Hi everybody, we're back. So the next talk is Kieran Jacobsen, talking about avoiding DNS pain.

Hi everyone, and welcome to Avoiding DNS Pain with me, Kieran Jacobsen.

Before I start the presentation I'd like to take a moment to acknowledge the traditional owners of the country throughout Australia and recognize their continuing connection to land, waters and culture. I pay my respects to their elders past, present and emerging.

So as I said earlier, my name is Kieran Jacobsen. I recently joined Focus Software as their head of business systems. I'm leading a team that's supporting our internal IT systems, our infrastructure and a lot of our business processes, and working through that to help drive the business to further growth. I've been a Microsoft MVP for the last five years and I'm also now a GitKraken ambassador. But enough about me, let's start talking about DNS.

So it's my firm belief that DNS is one of these systems that's really under-appreciated, and it runs and powers all of our networks and, you know, the internet as we know it. Well, it's under-appreciated until it becomes unavailable, and that's when we find ourselves, not just as individuals and organizations but globally, in a world of pain.

2021, last year, was actually pretty significant in terms of DNS outages. Pretty much every major player, every cloud provider, was impacted at some point in time by a DNS-related change or issue. In April, Microsoft and Azure and a lot of dependent services and customers were impacted by a DNS outage that was caused by a coding issue inside Azure's DNS services. In July, customers of Akamai, including Oracle Cloud, UPS, FedEx, Steam, LastPass and Sony PlayStation, were impacted by an outage in Akamai's Edge DNS service. September saw an outage with Slack and their DNS services. But these were all overshadowed by what was really an internet meltdown: that was when Facebook, Instagram, Messenger and WhatsApp went down for over six hours in October. This outage wasn't actually caused by DNS, or a DNS change or server issue directly, but by networking issues that made those services unavailable. But once again that helps highlight how a DNS resolution issue can quickly start to, you know, cause absolute chaos. The estimate is that Mark Zuckerberg lost millions of dollars, and it's hundreds of millions of dollars as Meta's stock market value just dropped over that period of time. And of course, not to be left out of the club, AWS had a DNS-related outage as well in December. This one actually had a lot of downstream impact; there were a lot of other IT service providers and organizations that rely on AWS that had outages as well caused by this issue.

And all of this keeps building up to this really big challenge that organizations are starting to face around ensuring that websites and web applications are still resolvable in the event of issues.

But there's also been a lot of DNS security concerns as well. It's not just outages we need to think about when we look at DNS. Attacks against DNS have been on the increase year on year. Organizations have been repeatedly warned to be on the lookout for attacks against DNS infrastructure over these past three years. Three years ago CISA, the American government security agency, released their very first emergency directive, and that was actually warning organizations and government agencies to take steps to prevent attacks against critical DNS infrastructure. That warning has, in a way, fallen on deaf ears mostly.

Security threats to DNS come in a couple of different forms. The most common is still attacks via compromising DNS entries, but the other one that we're starting to see a lot more of is what's called dangling DNS entries.

So let's take this situation. We're going to provision a web app on Azure and it's got the FQDN of app-contogreat-dev-001.azurewebsites.net. We're going to assign greatapp.contoso.com to route traffic to that Azure resource. Now after a while we decide we don't need that application anymore. Somebody's gone into the Azure portal and they've deleted that web application. At this point we've still got that CNAME record pointing: so we've got the CNAME record greatapp.contoso.com pointing to app-contogreat-dev-001, but the underlying application isn't there anymore.

And this is a dangling DNS record. This record is now vulnerable to being taken over by some other resource on Azure, some other subscription; it doesn't even have to be the same subscription. They could provision a web service and start to get traffic routed to them, and that's what a lot of threat actors are now looking for: they're scanning through DNS zones and looking for these entries. And so let's just say in this example some malicious actor, some threat actor, discovers this entry. They go into Azure, they recreate app-contogreat-dev-001, and now any traffic that's going to greatapp.contoso.com is landing on a website they control.

These dangling DNS entries pose a pretty significant risk. Threat actors can take over a DNS name and they can host a malicious website or a malicious web service using your organization's brand. And it's really important, when we start talking about domain names in a business sense, that they are part of an organization's brand. Misuse of a domain is misuse of an organization's brand, and that's linked to the value of that brand and that organization. With a malicious site on a domain like this they could launch phishing attacks against your customers, cookie harvesting attacks, cross-site scripting, CORS bypass attacks. A lot of these things could really significantly damage your brand's reputation, and big and small companies over the internet have all been impacted by these attacks. Several years ago Microsoft actually had a dangling .microsoft.com domain, and that was a pretty significant issue that they had, and others have seen it as well.

It's also worth pointing out it's not just web applications, it's not just CNAMEs that can be vulnerable. There's actually a lot of domains out there that have got dangling MX records, where you could actually go and provision services on some other domain and suddenly have mail flowing through from other domains. So it's not just the CNAMEs you need to be worried about; you need to look at some of the other resource types as well.

Another big challenge in organizations is the speed at which DNS changes happen. Now this image here I usually have in talks about DevOps and DevSecOps, where I talk about the relationship between development teams and operations teams. DNS is one of these things that's often really overlooked where we have an agile or a DevOps transformation. So we end up with environments where there's often strict or very rigid change control processes, especially for DNS changes; they're rarely seen as a standard pre-approved change. And that's partially because we're sort of subconsciously aware that these things are sensitive, but at the same time not really thinking them through. And what's the result of all this change control? Making a simple DNS change can often take weeks in some environments. I've seen environments where change control for a DNS change can be several months to make an update to an entry, and that's just not feasible as organizations continue to grow and develop.

So when I joined an organization (and I joined Focus in March, sorry, April last year) one of the things that I really find interesting to do is to start looking at DNS zones and start to play a game I call "what's this DNS entry?". You might have 50 or 100 or maybe a thousand DNS entries in a public-facing DNS zone, but do you have clear documentation and traceability about what each one is for? Who requested it, when did they request it, why did they request it? Are you regularly, as an organization, reviewing all of your DNS entries and seeing if they're still accurate? How would you even start to work out if maybe somebody's created a DNS entry maliciously in one of your zones? And often, once again, the fallback is change control: let's just go back to our change management system and we can have a look at the requests and see who's changed what. But as we know from the Facebook outage, the teams trying to fix Facebook's DNS couldn't get to their management consoles and their management systems because DNS was down. And so there's got to be some better ways of managing these things so we don't end up with some of these challenges during an incident.

And thankfully there is a better way, and the solution is to start looking at these problems as infrastructure as code, or as I like to call it, DNS as code. Today I want to talk about DNSControl, and this is a tool that was developed and is maintained by the Stack Exchange team, with a lot of contributions from the community at large. DNSControl is heavily influenced by the experience of the Stack Exchange team in managing websites at a large scale; there's a lot of changes and features that are there based on their experiences with managing DNS outages.

So what is DNSControl? It allows us to use a JavaScript-based DSL (don't worry if you don't know JavaScript, I don't, and I haven't had any problems), but it allows us to use this JavaScript DSL to define what entries should be in a DNS zone, and then from there it will actually look at a DNS zone in your provider and say, okay, I need to create these entries, I need to delete these entries because they shouldn't be there anymore, and I need to modify these entries.

The syntax is really simple to look at, as you can see up on the screen right now. You can see that I've got a domain zone called planetpowershell.com; that's a community project that I maintain. We can see in this DNS zone that there's some SPF records, DMARC, some Office 365 related records. We can also see there's a production website and a development website that are hosted on A records as well. And even without many comments it's pretty easy to just quickly look at this and know what's there in the zone. But we can also add comments to help explain the who, what, when, how and why of some of these entries, and that really starts to help explain and really communicate why things have been done that way, and that's really important.

So say you're going to use DNSControl to manage your zone; let's talk about how making a change to your zone might work, what sort of a standard approach. So in this example I want to add a TXT record, hello.planetpowershell.com, with the content "hello linuxconfig". So I'm going to open up my DNSControl zone file in my favourite editor (yours might be something different; in my case it's VS Code) and I'm going to add in this TXT row at the bottom here. And it's really simple: it's just TXT, what that name is, and then the content. I'm going to commit those changes, I'm going to push those to a branch on GitHub, I'm going to create a pull request. I'm here using GitKraken and they have a built-in PR request feature, so from within the tool you can just go ahead and create your PRs, which I like because it saves a bit of time. But we can start to see with the templates and stuff like that how the process starts to become a bit more clear in terms of change control.

So now we've created that change request, that pull request, we need somebody to obviously go in and review that and approve that, and this is where, when we combine something like DNSControl with GitHub pull request templates, we're starting to make our lives as an infrastructure team and sysadmins even easier. Pull request templates are really great because we can have a template that's got a checklist of what needs to happen to make sure that a change actually meets our internal requirements. In this case there's a check to confirm there's no dangling DNS entries, that SPF doesn't go over the 10 DNS request limit, and some other sort of checks as well. If this was for an internal zone inside your organization you might want to have it with some steps around, say, maybe sending out a notification to users or impacted teams that this change is happening.

We can also use DNSControl to provide automated checks. DNSControl comes with two commands: check, which validates the syntax of your files and makes sure that they are all correct, and preview. Preview is actually going to go ahead and look at the zones as they are in your production environment and see what needs to be created, what might need to be modified, what might need to be deleted, and it doesn't actually do it, it just tells you "this is what I would do if I was told to make the changes". I find this really great because somebody can then propose a change and I can actually go and double check that what they're intending to do actually matches what's actually going to happen.

Now once all of the checks are passed and I've reviewed this change, I can merge it into my main branch, and so that's when our CI/CD process can actually go ahead (in this case I'm using Azure DevOps) and push those changes into production. If I go and look in Cloudflare, which is the DNS provider I'm using for this domain, I can see that that entry has been created. And then if I give it a bit of time for DNS replication and caching, I can see using MXToolbox's DNS query tool that that record is now available for clients to resolve.

So we've gone through a very simple process, from somebody proposing a change all the way through to that change being reviewed and then the change being made, in a pretty quick amount of time, and a lot faster than most organizations would see a DNS change being made.

But there's some other cool features about DNSControl I want to talk about. There's a lot of quality of life and security features in DNSControl. There's the SPF builder; it's often called the SPF optimizer in the documentation. This allows us to not only sort of really cleanly define all the parts of our SPF entry, but it will also support what's called flattening of entries. This will basically go in and, as it goes to create the SPF record, it will remove some of the DNS queries so that we can try and squeak through that 10 lookup limit for SPF records. In some cases I've seen it work really well and it's saved queries and helped companies stay under that limit; in other cases it hasn't worked quite so well. DNSControl also has functionality to help us build out DMARC policies in a way that's a lot easier to read and understand, as well as our CAA records as well. The CAA builder is a little bit new, still a little bit experimental, but once again it makes it so much easier to read and understand.

DNSControl also has a bunch of features around working with Azure DNS, including alias records, AWS Route 53 alias records, Cloudflare; there's a lot of stuff in there as well. From inside DNSControl you can turn the proxy of Cloudflare on and off, you can also create page rules from inside Cloudflare, so you can now start to use DNSControl for all of your sort of Cloudflare management as well, bring it all into one central spot, have all that documentation, that change control within one spot, which is really, really cool.

DNS provider resilience and migration is probably the main reason that Stack Overflow created DNSControl to begin with. When we look at sort of what was behind DNSControl and the Stack Overflow development, it was their experience of having an entire provider just becoming unavailable, and needing to be able to quickly set up another provider and know that all of the entries were there and ready to go and that all of their systems would work. And their experience before that was that they had one provider that was a GUI portal, another that had an API, and they were really sort of worried during this outage of, well, have we created everything, all the records there? And that's where the provider resilience inside DNSControl really comes about.

So we've got three examples here. The first example is example.com; that will actually have eight authoritative NS records, four from Route 53 and four from GCP or Google Cloud. And so in that case clients could go and resolve example.com using any of those eight authoritative NS records. In example two, essentially what we're saying here is we want two NS records from Route 53 and two from Google Cloud; we don't want the full four, we want to balance it just across two. In the third example, example3.com, essentially we're saying we want the authoritative NS records to only be from Route 53, but when DNSControl goes to configure the zone and push that zone out it's still going to go and do all those tasks on GCP. So that basically means that all of the records inside Route 53 and Google Cloud should in theory all match up. Now this is good if you want to just have a sort of a hot spare DNS provider, but one of the big things that I've used this in the past for, and I know a lot of others that do, is actually migrating from one provider to the other. You
know say you're an organization and 552 00:20:46,559 --> 00:20:50,640 you're moving everything from running on 553 00:20:48,159 --> 00:20:52,400 aws across to gcp 554 00:20:50,640 --> 00:20:54,240 then you know this is a really good 555 00:20:52,400 --> 00:20:57,200 approach that you could 556 00:20:54,240 --> 00:21:00,400 simply put the google cloud dns provider 557 00:20:57,200 --> 00:21:02,559 in don't make it authoritative 558 00:21:00,400 --> 00:21:05,520 run dns control have it set up all of 559 00:21:02,559 --> 00:21:08,159 those and then be able to take your time 560 00:21:05,520 --> 00:21:09,600 and review all of those entries before 561 00:21:08,159 --> 00:21:11,280 starting to make it the authority of 562 00:21:09,600 --> 00:21:13,039 provider 563 00:21:11,280 --> 00:21:14,960 and then you could slowly move load 564 00:21:13,039 --> 00:21:16,960 across to that if you wanted to as well 565 00:21:14,960 --> 00:21:19,360 that's the power behind a lot of some of 566 00:21:16,960 --> 00:21:19,360 this stuff 567 00:21:20,880 --> 00:21:26,000 migration is one of these ones that 568 00:21:24,480 --> 00:21:28,000 there's still more work happening in the 569 00:21:26,000 --> 00:21:30,320 background because obviously 570 00:21:28,000 --> 00:21:32,240 stack overflow team the stack exchange 571 00:21:30,320 --> 00:21:36,159 team are seeing more ways to improve 572 00:21:32,240 --> 00:21:36,159 that process through their own usage 573 00:21:36,960 --> 00:21:40,159 um 574 00:21:37,840 --> 00:21:41,760 before i finish up and open up some time 575 00:21:40,159 --> 00:21:44,400 for questions 576 00:21:41,760 --> 00:21:46,320 i've put together some links here that i 577 00:21:44,400 --> 00:21:50,400 think will help everybody sort of start 578 00:21:46,320 --> 00:21:52,640 on a dns code a dns controlled journey 579 00:21:50,400 --> 00:21:53,600 the first two are blog posts that i've 580 00:21:52,640 --> 00:21:56,080 written 581 00:21:53,600 --> 00:21:58,400 on how you can 
help protect an 582 00:21:56,080 --> 00:22:00,799 organization against 583 00:21:58,400 --> 00:22:03,200 some of the infrastructure dns 584 00:22:00,799 --> 00:22:05,200 infrastructure tampering attacks 585 00:22:03,200 --> 00:22:07,520 that are out there thinking about 586 00:22:05,200 --> 00:22:09,760 two-factor thinking about change control 587 00:22:07,520 --> 00:22:13,120 and security controls 588 00:22:09,760 --> 00:22:15,280 and the other is around dns squatting 589 00:22:13,120 --> 00:22:17,679 with a particular focus on azure app 590 00:22:15,280 --> 00:22:20,559 services 591 00:22:17,679 --> 00:22:22,880 my next entry is a pretty mammoth blog 592 00:22:20,559 --> 00:22:26,480 post that i put out a few years ago 593 00:22:22,880 --> 00:22:27,430 on setting up dns control having it 594 00:22:26,480 --> 00:22:28,799 hosted in 595 00:22:27,430 --> 00:22:29,919 [Music] 596 00:22:28,799 --> 00:22:32,640 github 597 00:22:29,919 --> 00:22:34,960 and using what was then vsts or now 598 00:22:32,640 --> 00:22:37,679 azure devops 599 00:22:34,960 --> 00:22:40,799 to basically have a full sort of 600 00:22:37,679 --> 00:22:42,640 you know ci cd process 601 00:22:40,799 --> 00:22:45,300 that's you know configuring entries 602 00:22:42,640 --> 00:22:47,360 inside cloudflare and then simple 603 00:22:45,300 --> 00:22:49,200 [Music] 604 00:22:47,360 --> 00:22:51,440 whilst a lot of that stuff in that the 605 00:22:49,200 --> 00:22:53,200 content of that post might not be 606 00:22:51,440 --> 00:22:54,960 applicable to you 607 00:22:53,200 --> 00:22:57,039 uh if you're sort of looking at setting 608 00:22:54,960 --> 00:22:59,120 it up it will give you a really good 609 00:22:57,039 --> 00:23:01,120 sort of 610 00:22:59,120 --> 00:23:02,960 idea and sort of point you in the right 611 00:23:01,120 --> 00:23:05,520 direction for starting to come up with 612 00:23:02,960 --> 00:23:09,039 your own cicd process fit that meets 613 00:23:05,520 --> 00:23:11,840 your 
organization's needs 614 00:23:09,039 --> 00:23:13,840 my next link there is what i call my 615 00:23:11,840 --> 00:23:15,200 it's a dns accelerator package that i've 616 00:23:13,840 --> 00:23:18,159 come up with 617 00:23:15,200 --> 00:23:21,679 the idea with that is i've got a dns 618 00:23:18,159 --> 00:23:23,200 control zone file and some cicd 619 00:23:21,679 --> 00:23:24,480 and documentation and some little 620 00:23:23,200 --> 00:23:26,480 helpers 621 00:23:24,480 --> 00:23:30,080 to basically be able to buy a domain and 622 00:23:26,480 --> 00:23:30,080 have it set up really quickly 623 00:23:30,240 --> 00:23:34,960 and the goal is to also include things 624 00:23:32,240 --> 00:23:38,880 like spf and dmarc and cia records as 625 00:23:34,960 --> 00:23:40,960 well so that the domain is you know 626 00:23:38,880 --> 00:23:42,480 uh on its way to being you know having 627 00:23:40,960 --> 00:23:45,200 some of these sort of security related 628 00:23:42,480 --> 00:23:47,440 dns entries defined in there from the 629 00:23:45,200 --> 00:23:50,640 start 630 00:23:47,440 --> 00:23:53,279 the next two uh links there are for 631 00:23:50,640 --> 00:23:56,000 the official documentation for 632 00:23:53,279 --> 00:23:57,679 dns control i really recommend that you 633 00:23:56,000 --> 00:24:00,000 take a look at their getting started 634 00:23:57,679 --> 00:24:02,000 guide i also recommend taking a look at 635 00:24:00,000 --> 00:24:04,159 their migration guidance 636 00:24:02,000 --> 00:24:06,400 they have a migration tool that will 637 00:24:04,159 --> 00:24:08,720 actually allow you to get a bind file 638 00:24:06,400 --> 00:24:12,159 and convert that into a dns 639 00:24:08,720 --> 00:24:15,360 control zone file it works really really 640 00:24:12,159 --> 00:24:17,440 well um and considering that a lot of 641 00:24:15,360 --> 00:24:19,520 some of the sort of third-party you know 642 00:24:17,440 --> 00:24:21,520 the different dns providers have an 643 00:24:19,520 
--> 00:24:23,279 export to bind option 644 00:24:21,520 --> 00:24:25,440 it's probably one of your you know your 645 00:24:23,279 --> 00:24:27,919 best ideas for starting to pick up and 646 00:24:25,440 --> 00:24:29,360 use dns control 647 00:24:27,919 --> 00:24:30,880 finally i've got a referral link there 648 00:24:29,360 --> 00:24:33,200 to get kraken 649 00:24:30,880 --> 00:24:35,279 basically if you use that link 650 00:24:33,200 --> 00:24:37,679 both you and i will go into a draw for a 651 00:24:35,279 --> 00:24:40,400 100 gift card and there's four winners 652 00:24:37,679 --> 00:24:42,080 every month i believe so always a 653 00:24:40,400 --> 00:24:45,720 a great option to try and get some free 654 00:24:42,080 --> 00:24:45,720 amazon gift cards 655 00:24:46,400 --> 00:24:50,320 thank you all for listening to my 656 00:24:47,600 --> 00:24:54,240 session um i'm going to leave a 657 00:24:50,320 --> 00:24:56,960 very sort of old and lame recursive dns 658 00:24:54,240 --> 00:24:58,159 joke there for you all um 659 00:24:56,960 --> 00:24:59,760 i'd like to thank you all for listening 660 00:24:58,159 --> 00:25:02,400 to me once again if you want to reach 661 00:24:59,760 --> 00:25:03,919 out to me i'm on twitter at k jacobson 662 00:25:02,400 --> 00:25:05,679 and i've got my website at 663 00:25:03,919 --> 00:25:08,799 poshsecurity.com 664 00:25:05,679 --> 00:25:08,799 thank you all so much 665 00:25:10,000 --> 00:25:14,480 okay thanks karen um we have a couple of 666 00:25:12,559 --> 00:25:16,720 questions 667 00:25:14,480 --> 00:25:19,120 first question is 668 00:25:16,720 --> 00:25:20,960 have you tried managing dns records 669 00:25:19,120 --> 00:25:23,279 using other than infrastructure as code 670 00:25:20,960 --> 00:25:25,360 tools and if so is there anything you've 671 00:25:23,279 --> 00:25:27,840 found it's particularly standout 672 00:25:25,360 --> 00:25:30,559 functionality in dns control and 673 00:25:27,840 --> 00:25:33,039 anything you've found 
dns control to let 674 00:25:30,559 --> 00:25:35,440 compared to the rest 675 00:25:33,039 --> 00:25:37,760 i think the reason that i was drawing a 676 00:25:35,440 --> 00:25:40,080 dns control is i've i've tried using 677 00:25:37,760 --> 00:25:42,240 terraform i've tried using azure arm 678 00:25:40,080 --> 00:25:43,600 templates and powershell and things like 679 00:25:42,240 --> 00:25:44,559 that 680 00:25:43,600 --> 00:25:46,720 um 681 00:25:44,559 --> 00:25:48,799 dns control supports 682 00:25:46,720 --> 00:25:51,120 so many different services providers and 683 00:25:48,799 --> 00:25:53,679 so many different domain registrars 684 00:25:51,120 --> 00:25:55,440 that it just allows you sort of 685 00:25:53,679 --> 00:25:57,200 pick up really quickly and just sort of 686 00:25:55,440 --> 00:25:58,240 start plugging stuff in 687 00:25:57,200 --> 00:25:59,840 um 688 00:25:58,240 --> 00:26:01,919 you know you can 689 00:25:59,840 --> 00:26:03,760 you know they have a very long list of 690 00:26:01,919 --> 00:26:06,320 service providers that they support now 691 00:26:03,760 --> 00:26:08,080 and so you can use the same structure 692 00:26:06,320 --> 00:26:09,760 no matter where your domain's hosted so 693 00:26:08,080 --> 00:26:11,310 that's why i've lent a bit more towards 694 00:26:09,760 --> 00:26:12,640 dns control 695 00:26:11,310 --> 00:26:14,720 [Music] 696 00:26:12,640 --> 00:26:16,240 i think the biggest challenge right now 697 00:26:14,720 --> 00:26:17,679 is some more of the 698 00:26:16,240 --> 00:26:20,640 some of the cloud providers have very 699 00:26:17,679 --> 00:26:22,559 sort of specific entries and whilst some 700 00:26:20,640 --> 00:26:25,760 of that has been added to dns control 701 00:26:22,559 --> 00:26:27,760 for azure and aws and cloudflare there's 702 00:26:25,760 --> 00:26:30,000 still some that are missing that you 703 00:26:27,760 --> 00:26:31,840 know would be really handy to see but 704 00:26:30,000 --> 00:26:33,679 you know once 
again it's it's a lot of 705 00:26:31,840 --> 00:26:35,760 stuff is community contributed so you 706 00:26:33,679 --> 00:26:37,520 know it's it's up to the sort of you 707 00:26:35,760 --> 00:26:39,679 know people who have time to put this 708 00:26:37,520 --> 00:26:40,640 stuff in 709 00:26:39,679 --> 00:26:43,679 okay 710 00:26:40,640 --> 00:26:46,480 uh another question is how do you handle 711 00:26:43,679 --> 00:26:49,200 dynamically named names cloud resources 712 00:26:46,480 --> 00:26:51,039 eg load balancer dns names which might 713 00:26:49,200 --> 00:26:53,360 change at any point 714 00:26:51,039 --> 00:26:54,159 um yeah so there's a few tricks around 715 00:26:53,360 --> 00:26:55,520 that 716 00:26:54,159 --> 00:26:56,400 um 717 00:26:55,520 --> 00:26:59,279 for 718 00:26:56,400 --> 00:27:01,679 azure there's their azure alias records 719 00:26:59,279 --> 00:27:04,320 i think they're called um 720 00:27:01,679 --> 00:27:06,159 that's one way that you can 721 00:27:04,320 --> 00:27:08,799 dns controller can actually talk to 722 00:27:06,159 --> 00:27:12,240 azure and start to bring those things in 723 00:27:08,799 --> 00:27:15,120 um and i think there's a similar one for 724 00:27:12,240 --> 00:27:16,640 aws as well but i haven't played around 725 00:27:15,120 --> 00:27:18,880 with that one yet that's on my to-do 726 00:27:16,640 --> 00:27:18,880 list 727 00:27:18,960 --> 00:27:24,799 okay i think that's uh all the questions 728 00:27:21,760 --> 00:27:26,399 we've got okay thank you very much karen 729 00:27:24,799 --> 00:27:29,399 brilliant thank you but thank you 730 00:27:26,399 --> 00:27:29,399 everybody