In Episode 20 of The Defender’s Log, host David Redekop sits down with Amsterdam-based tech veteran Chris Buijs to discuss the often-overlooked backbone of internet security: DNS (Domain Name System).
The “Set-it-and-Forget-it” Trap
Buijs, who transitioned from an electrician to a network architect, notes that many organizations treat DNS as a “utility” rather than a security asset. Because services like Microsoft Active Directory include DNS by default, IT teams often adopt a passive, “next-next-finish” mentality.
“It’s the protocol with the most RFCs because we’re constantly building security and encryption on top of it,” Buijs explains. “But if DNS goes down, everything goes down. No IP, no business.”
Breaking Down Silos
A major hurdle in modern security is the disconnect between departments. In large enterprises, the Networking, Security, and DNS teams often operate in isolation. Buijs argues that for a true Zero Trust posture, DNS must be integrated into the core security architecture, not managed as a lonely outlier.
Key Takeaways for Defenders:
- Visibility is King: You cannot protect what you don’t measure. Turn on query logging and use DNS logs to identify shadow IT, scanner reconnaissance and malicious behavior.
- Automate with Intent: While CI/CD and DevOps speed up deployment, they often create security gaps if DNS isn’t part of the automated template.
- The 5-Minute Rule: Scanners like Shodan and Censys find a newly exposed public IP within minutes; in the episode, the first query to a freshly stood-up server was for direct.shodan.io, followed by version.bind CHAOS probes. If your DNS isn’t hardened before it goes live (recursion limited to your own clients, version strings hidden, zone transfers and dynamic updates restricted and authenticated with TSIG), you’re already exposed.
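The "visibility" takeaway above is where a defender actually starts. As an added example (not code from the episode or from ADAMnetworks), here is a small Python triage of BIND 9 query-log lines: it flags version.bind and hostname.bind CHAOS probes of the kind described in the conversation, queries for SaaS domains outside an assumed policy list (shadow IT), and a client generating many high-entropy subdomains under one parent domain (the pattern of DNS tunnelling or DGA traffic). The log lines, the policy list and the thresholds are constructed for illustration; the regular expression follows the BIND 9 query-log line format.

```python
"""Triage BIND 9 query-log lines for recon probes, shadow IT and tunnelling signs."""
import re
from collections import defaultdict
from math import log2

# Constructed sample lines in BIND 9 query-log format (not real traffic).
SAMPLE_LOG = """\
19-Jan-2025 10:01:02.101 client @0x7f1 10.0.0.5#51234 (intranet.example.com): query: intranet.example.com IN A +E(0)K (192.0.2.1)
19-Jan-2025 10:01:03.220 client @0x7f2 10.0.0.7#40211 (api.dropbox.com): query: api.dropbox.com IN A +E(0)K (192.0.2.1)
19-Jan-2025 10:01:04.005 client @0x7f3 198.51.100.23#55555 (version.bind): query: version.bind CH TXT + (192.0.2.1)
19-Jan-2025 10:01:04.900 resolver priming query complete
19-Jan-2025 10:01:05.010 client @0x7f4 10.0.0.9#41000 (0123456789abcdef0123.t.example.net): query: 0123456789abcdef0123.t.example.net IN TXT +E(0)K (192.0.2.1)
19-Jan-2025 10:01:05.020 client @0x7f4 10.0.0.9#41000 (fedcba9876543210fedc.t.example.net): query: fedcba9876543210fedc.t.example.net IN TXT +E(0)K (192.0.2.1)
19-Jan-2025 10:01:05.030 client @0x7f4 10.0.0.9#41000 (13579bdf02468ace1357.t.example.net): query: 13579bdf02468ace1357.t.example.net IN TXT +E(0)K (192.0.2.1)
19-Jan-2025 10:01:05.040 client @0x7f4 10.0.0.9#41000 (02468ace13579bdf0246.t.example.net): query: 02468ace13579bdf0246.t.example.net IN TXT +E(0)K (192.0.2.1)
"""

# Assumed local policy (not from the episode): adjust to your environment.
RECON_NAMES = {"version.bind", "hostname.bind", "id.server", "version.server"}
UNAPPROVED_SAAS = {"dropbox.com", "wetransfer.com"}
TUNNEL_MIN_DISTINCT = 4      # distinct leftmost labels under one parent, per client
TUNNEL_MIN_ENTROPY = 3.0     # mean Shannon entropy (bits per character) of those labels

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_line(line):
    """Return {client, qname, qclass, qtype} for a query line, or None for other lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["qname"] = q["qname"].rstrip(".").lower()
    return q


def shannon_entropy(s):
    """Bits of entropy per character of a label; 0.0 for an empty string."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * log2(c / n) for c in counts.values()) if n else 0.0


def under_domain(qname, domain):
    return qname == domain or qname.endswith("." + domain)


def triage(log_text):
    """Return a list of findings, each {kind, client, detail}."""
    findings = []
    labels_per_parent = defaultdict(set)   # (client, parent) -> leftmost labels seen
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        # 1. Server fingerprinting: CHAOS-class TXT probes for version/hostname.
        if q["qclass"] == "CH" and q["qname"] in RECON_NAMES:
            findings.append({"kind": "recon", "client": q["client"], "detail": q["qname"]})
        # 2. Shadow IT: a client resolving a SaaS domain outside policy.
        for dom in UNAPPROVED_SAAS:
            if under_domain(q["qname"], dom):
                findings.append({"kind": "shadow_it", "client": q["client"], "detail": dom})
        # 3. Collect subdomain churn per client and parent (naive parent = last two
        #    labels, no public-suffix list) for the tunnelling/DGA check below.
        labels = q["qname"].split(".")
        if len(labels) >= 3:
            labels_per_parent[(q["client"], ".".join(labels[-2:]))].add(labels[0])
    for (client, parent), labels in labels_per_parent.items():
        if len(labels) >= TUNNEL_MIN_DISTINCT:
            mean_h = sum(shannon_entropy(l) for l in labels) / len(labels)
            if mean_h >= TUNNEL_MIN_ENTROPY:
                findings.append({"kind": "tunnel", "client": client,
                                 "detail": f"{parent}: {len(labels)} labels, entropy {mean_h:.2f}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:10} {f['client']:15} {f['detail']}")
```

Run it against your own `named` query log (or the equivalent export from a cloud resolver) instead of `SAMPLE_LOG`; the three checks are deliberately independent so you can drop in a real public-suffix list or a per-client baseline without touching the parser.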
As the industry moves toward DevSecOps, DNS remains the first and last line of defense. Don’t let it be an afterthought.
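TSIG (RFC 8945) is the mechanism behind the "hardened" takeaway: it authenticates zone transfers and dynamic updates with a shared HMAC key, so a scanner that finds your server cannot pull the zone or push records. As an added example, not code from the episode or from any product it mentions, here is a pure-Python TSIG signer and verifier for HMAC-SHA256: it builds an unsigned AXFR request, appends the TSIG record, and verifies it the way a server would, rejecting an unknown key, a forged signature and a stale timestamp in the order the RFC prescribes (BADKEY, BADSIG, BADTIME). The key name `transfer-key.example.com.`, the secret and the message are constructed; the verifier assumes the TSIG record's NAME and algorithm fields are not compressed, which is how signers emit them.

```python
"""TSIG (RFC 8945, HMAC-SHA256) signing and verification of DNS messages in pure Python."""
import hashlib
import hmac
import struct
import time

TSIG_TYPE, CLASS_ANY, CLASS_IN, TYPE_AXFR = 250, 255, 1, 252
ALG = "hmac-sha256."


def encode_name(name):
    """Uncompressed, lowercase (canonical) wire form of a domain name."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split(".") if l)
    return out + b"\x00"


def build_query(qname, qtype, msg_id):
    """Minimal DNS query: 12-byte header plus one question, no EDNS."""
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN))


def _mac(secret, msg, key_name, time_signed, fudge, error=0, other=b""):
    """HMAC over the unsigned message followed by the TSIG variables (RFC 8945 4.3.3)."""
    tsig_vars = (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)   # NAME, CLASS, TTL
                 + encode_name(ALG) + time_signed.to_bytes(6, "big")       # algorithm, time signed
                 + struct.pack("!HHH", fudge, error, len(other)) + other)  # fudge, error, other data
    return hmac.new(secret, msg + tsig_vars, hashlib.sha256).digest()


def sign(msg, key_name, secret, time_signed=None, fudge=300):
    """Append a TSIG RR to an unsigned message and increment ARCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = _mac(secret, msg, key_name, time_signed, fudge)
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(ALG) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))           # original ID, error, other len
    rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def _skip_name(buf, off):
    """Skip a possibly compressed name; return the offset just after it."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                       # compression pointer ends the name
            return off + 2
        off += 1 + n


def _read_name(buf, off):
    """Read an uncompressed name (assumed for the TSIG NAME and algorithm fields)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def verify(signed, keys, now=None):
    """Check the trailing TSIG RR. `keys` maps key name -> secret. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    keys = {k.rstrip(".").lower() + ".": v for k, v in keys.items()}
    try:
        _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
        if ar == 0:
            return False, "no TSIG record"
        off = 12
        for _ in range(qd):
            off = _skip_name(signed, off) + 4
        for _ in range(an + ns + ar - 1):           # walk every RR before the TSIG
            off = _skip_name(signed, off)
            off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
        tsig_start = off
        key_name, off = _read_name(signed, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        off += 10
        if rtype != TSIG_TYPE or rclass != CLASS_ANY or off + rdlen != len(signed):
            return False, "TSIG record missing, not last, or malformed"
        alg, off = _read_name(signed, off)
        time_signed = int.from_bytes(signed[off:off + 6], "big")
        fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
        mac = signed[off + 10:off + 10 + mac_size]
        off += 10 + mac_size
        original_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
        other = signed[off + 6:off + 6 + other_len]
    except (struct.error, IndexError):
        return False, "truncated message"
    if alg.lower() != ALG or key_name.lower() not in keys:
        return False, "unknown key or algorithm"           # RFC 8945: BADKEY
    # Rebuild the message as it was signed: original ID restored, ARCOUNT-1, TSIG RR removed.
    unsigned = struct.pack("!HHHHHH", original_id, flags, qd, an, ns, ar - 1) + signed[12:tsig_start]
    expected = _mac(keys[key_name.lower()], unsigned, key_name, time_signed, fudge, error, other)
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"                       # BADSIG
    if abs(now - time_signed) > fudge:
        return False, "outside time window"                 # BADTIME
    return True, "ok"


if __name__ == "__main__":
    key = b"0123456789abcdef0123456789abcdef"               # constructed demo secret
    axfr = sign(build_query("example.com.", TYPE_AXFR, 0x1234), "transfer-key.example.com.", key)
    print(verify(axfr, {"transfer-key.example.com.": key}))
    print(verify(axfr, {"transfer-key.example.com.": b"wrong-secret"}))
```

Two details matter operationally: the verifier digests the message with the Original ID from the TSIG record rather than the header ID, so a forwarder that rewrites IDs does not break the signature, and the timestamp is checked only after the MAC, so an attacker cannot learn anything about the key from a BADTIME response to a forged message.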
Full episode of The Defender’s Log here:
Why DNS Is Your First Line of Cyber Defense | Chris Buijs | Defender’s Log
TL;DR
- Critical Infrastructure: If DNS fails, business stops; yet it’s often ignored as a “set-it-and-forget-it” utility.
- Siloed Teams: Disconnects between Networking, Security, and DNS teams create massive defensive gaps.
- Default Vulnerability: Standard “out-of-the-box” setups (like Active Directory) lack visibility and hardening.
- Automation Gaps: Modern CI/CD often neglects DNS architecture in favor of deployment speed.
- Instant Exposure: Scanners (Shodan/Censys) find new IPs in minutes; unhardened DNS is an immediate target.
- Protocol Abuse: DNS and NTP remain top vectors for amplification and DDoS attacks.
- Shrinking Expertise: Deep protocol knowledge is being replaced by “black box” cloud defaults.
- The Goal: Integrate DNS as your first and last line of defense.
Links
View it on YouTube: https://www.youtube.com/watch?v=O1j4eY-blfM
Listen to the episode on your favourite podcast platform:
Spotify
https://open.spotify.com/episode/3l5QcgJeiDks4StxVHT1bA
ADAMnetworks
https://adamnet.works
Full Transcript: The Defender’s Log - Episode 020
Why DNS Is Your First Line of Cyber Defense
Intro: Deep in the digital shadows where threats hide behind any random byte. A fearless crew of cybersecurity warriors guards the line between chaos and order their epic battles rarely spoken of until today. Welcome to the Defender’s Log, where we crack open the secrets of top security chiefs, CISOs, and Architects who faced the abyss and won. Here’s your host, David Redekop.
David Redekop: Welcome back to The Defender’s Log. This is episode 20 and I’m really glad to have Chris Buijs with me today. Chris, welcome.
Chris Buijs: Thank you. Thank you for having me.
David Redekop: Did I pronounce your name properly?
Chris Buijs: “Boughs”. No, don’t worry about it. Everybody gets it wrong. Buijs.
David Redekop: You know, in Dale Carnegie training that I went through a number of times, a number of years ago, there was one particular episode, episode we call it, no, we call it a session. And in that session, it was about the importance of a name. It is literally the sweetest sound to your ear, having your own name. And so ever since then, it’s been important to me to at least attempt to pronounce the name correctly, so.
Chris Buijs: The effort is appreciated.
David Redekop: Yeah. Yes. And what does the number 20 mean to you? Anything at all?
Chris Buijs: 20. Yeah, I live in Amsterdam and 20 is the area number, the area phone number. So if you do some local services, like a website or stuff like that it’s common to say Company 20 or Company zero 20. We identify with the local Amsterdam vibe, if you like.
David Redekop: Amsterdam really in so many ways, is such a hub for tech, especially cyber tech. And I’ve noticed this, that if you were to tell me, or if you were to quiz me and say, what percentage of the web when it comes to technical internet engineering kind of discussions happens in what language? I would say English is number one and Dutch is probably close to number two. Would that seem to make sense?
Chris Buijs: Here in Amsterdam, you mean? No, it’s mostly English, I would say in the tech scene.
David Redekop: Right, absolutely. It is mostly English and in fact, I find that my Dutch friends are very often more competent in English than many Canadians and Americans are.
Chris Buijs: No, you hear it a lot and that’s why it’s also the #1 expat spot in Europe, I would say, not by numbers, but by viability, I would say. But English is very, very common because we do a lot of technology here and innovation. But it’s mostly the written sort of it instead of the selling of it, I would say, if that makes any sense. So we do lots of innovation on standardizations, protocols, all kinds of tech. You know, how to do it, how to figure it out, you know, breaking it in and then giving it to someone to make it or operate it. So all those manuals need to be in English. Otherwise, you know, it would not work. And we’ve been an import-export country for hundreds of years. So English was, you know, the way to conquer the Brits, right? And go to America, you know, we have lots of history there as well.
David Redekop: There is fascinating history and there’s a lot of details in written history or oral history at the time about what the Dutch represented to the British. And it wasn’t flattering, it was not positive at all. And the height and the blonde hair color was, you know, kind of used against the Dutch. That which stood out. Yeah, it’s almost comical looking back at it now. But, no, we’re definitely very grateful for all the Dutch contribution to making the internet a better place. Chris, you and I met online and through various online resources. All people DNS eventually connect with each other, right?
Chris Buijs: Oh, yeah. No, no. It’s a very small community if you think about it worldwide. We all know each other at one point of time, and if you don’t know someone, you’ll get introduced very quickly like we did as well. It’s fascinating stuff. DNS is fascinating and you need to have a knack for it, I think. And I think all the people I meet that stay in contact, they all have knack or is crazy or insane. It’s close to insanity, I would say, but it’s true. Yeah. You meet so much nice people and they are not many, but if you meet them, they are all great, somehow it’s a good club of people.
David Redekop: Yes. And it’s not a space that ever stands still. You would think that at some point we would reach a level of stability, a level of maturity, a level of, you know, steady state. And that we have yet to arrive at that because every single time there is a new dynamic in terms of how internet security develops. DNS necessarily needs to keep up, and yet we can’t break anything from the past, right? So there is this ongoing effort of keeping up with the new without breaking the past, and kind of gives an appreciation for, you know, what Microsoft does, you know. Let’s give credit where credit is due, that if you’re going to have a long living protocol or long living operating system, long living anything, and there’s a dynamic that requires you to keep up but not break anything. Over time, that does get complex. And so that’s where we are today.
Chris Buijs: Oh yeah. It’s a bolt-on protocol. And, you know, it is the protocol with the most RFCs or anything with the most RFCs anyway, because we’re building on all kinds of security features and encryption and all kinds of whatever because it’s important. So we stay moving in the direction of making it better, safer, faster, you know, whatever it is, right? So, yeah.
David Redekop: Right. When we first started writing our own resolver, it was like, “How many of these RFCs do we want to be compliant with?” And the list just kept on growing and growing and growing. Chris, I would be very interested for us and our audience to hear your origin story. What was your childhood like that led you down the path of being interested in technology in general?
Chris Buijs: I think it was around the time period where you had the Commodores and the Ataris and all the British boxes out there. That got me in because school started doing it as well. So I got introduced via school and via buddies, basically, and started programming because that’s what you did. Because you could not buy at the corner shop some software or game or whatever. So you wrote it yourself. So programming was really a thing that you did, at that time for educational purposes but also, you know, at home as a hobby. So that got me in touch with technology, I would say, at an early age. And then later on, I kind of went into the electrical engineering role, not because of it, but there’s kind of a connecting story there to become an electrician. And one of my first jobs was, you know, pulling cables and rolls and all this kind of good stuff. And that was in the era that network cabling became a thing, you know, offices needed network cables to run Token Ring in that era of ATM. So I was the guy that was pulling those cables and saw all these blinking lights in the closets and all this kind of stuff, and I said, that’s cool. So I started doing more and more. And when you get in touch with those people that need your cables, if you can say it like this, they’re gonna tell you a little bit of this, a little bit of that. And I found that highly interesting. So I left electrician behind and went on some courses for, you know, ICT as they call it, I think they still call it like this, or IT, or whatever they call it, you know, but networking, basically, operational networking, build networks. So that was my first step. And this was all Token Ring IBM technology, you know, an Israeli clone of Token Ring, a bit older networking software around it, protocols, LAN Manager was one of the first ones I would say, Banyan VINES and NetWare, you know, IPX/SPX, all this kind of stuff. VIP, no, TCP/IP didn’t exist yet.
It existed somewhere on ARPA or DARPA, but not on corporate networks yet. So, and then the story of this multi-stack started, you know, we had NetBIOS, even some TCP appeared early, and we had multi-stack, and that was kind of unmanageable. And I went into that, I said, okay, I can build networks, I can architect them, I can physically build them. But now we also need to see how we can build them the best way to comprehend all this multi-stack mess. Because that was what it was and it was not as big as now, right? But it was expensive. Very expensive. It needed to be put into the equation of the bottom line. So it was lots of automation. You know, this was when PCs came in and all this kind of stuff. And that went well for a couple of years. And then TCP/IP only networks, you know, and the printless office. That was kind of the two things that were combined. So we went to TCP/IP and voilà, we also had Ethernet now all of a sudden, so all this cabling stuff, we’re gonna do it again. And DHCP, DNS, NTP, NetBIOS, WINS, all these kinds of protocols needed to be operating on the network to make sure that, you know, everything went from A to B. So multi-stack, then single stack, TCP/IP only, and these networks were growing quite fast. This is the 90s, I would say, the first half of the 90s, where we had so many protocols and IP addresses and stuff like that. We didn’t do Excel yet then. I think it was just vi. Host files and vi. And that was an era where you started to say, hey, you know, we need to automate this. We cannot keep track. And if we can pull it from the network or push it to the network and configure it remotely, you know, the switches, the routers and all this kind of good stuff, you know, we do that. So we started writing our own scripts, you know, and maybe some software that was available from some network vendor. Started managing those networks to make ’em sizable.
And this is where I got introduced mostly to the IP, DNS, DHCP, NTP stuff. And I started looking for management software that does it. So we ended up with QIP; we were one of the first partners of Quadritek at the time that started QIP, which is DDI, you know (DNS, DHCP, IPAM: IP address management), to manage those networks on the protocol level to, you know, provision networks and make sure that if you plug something in, it gets an IP address and it works, you know, very exciting stuff. We took it from there and then we became kind of a group of people that did stuff and we went away more from the networking and more to the provisioning side of the story. Big networks like enterprise networks, telcos and all this kind of stuff. And the more we did that, the more we wanted to automate, because first it was static IP addressing, you know, it was not scalable at all. So DHCP came in. And then Microsoft came along with their Active Directory crap. Sorry, I said that because it is, which was completely not scalable, but it came with all the services that you need to run a network without having knowledge. Right? And we saw that happening and it became quite messy in lots of environments. And we said, hey, you know, we need to do something, we need to push for better, higher grade services, network services, because this is important stuff. If a network service goes down, DNS goes down, everything goes down, right? No DHCP, no IP address, no business. So that was really where we said, hey, we need to make this more serious. You know, we need to tell the market that they need to take care of this, like security. You need to take care of provisioning, you need to take care of your assets. What’s happening on your network? Are you using it well? You know, can you improve it? Can you optimize it? All this kind of stuff. Which comes with the services, because you just look at the logs, right? And then you get a lot of information you can do something with.
So we did a lot of stuff there. And then there’s DNS thing, you know, caught my mind. And I love DNS, I really love it and you can use it for so many things. If you have the right version in the right spot, in the right architecture and those kind of stuff, you can really leverage it for a lot of stuff without spending a lot of money on security solutions, for example, or network management solutions that don’t make any sense. Because at that time, what you saw is, you know, you were running a Cisco network, you were not running a company network or you were running a checkpoint security network or infrastructure, not a company network infrastructure. Right? So you just copied what the vendor said and then you let it run and it came with all the software like Active Directory. Right? And what you saw is that the knowledge on this part became very scarce because you know, you switch it on, you know, we install a Microsoft Active Directory server and DHCP and DNS just runs, you know, and that’s fine. You know, it doesn’t break, it runs, it’s slow maybe, but, you know, no problem. So the knowledge on this kind of protocols and on this kind of level of networking and especially on the security side was very terse and we saw that as an opportunity, you know, and said, okay, we’re gonna take care of that for you and make sure that it is secure and is fast and nice and whatever and you’ll also have information and you have visibility and inventory and, you know, whatever you want. Right? So that was a good business. Still doing that till today where DNS is still, you know, one of my favorite hobbies professionally and privately and helping companies just to architect it Right. And include it in your security posture and include it in your architecture and don’t say, you know, oh, it comes with Microsoft. 
So we just switch it on and, you know, we’re on page 24 of the manual and we will be fine because that’s the recommendation, and that’s just not enough, and this is a lack of knowledge. So I try to spread knowledge on this, which becomes more and more difficult by the day. But it’s good for business because of it. So yeah, that’s kind of the story. I gave you the short one because I can go very deep on a network level, especially on Cisco and syslogging and query-logging and all this kind of stuff where you have visibility kind of stuff. And then later on I was still doing that, but more in steering, leadership, evangelist, trainer kind of stuff, you know, to share this expertise and say, hey, we need more people that know this, so we get better networks out of it, which is still needed.
David Redekop: Very interesting, Chris. Very interesting. I’m gonna go back to your light bulb moment when you said, DNS! This is it! This is the interesting thing! Because everything that led up to that point was a series of steps to get to the point where DNS works, right? We sometimes have arguments about what kind of protocol DNS is and what layer of the OSI model it runs at, and my answer usually is, “well, everything from 2 to 7 depending on how you use it.” But at the end of the day, it’s a layer 7 application, so you need to have a number of building blocks in order to get there.
Chris Buijs: It’s funny that you said that, level 7. It’s a pain in my heart to admit that you’re right on it because I’m still a networker. For me, it’s level 3, all the way. Yeah. But from a perspective that you need to have. Absolutely. And it came again with this, I don’t wanna bash Microsoft Active Directory at all, but it came a little bit with Microsoft, where they positioned it as an application because it runs on an operating system and it makes complete sense, and there was a light bulb moment there as well where they said, hey, if you say level 7, there is all of a sudden more interest for it from the networking guys, from the security guys, from leadership, from decision makers and stuff like that, because now they get it somehow, because level 3 is, you know, that’s mystical and, you know, magic and all that kind of stuff. And then, you know, they made it easier to sell it, I would say, from a product level or from a knowledge level or get buy-in and all this kind of stuff, so I fully agree. But I also disagree a little, you know, in my heart.
David Redekop: Yeah. No, I completely get it. Especially because the things that are at layer 3 tend to be a set-it-and-forget-it kind of thing. And that’s where even to this day, a lot of layer 3 functionality is a monitor-it, but you don’t need to have this continuous defense posture. And in your writing in SC Media, I noticed that you have pointed that out, that traditional IT Ops teams were used to this set-it-and-forget-it mentality, and now needed to make that shift towards DevSecOps, where it’s about this continuous defense mindset. When did that first become obvious to you?
Chris Buijs: Well, downtime, right? That was the #1. You know, and it’s, you know, the haiku, “it’s always DNS.” This is how this, this is where it all started, especially in the beginning when we transitioned from host files to DNS, because you needed DNS for distribution and auto-updates and all this kind of good stuff, right? So now things became automated, so it also goes automatically wrong because it’s all new and all this kind of thing. So we had massive downtimes, you know, and this was in a time when, if it was down for an hour, it kind of was not nice, but, you know, we were not, you know, losing millions of dollars or millions of euros. Right. But nowadays, if DNS goes down, it’s not only the impact on the network owner, but it’s also affecting your business or, in the worst case, even the business of other people. And then, you know, you always see it. I think a good example is the Facebooks and Cloudflares of this world that have an outage. And when it’s DNS, you notice, I always see a red flag. So if they know what it was, they immediately report on it an hour later: “we fixed it. This was it. Configuration issue, whatever, lalalalala.” But if it’s DNS, it’s always a week later, or it’s always two weeks later, because they’re looking at the wrong places. They don’t do, you know, so I’m an old debugger on networks. I start with layer 0 and then go up to layer seven, right? Not the other way down. And you see, especially with SaaS and cloud, you know, they are level 7, right? So of course they’re gonna go from level 7 down, but it takes you a lot of time to do so, to do the debugging. So that was for me where I got like, okay, the impact of this is that “we need to do it well” because if I have a wrong comma in some text file, the business stands still.
So this is how important it is, and it’s still difficult to sell this because, and it’s kind of a problem with DNS, it kind of always works, you know, set-it-and-forget-it, as you said. And if it works, it works well for a long time. And then when it goes down and there’s trouble, people have trouble identifying that it is DNS. They don’t automatically make the hook with DNS. I do it instantaneously. I go directly to DNS because I’m a DNS guy. Right. But most companies don’t, and I think there’s a couple of reasons for this, which is kind of, it comes back to my storytelling to lots of companies as well. So, you know, who owns DNS in a company, for example? You know, mostly it’s the networking guys, or it’s the Microsoft guys, but not the security guys, for example, or any mix, you know, depending on the size of companies and all this kind of stuff. So before you get everybody on board and, you know, fix broken communication between departments, you already have, you know, downtime growing. And that’s what I said earlier, it needs to be part of your architecture. DNS, DHCP, and all these networking provisioning protocols need to be part of your architecture and part of your stack. So all this full-stack nonsense I’m hearing continuously nowadays with CI/CD and full-stack development and stuff like that. And they go like, “what are you using for DNS?” “Oh, it’s there, it’s in Docker,” whatever. I said, no, see, there you go again. We automate the hell out of everything. Beautiful. Really, I love it. But then we forgot DNS again. We’re happy to spend 10 million on a firewall, but 10,000 euros on a good DNS server is kind of the most difficult thing to do or something, because it always is up. And it costs “nothing” (between quotes). These Microsoft servers, DNS is included, so it’s for free, right? Yeah. This is all nonsense of course, but this is the perception that you need to break, and all companies, all bigger companies have this perception. It runs.
We can blame Microsoft or we can blame some other vendor or whatever because it’s part of the architecture, because, you know, we’re using it.
David Redekop: I constantly see the same. You probably are also a witness to this, where 7, 8, 9 figure topline companies have their endpoints’ DNS pointing directly to their Active Directory DNS. Just the prevalence of that one default alone tells me that you are right in your broader assessment that DNS is not thought about proactively. And we find the same thing about the DNS folks, or the ones that carry that responsibility: the larger the organization, the more isolated they are, the less influence they have on the networking team and the less influence they have on the security team. So, in a larger enterprise, we’re talking about dealing with three separate and distinct teams: security, networking, and the lonely DNS team, just to do DNS correctly, and then trying to corral ’em together to agree on something. Everybody feels like their domain is being trodden upon when a good idea or a good strategic step forward is being proposed.
Chris Buijs: They are also not investing in DNS, right? One of the things to add to that, because I worked with lots of the bigger, the top 500 enterprises in the world. Not to pat myself on the shoulder, but I did. And what you’re seeing is that the DNS team for a big bank worldwide is maybe three people, you know, so the investment in that kind of department is so low that it disappears from the chart, right? So, and with that, the seriousness or the importance as well, because it’s not costing anything, you know, compared to a security team, for example, which costs hundreds of millions in larger organizations. So I think it’s also the voice they don’t have because of that, or the politics around that is, you know, when it goes down it’s always like the DNS guys all said, “we told you so.” Always, always. And nobody listens because there are three nerds in a 100,000 people company that are making sure everything works. I don’t know what it is exactly, I think it’s knowledge on the decision-making level. The DNS guys are not equipped to explain how DNS works and how important it is in the architecture, so we can help them with that. But it’s, you know, a lot of work. But it’s also money, you know. How much do you need? Yeah. 10,000, 20,000. Oh. But, can we not use this DNS thing from Microsoft or whatever? So they’re battling, constantly battling, and we need to help those guys a little bit more, which I’ve been doing for the past 25 years. It helps a little bit, but we need to do it absolutely more.
David Redekop: Right. Absolutely. Is there any particular strategy that you find that has worked? Because when you focus in areas that you’ve also written about, which is about moving towards automation, and the moment you have good quality of automation, you’ve got this human dividend, you’ve got a return of people’s expertise that are, that’s basically return in the form of availability of, you know, time and tasks. How do you convert that availability now to a defensive posture?
Chris Buijs: Well, it’s what you guys do with the Zero Trust, right? You turn it around. So you only trust what you can trust. But what I’m seeing is two things that go a little against that. You now have application builders in the enterprise, for example. They build an application, they push a button, and it runs on the network and it is provisioned. DNS, DHCP, the whole thing included. Security zones and whatnot. They actually don’t think about it because it’s the press of a button. So it’s not on their minds to build or architect an application that takes into account some stuff so it works even better or in conjunction with the security policies and all this kind of stuff, instead of just template and you’ll be fine and we will see it in the audit. But the performance could be bad, or it could even be leaking or have some security implications because of it, because they don’t have it on their mind, because they are just flushing out code, right? And what you see there is that having a process, automated or not, it doesn’t really matter, that thinks about the stuff, where all these geniuses are together and think about it, instead of different departments that come up with their own template. You know, you run three templates: a security template, the DNS template, and a provisioning template, and you’ll be fine. And the conjunction of these three is a far-fetched gap. There’s gaps and stuff like that. I’m not saying everybody, but in general, I would say this is true and it’s not helping companies to deploy stuff, right? And in the worst case it comes with security implications. So having alignment, know what your company network is, because this is the other problem that I was pointing out, is that nobody knows what they’re running. And the #1 rule for me for automation is you need to know what you’re running. What I’m seeing is the companies that I have visited that have their s**t together, you know, or their stuff together. Sorry.
Is, you know, they have experts that look at the behavior of what’s happening, or how is the network utilized? What’s the behavior of the network, and connect the dots, you know, between the data and what the company needs and what the end users want. Because technical debt exists for a reason, for example, shadow IT exists for a reason, because people are not happy with the facilities of the network, for example because it’s too slow. I use at home something better. I bring my iPad to work, you know, whatever. So you need to connect those dots, you say, “okay, how can we still have a high grade of usability? How can we influence behavior?” Because it could be as simple as giving a training, you know, I don’t want to go down that route because we have training for everything nowadays, but it is important. So education, I would say, knowledge build-up is number one in my book. If you don’t know how your network operates or you cannot measure it, you know, spend time on this to get it, because otherwise there’s no point.
David Redekop: Yeah, there has to be an element of curiosity, right?
Chris Buijs: Yeah. You need to like it.
David Redekop: Yes, there has to be an insatiable kind of hunger for the next, right? For doing things better, for just a non-stop pursuit. It isn’t a target that you reach, it is an attitudinal positioning of always continuing to explore the next level. And what’s interesting, I find, is that when you identify those people, that’s when you actually see the next level of innovation kind of come to light, or the need for the next level of innovation come to light. So, I’m always excited to see people that have demonstrated over a period of time that non-stop hunger for better understanding that can then immediately be applied for a client benefit somewhere.
Chris Buijs: Yeah. And connect those dots, what does it mean for the business, right? Because I see a lot of things introduced on the network where you can have this, it’s a very famous word in English. It’s, “why?” So it’s like, you know, “why did you do that?” You know, and they go, like, “oh, it’s good for the business.” Why it’s good for the business and, you know, the “5 Whys.” I love this, I love. This is my mantra. You ask deep enough and it’s, like, oh, I played golf with a buddy and he said that was good stuff. You know, not enough. So you see that lots of management decisions are made uninformed because they do not care. They just want to hear the story and move on and I think this is lack of curiosity, as you name it. But it’s a lack of interest, you know, if it’s your hobby, you know, DNS is my hobby, so I love going into big enterprises to see how they operate because yum, yum, yum, popcorn, right? So I love that because I, you know, if I don’t have that how would I know?
David Redekop: I set up a web server and a DNS server at a never before used public IPv4 address last night. And I thought, I’m very curious what is going to be my first hit on my interface. And believe it or not the very first, actually, I’m going to ask you. What do you think? What do you guess was the very first hit?
Chris Buijs: Query wise? Or yes, DNS query wise. Um, well, I have a couple of these edge nodes running myself, right. So what I see when I start something new up, it’s lots of DDR, actually, somehow. But it’s, you know, you have this public list of how can I test the connection, connectivity.android.com, google.com. There is this specific list, and I see this list. I see lots of domains and these are mostly the domain scanners of sorts, for example, or, you know, the Censys guys. These are the first guys I see almost every time.
David Redekop: Absolutely. We find the same thing. For outgoing traffic, the very first thing are the connectivity checks. So for endpoints that are trying to connect online, iOS will always go to, like, captive.apple.com, for example. But when you stand something up on a public interface for others to discover and you’ve never served DNS there before, I was not surprised, but it’s like almost surprised when I saw the very first question was from direct.shodan.io. Like, so that’s how those guys are staying super current, because every once in a while I’ll stand up a device online and wait, and see how long it takes Shodan to discover it. And it’s very, very fast. Censys is like that too, that’s for sure. And yeah, what’s your average time in experience before you get the first hit? You fire it up and then it takes, for me, it’s like five, six minutes. That’s it. I don’t even think it was more than a few minutes, and boom, there was the first query. Then, right after that, the TXT bind.version CHAOS queries started coming through, because of course, DNS is one of those things that has to be public-facing for public resolvers. And because there are known vulnerabilities, of course, it would make sense that right away you’d be checking what version of a DNS server is running here, so.
Chris Buijs: The funny thing is I see more queries coming from Open Resolver Labs and all this kind of stuff to see if there’s open resolvers and make a report about it than actually bad actors. So I get more hits from scanners than the bad people. But, what’s interesting, for an amplification attack, okay, home routers are a good target, because if you have 100,000 zombies doing your job, that’s great. But why would I attack a home DNS server because I can steal 1,000 euros from your bank account? I dunno. You know, spend five euros to get ten, right? So I don’t know if that’s a good deal, but for larger organizations, of course. But amplification attacks, you know, the IoT stuff that is used as an amplifier, and these are the worst devices on your network, the televisions and the barcode scanners and all this kind of crap.
David Redekop: Yeah. Every defender out there, by now, I would hope, would be blocking the two most abused amplification protocols, which are DNS (UDP 53) and NTP (UDP 123), to make sure that your network cannot reach out to those protocols to the internet, period, because they should be served internally. But it’s amazing how often those are still wide open. And partially it’s because so many IoT devices are still shipping with the only way they’ll function is if those IoT devices on startup can reach their own NTP server, right? So we’re dealing with an ecosystem that,
Chris Buijs: But I see a lot of NTP attacks as well. So I worked for this big bank where we did serious stuff on NTP. And banks, or the financial sector, is very interesting to attack with NTP because it’s very transactional, you know, it’s time-based. So we had lots of GPS, not even NTP protocol, but GPS time attacks by little fans next to the data center. You know, sending fake GPS signals just to disrupt time, because that was enough to disrupt transactions, you know, money transactions. And that was just to disrupt, you know, for all kinds of stuff. So they got the guys, you know, the secret police and stuff like this. I cannot share a lot about it, but it shows that, you know, if that’s already happening on that level, then NTP is like child’s play.
David Redekop: Absolutely. Yeah. I mean, the defenders have to cover all defenses, but the offenders just need to find whatever is the most exploitable weakness at any point in time. You know, with you being decades in the industry, you’ve probably seen a lot of next generation tools come and go. And if you look back at that journey, is there any one particular defensive principle that’s held for 20 years?
Chris Buijs: Oh, access lists, but that’s it.
David Redekop: Yes, I still rely on access lists all the time. Like, I have public-facing services in a variety of sites, but I would never dare, you know, leave those services, you know, open to the world.
Chris Buijs: No, no. I still use TSIG to, you know, give people a key that want to use my DNS server or, you know, in companies. And the funny thing about TSIG is that even now, with companies that are making hundreds of billions a year, they don’t even support it. They don’t even have it, you know. And I go like, okay, you know, that’s again the story. You know, what’s the positioning? You know, do they call it a safe DNS or DNS, you know? And they never called it a safe DNS, so what are we complaining about? Right? You get into what you get into. So there’s lots of storytelling and lots of knowledge and the lack of knowledge, and the number of people, not only in security and in events, but also on DNS and NTP and all these kinds of low-level protocols that make networks operable, it’s getting less and less, because they just next, next, finish with your YAML file that just does everything for you to make your farting app work on the internet, right? So, yeah, that comes with lots of attack vectors and lots of possibilities for security hackers and whatever to utilize in their attack as well. So we’re deploying so many containers and entities on the internet that are so unsafe and can be utilized and will be utilized, you know. If Censys can scan my DNS server in five minutes, let alone, you know, people that are doing this for their job. So, yeah. But I’m kind of dualistic on it. I think it’s going in the right direction, but it’s also going in the wrong direction at the same time.
David Redekop: Chris, this has been a real joyful experience for me to have a conversation with someone across the pond, as we say, that really has been in this space for as long as we have. And I really look forward to spending more time with you and figuring out where our paths cross further. But is there any one last piece of wisdom or advice that you’d like to leave the Defender’s audience with? Any last piece of wisdom or advice?
Chris Buijs: Just integrate and have DNS included as part of your security posture, and not do it separately or define it separately. You know, and you really need it as a whole architecture, as a full stack almost. That’s my advice, and if you need to do that by changing processes or organization, do it, because the benefits are real.
David Redekop: So that is in complete agreement with my thinking, which is always defensive posture, and DNS is your first and last line of defense. You can fit a lot of other details and integrate in the middle, but if it’s the first and the last line of defense, then you’re really making good, intelligent use of defensive DNS.
Chris Buijs: Absolutely, cannot agree more.
David Redekop: Chris, it’s been so good to get to know you. Thank you for your time today, and I hope your weather turns out a little bit nicer than ours. It’s the end of April here and yet it was below zero this morning, so.
Chris Buijs: Oh, no. We have like 10 degrees, so we’re good.
David Redekop: Oh, you’re good. Alright, well, I’m coming over very shortly. So I’ll see you soon. Take care. Bye for now, Chris. Bye.
Outro: The Defender’s Log requires more than a conversation. It takes action, research, and collective wisdom. If today’s episode resonated with you, we’d love to hear your insights. Join the conversation and help us shape the future together. We will be back with more stories, strategies, and real-world solutions that are making a difference for everyone. In the meantime, be sure to subscribe, rate, write a review, and share it with someone you think would benefit from it too. Thanks for listening, and we’ll see you on the next episode.
The post TDL 020 | Why DNS Is Your First Line of Cyber Defense | Chris Buijs appeared first on Security Boulevard.
Carly_Engelbrecht
Source: Security Boulevard
Source Link: https://securityboulevard.com/2026/04/tdl-020-why-dns-is-your-first-line-of-cyber-defense-chris-buijs/