Got GIAC? Free GIAC Cert Attempt Included with OnDemand 5 or 6 Day Training thru July 7


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

DNS is Changing. So What?

  • Tuesday, April 14, 2020 at 1:00 PM EDT (2020-04-14 17:00:00 UTC)
  • Johannes Ullrich


  • Cisco Systems Inc.

You can now attend the webcast using your mobile device!



If you give me one type of logs from your environment to figure out what is happening, I would always go for DNS logs. Everything that happens on your network leaves a mark in DNS. Or at least that's how it used to work. More recently, efforts to protect the privacy of DNS with DNS over TLS and DNS over HTTPS have promised to make it more difficult to figure out what DNS queries a user is sending. In addition, DNS continues to be abused for denial of service attacks, and existing security extensions like DNSSEC have done little to prevent this. In some cases, DNSSEC has made the problem worse. Additional extensions to DNS, like DNS cookies, are now being used to help out with some of these problems. But wait! There is more! DNS spoofing is still an underappreciated problem, so you may want to hang on tot he DNSEC implementation plan that you are planning to execute on for the last few years. In this talk, we will meander through many of these new and upcoming DNS features. We will look at packets! We (better!) have fun doing so! And in the spirit of our intrusion detection in depth class we will leave no bit unturned to figure out how all of this will affect our network monitoring.

Speaker Bio

Johannes Ullrich

Johannes Ullrich, dean of research at the SANS Technology Institute, is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. His research interests include IPv6, network traffic analysis and secure software development. In 2004, Network World named Johannes one of the 50 most powerful people in the networking industry, and SC Magazine named him one of the top five influential IT security thinkers for 2005. Prior to working for SANS, Johannes served as a lead support engineer for a web development company and as a research physicist.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.