
Domain Name System (DNS) is a requirement of Active Directory and is what makes networks easier to work with. With DNS, you don’t have to remember IP addresses — you can just remember simple names instead. Imagine, though, that a criminal was able to make your systems believe that their DNS server was your DNS server. You and your users could be redirected to a malicious site.
In this chapter, you learn how to secure your DNS infrastructure using DNS Security Extensions (DNSSEC) and DNS-based Authentication of Named Entities (DANE).
Understanding DNSSEC
DNSSEC was designed to prevent attackers from hijacking the DNS lookup process and to protect users from being given the addresses of malicious servers. DNSSEC signs zones and records, which allows the endpoint that made the query to validate whether a DNS record is genuine or whether it's redirecting to an invalid and potentially malicious location instead (DNS cache poisoning).
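To see what that signing looks like from a client, here is an added example that is not from the book: the function asks a resolver for a name with the DNSSEC OK bit set and reports the RRSIG signatures that come back. Test-DnssecSigned is a hypothetical helper name and example.com is only a sample zone; Resolve-DnsName and its -DnssecOk switch belong to the built-in DnsClient module.

```powershell
# Added example. Test-DnssecSigned is a hypothetical helper, not a built-in cmdlet.
function Test-DnssecSigned {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Type = 'A',
        [string]$Server,              # optional; the system resolver is used when omitted
        [int]$WarnDays = 7            # flag signatures that expire within this many days
    )

    # -DnssecOk sets the DO bit so the server includes RRSIG records in its answer.
    $query = @{ Name = $Name; Type = $Type; DnssecOk = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }

    try {
        $records = @(Resolve-DnsName @query)
    }
    catch {
        # A validating resolver refuses to return data that fails validation,
        # so a failed lookup is reported instead of being treated as "unsigned".
        return [pscustomobject]@{
            Name = $Name; Signed = $false; Signer = $null
            Expires = $null; Status = "Lookup failed: $($_.Exception.Message)"
        }
    }

    # Keep only the signatures that cover the record type that was asked for.
    $sigs = @($records | Where-Object {
        $_.QueryType -eq 'RRSIG' -and "$($_.TypeCovered)" -eq $Type
    })

    if ($sigs.Count -eq 0) {
        return [pscustomobject]@{
            Name = $Name; Signed = $false; Signer = $null
            Expires = $null; Status = 'No RRSIG returned (zone unsigned, or resolver strips DNSSEC data)'
        }
    }

    # The earliest expiry matters most: an expired signature makes the record fail validation.
    $soonest = ($sigs | Sort-Object Expiration | Select-Object -First 1)
    $status  = if ($soonest.Expiration -lt (Get-Date).AddDays($WarnDays)) { 'Signature expires soon' } else { 'OK' }

    [pscustomobject]@{
        Name = $Name; Signed = $true; Signer = $soonest.Signer
        Expires = $soonest.Expiration; Status = $status
    }
}

# Sample run against a sample zone name.
'example.com' | ForEach-Object { Test-DnssecSigned -Name $_ } | Format-Table -AutoSize
```

Seeing RRSIG records shows that the zone is signed, not that the answer was validated: Resolve-DnsName does not verify signatures itself, so validation still depends on the resolver the client uses.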
By digitally signing the root zone in your DNS infrastructure, you can give ...