If you give me one type of logs from your environment to figure out what is happening, I would always go for DNS logs. Everything that happens on your network leaves a mark in DNS. Or at least that's how it used to work. More recently, efforts to protect the privacy of DNS with DNS over TLS and DNS over HTTPS have promised to make it more difficult to figure out what DNS queries a user is sending. In addition, DNS continues to be abused for denial of service attacks, and existing security extensions like DNSSEC have done little to prevent this. In some cases, DNSSEC has made the problem worse. Additional extensions to DNS, like DNS cookies, are now being used to help out with some of these problems. But wait! There is more! DNS spoofing is still an underappreciated problem, so you may want to hang on tot he DNSEC implementation plan that you are planning to execute on for the last few years. In this talk, we will meander through many of these new and upcoming DNS features. We will look at packets! We (better!) have fun doing so! And in the spirit of our intrusion detection in depth class we will leave no bit unturned to figure out how all of this will affect our network monitoring.