Listen to this Post
In January 2019, the Cybersecurity and Infrastructure Security Agency issued their first-ever Emergency Directive following widespread DNS cyberattacks on Federal Agencies. M-19-01 was solely focused on DNS Manipulation and Abuse. In 2020, Microsoft issued CVE-2020-1350 (SIGRed), which carried a CVSS of 10. SIGRed was a long-term DNS exploit. In 2016, the Mirai Botnet DDoS/DNS attack took out large swathes of the Internet and global companies. In 2022, the White House and the EU Commission, within days of the Cyberwars upon Ukraine, issued separate papers on DNS, citing it over 1000 times. Let us not forget the SolarWinds DNS attack that surfaced in December 2020. Yet, CISSP barely mentions DNS – and hasn’t done so since inception, no more than Academia does and all manner of Cyber Certifications.
It is little wonder many highly qualified, and certified, often 30-year plus Cyber Security experts DO NOT know and confide in me they’ve learnt more about these critical areas from me, than their years of continuous learning. It is no wonder these critical and continually exploited areas are overlooked and ignored. Cyber Certificates and Academia fail – shockingly, by design, to teach them. You cannot secure or defend what you do not know about, and that is just how it’s intended to be and to enable cyberattacks, cyberwar, and citizens’ dependency.
Stuxnet was sophisticated, of that there is little doubt, ‘common or garden’ cyberattacks that exploit DNS and PKI errors are not. They are basic security failings that are glossed over at best or not even included in today’s certifications.
You Should Know:
1. DNS Security Best Practices:
- Implement DNSSEC (Domain Name System Security Extensions) to protect against DNS spoofing.
- Regularly update and patch DNS servers to protect against vulnerabilities like SIGRed.
- Monitor DNS traffic for unusual patterns that could indicate a DNS attack.
2. PKI Security Best Practices:
- Regularly rotate and manage cryptographic keys.
- Implement strong access controls to protect private keys.
- Use Hardware Security Modules (HSMs) to securely store keys.
3. Linux Commands for DNS and PKI:
- Check DNS Records: Use `dig` or `nslookup` to query DNS records.
dig example.com nslookup example.com
- DNSSEC Validation: Use `dig` to check DNSSEC validation.
dig example.com +dnssec
- Check SSL/TLS Certificates: Use `openssl` to check the validity of SSL/TLS certificates.
openssl s_client -connect example.com:443 -showcerts
4. Windows Commands for DNS and PKI:
- Check DNS Records: Use `nslookup` to query DNS records.
nslookup example.com
- Check SSL/TLS Certificates: Use `certutil` to check the validity of SSL/TLS certificates.
certutil -url example.com
5. Monitoring and Logging:
- Use tools like `tcpdump` or `Wireshark` to capture and analyze DNS traffic.
- Implement centralized logging using tools like `Syslog` or `ELK Stack` to monitor DNS and PKI-related events.
6. Incident Response:
- Develop and regularly update an incident response plan that includes DNS and PKI-related incidents.
- Conduct regular drills to ensure your team is prepared to respond to DNS and PKI attacks.
What Undercode Say:
The importance of DNS and PKI in cybersecurity cannot be overstated. Despite their critical role in the security infrastructure, they are often overlooked in certifications like CISSP. To truly secure your organization, you must go beyond certifications and continuously educate yourself on these vital areas. Implement best practices, use the right tools, and stay vigilant against emerging threats. Cybersecurity is not just about having the right certifications; it’s about having the right knowledge and skills to protect your organization.
Expected Output:
- Implement DNSSEC and regularly update DNS servers.
- Use `dig` and `nslookup` for DNS queries.
- Use `openssl` and `certutil` to check SSL/TLS certificates.
- Monitor DNS traffic with tools like `tcpdump` and
Wireshark. - Develop and regularly update an incident response plan.
References:
Reported By: Andy Jenkinson – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅



