DNS Incident Response: Field Guide
RCCE students will learn Domain Name System security including DNS architecture, DNSSEC, DNS over HTTPS/TLS, DNS tunneling detection, DNS sinkholing, and DNS-based threat detection. RCCE students will learn to configure DNS infrastructure securely, implement DNSSEC for zone integrity, detect and block DNS-based attacks including cache poisoning, DNS tunneling, domain generation algorithms, and DNS rebinding, configure DNS-based security controls for threat blocking, analyze DNS logs for indicators of compromise, deploy DNS monitoring for threat detection, and respond to incidents involving DNS infrastructure compromise or abuse. This incident response course prepares students to act decisively during security incidents with structured workflows and clear decision frameworks. Starting from foundational concepts, RCCE students will learn containment, evidence collection, eradication, and recovery procedures specific to this domain. Students practice incident scenarios that build the composure, coordination, and documentation skills essential for effective incident handling.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing DNS Incident Response: Field Guide
- Execute hands-on tasks for field guide
- Execute hands-on tasks for knowledge goals
- Execute hands-on tasks for skill goals — covering DNS infrastructure securely.
- Execute hands-on tasks for identify dns-based attack patterns — covering DNS infrastructure securely.
- Design a scalable privilege management architecture with policy and enforcement
- Execute hands-on tasks for key concepts — covering Root servers: 13 logical root name servers.
- Execute hands-on tasks for caching behavior — covering Recursive: resolver does all work.
- Execute hands-on tasks for record type
- Execute hands-on tasks for security note — covering TXT records are commonly abused for tunneling and exfiltration — monitor query lengths and entropy.
- Explain DNSSEC Implementation Overview fundamentals — covering Data origin authentication, Data integrity verification, RRSIG: digital signatures on records.
- Execute hands-on tasks for what dnssec provides — covering Data origin authentication, Data integrity verification.
- Execute hands-on tasks for dnssec record types — covering RRSIG: digital signatures on records, DNSKEY: public signing keys.
| Module 01 | Field Guide |
| Module 02 | Knowledge Goals |
| Module 03 | Skill Goals |
| Module 04 | Identify DNS-based attack patterns |
| Module 05 | DNS Architecture Fundamentals |
| Module 06 | Key Concepts |
| Module 07 | Caching Behavior |
| Module 08 | Record Type |
| Module 09 | Security Note |
| Module 10 | DNSSEC Implementation Overview |
| Module 11 | What DNSSEC Provides |
| Module 12 | DNSSEC Record Types |
| Module 13 | DNSSEC Key Management |
| Module 14 | DNS over HTTPS (DoH) and DNS over TLS (DoT) |
All hands-on labs run on Rocheston Rose X OS. Students practice dns incident response: field guide by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for field guide
- Lab 2: Execute hands-on tasks for knowledge goals
- Lab 3: Execute hands-on tasks for skill goals
- Lab 4: Execute hands-on tasks for identify dns-based attack patterns
- Lab 5: Design a scalable privilege management architecture with policy and enforcement
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for DNS Incident Response: Field Guide, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI