DNS in Enterprise IR: Collection, Analysis and Response

DerbyCon 6.0 - Recharge

Presented by: Philip Martin
Date: Saturday September 24, 2016
Time: 16:00 - 16:50
Location: Regency South
Track: Teach Me

DNS is an often-overlooked and under-tooled area of security data collection, analysis and response. We will first review existing tools and deployment choices for collecting DNS data and release the 1.0 version of my own network DNS capture tool, gopassivedns. We will then explore several example analytical approaches to large-scale DNS data, including approaches to finding DNS tunneling and discovering attacker infrastructure. Finally, we will look at how DNS can play a part in remediation and release a second tool, a RESTful interface to RPZ, goRPZ. Attendees will walk away able to implement or improve DNS collection and analysis in their environments.

Philip Martin

Philip leads security at Coinbase, where he is continually amazed at the amount of attacker effort and creativity inspired by half a billion dollars of cryptocurrency. Philip also enjoys spending time with his family and making delicious smoked meats.
