DNS over HTTPS (DoH) and other encrypted DNS protocols like DNS over TLS (DoT) & DNS over QUIC (DoQ) enhances user privacy and security by encrypting DNS queries in transit, shielding them from eavesdropping, tampering, and censorship on untrusted networks. This prevents ISPs and local attackers from logging or manipulating ... Read More

In a default-deny world, where only verified sources and verified destinations are allowed, which require a successful policy-allowed DNS resolution, many modern threats are mitigated, and there’s demonstrable value in choosing this path, including being able to enforce “My network, my rules” approach to egress control. However, in this world ... Read More

Love them or hate them, defenders must handle with care Introduction I will never forget sourcing my first Swiss Army knife. It was the coolest thing I could possess in grade school. While I could only think of the cool things I could do with it, I was shocked that ... Read More

Why endpoint secure DNS adoption matters In a world where we have security options (this is 2025, after all), and yet we don’t bother accessing them, it’s like having vegetables and protein at the buffet but all we eat is the desert. No wonder we’re not doing as well as ... Read More

After this week’s attention to META and Yandex localhost abuses, it is time to revisit a core feature/option of protective DNS that offers a feel-good moment to those that applied this safety technique long before this abuse report came about. The in-depth report that triggered this is: Disclosure: Covert Web-to-App ... Read More

Encrypted Client Hello (ECH) has been in the news a lot lately. For some background and relevant and recent content, see: IETF Proposed Standard Cloudflare Blog from 2023 announcing ECH support RSA 2025 talk: ECH: Hello to Enhanced Privacy or Goodbye to Visibility? Corrata White Paper “Living with ECH” Security ... Read More

From time to time this discussion comes up in support and in various forums over the years. I wanted to have a simple article for this to be easily understood. What problem does hairpin NAT and/or split-DNS solve? Whenever we host content on our internal network that is publicly accessible ... Read More

First, a little history When I zoom out on our timeline, I can so clearly recall when the day came that we had the facility to connect computers to each other, operate in a network, and no longer operate as individual standalone hosts that relied on some sort of tape ... Read More

What is DNS Server Pinning? Who needs yet another description of how to use DNS with best practices at a network level? Say no more, we’re adding to the dictionary, albeit not nearly as proliferously as Mr. William Shakespeare. Imagine if he was alive today in the world of cyber! ... Read More

Brian Krebs published this very detailed article today: krebsonsecurity.com Infrastructure Laundering: Blending in with the Cloud – Krebs on Security In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major ... Read More