Overview
Explore the use of DNS in enterprise incident response, covering collection, analysis, and response, in this 47-minute conference talk from DerbyCon 2016. Delve into critical data choices, border collection methods, and logging techniques including query resolution and protocol interpretation. Learn about rich myths, histogram preparation, isolation tunneling, and domain analysis. Discover where DNS queries should be rare, understand DNS tunneling and TXT records, and examine false positives, prefetch responses, and DNSSEC. Gain insights into RPZ (Response Policy Zones) and their implementation in incident response strategies.
Syllabus
Introduction
What is Coinbase
Data is critical
Three critical choices
Collect at your border
Query Resolution Logging
Protocol Interpretation Logging
Standalone DNS Logging
Rich Myths
Preparing
Histogram
Isolation tunneling
Domains
Where should be rare
DNS Tunnel
TXT Records
False Positives
Prefetch
Response
RPZ
DNSSEC
Go RPZ