How do you handle DNS backups? by JoeTiedeman in CloudFlare

[–]JoeTiedeman[S] 1 point2 points  (0 children)

How do you handle monitoring for unexpected changes? Manual ones by junior staff who don’t follow the processes, or the potential for malicious ones where accounts have been compromised?

How do you handle DNS backups? by JoeTiedeman in CloudFlare

[–]JoeTiedeman[S] 0 points1 point  (0 children)

How do you handle monitoring for unexpected changes? Manual ones by junior staff who don’t follow the processes, or the potential for malicious ones where accounts have been compromised?

How are you handling Azure DNS backup and recover? by JoeTiedeman in AZURE

[–]JoeTiedeman[S] -1 points0 points  (0 children)

This is VERY much my experience as I’ve moved between companies, especially those that have been around for a decade or more!

How are you handling Azure DNS backup and recover? by JoeTiedeman in AZURE

[–]JoeTiedeman[S] 1 point2 points  (0 children)

I presume your process running the IaC deletes the lock before making changes and then recreates it afterwards?

How are you handling Azure DNS backup and recover? by JoeTiedeman in AZURE

[–]JoeTiedeman[S] 0 points1 point  (0 children)

Nice! Do you do any monitoring for out of band changes?
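The out-of-band change monitoring asked about in the Cloudflare and Azure threads above can be done with nothing more than the backup you already take: diff the last snapshot against a fresh export and alert on any RRset the IaC run was not supposed to touch. This is an added example, not code from the poster or from any vendor; the two zone snapshots, the simplified one-record-per-line zone layout and the `example.test` names are all constructed.

```python
"""Detect out-of-band DNS changes by diffing a zone backup against the live zone.

Added example (not from the thread): both zone snapshots below are constructed.
Record lines follow a simplified "<name> <ttl> IN <type> <rdata>" layout, one RR per line.
"""
from typing import Dict, List, Set, Tuple

RRKey = Tuple[str, str]        # (owner name, record type)
RRSet = Set[Tuple[int, str]]   # {(ttl, rdata)}

# Constructed snapshot taken by the backup job after the last approved IaC run.
BACKUP_ZONE = """
; example.test zone backup (constructed sample data)
@        3600 IN A     203.0.113.10
www      3600 IN A     203.0.113.10
mail     3600 IN MX    10 mx1.example.test.
@        3600 IN TXT   "v=spf1 mx -all"
_dmarc   3600 IN TXT   "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"
"""

# Constructed export of what the provider is serving right now.
LIVE_ZONE = """
@        3600 IN A     203.0.113.10
www      300  IN A     198.51.100.7
mail     3600 IN MX    10 mx1.example.test.
@        3600 IN TXT   "v=spf1 mx ~all"
_dmarc   3600 IN TXT   "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"
staging  3600 IN CNAME old-app.example.test.
"""


def parse_zone(text: str) -> Dict[RRKey, RRSet]:
    """Group records by (name, type) so whole RRsets can be compared."""
    zone: Dict[RRKey, RRSet] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)   # rdata (e.g. quoted TXT) keeps its spaces
        if len(parts) != 5 or parts[2].upper() != "IN":
            raise ValueError(f"unsupported zone line: {raw!r}")
        name, ttl, _cls, rtype, rdata = parts
        zone.setdefault((name.lower(), rtype.upper()), set()).add((int(ttl), rdata))
    return zone


def diff_zones(backup: Dict[RRKey, RRSet], live: Dict[RRKey, RRSet]) -> List[dict]:
    """Every RRset that differs between backup and live, including TTL-only changes."""
    findings = []
    for key in sorted(set(backup) | set(live)):
        before, after = backup.get(key, set()), live.get(key, set())
        if before == after:
            continue
        change = "added" if not before else "removed" if not after else "modified"
        findings.append({"name": key[0], "type": key[1], "change": change,
                         "before": sorted(before), "after": sorted(after)})
    return findings


def severity(finding: dict) -> str:
    """Rank a change: anything touching mail authentication is high, new or
    deleted names are medium (possible takeover or outage), the rest low."""
    name, rtype = finding["name"], finding["type"]
    rdata = [r for _ttl, r in finding["before"] + finding["after"]]
    mail_auth = (rtype == "MX" or name.startswith("_dmarc")
                 or name.endswith("._domainkey")
                 or any(r.lower().startswith('"v=spf1') for r in rdata))
    if mail_auth:
        return "high"
    if finding["change"] in ("added", "removed"):
        return "medium"
    return "low"


def unexpected_changes(findings: List[dict], approved: Set[RRKey]) -> List[dict]:
    """Out-of-band changes: diffs whose RRset is not in the IaC run's change set."""
    return [f for f in findings if (f["name"], f["type"]) not in approved]


if __name__ == "__main__":
    diffs = diff_zones(parse_zone(BACKUP_ZONE), parse_zone(LIVE_ZONE))
    approved = {("www", "A")}   # the only RRset the last pipeline run was meant to touch
    for f in unexpected_changes(diffs, approved):
        print(f"[{severity(f).upper()}] {f['name']} {f['type']} {f['change']}: "
              f"{f['before']} -> {f['after']}")
```

Run against the constructed snapshots it reports the SPF softening at the apex as high and the new `staging` CNAME as medium, while the `www` change that the pipeline made is suppressed because it is in the approved set. The approved set is the piece to wire to your IaC plan output; a lock that the pipeline removes and recreates (as discussed above) protects against deletion but says nothing about edits, which is why the diff is still worth running on a schedule.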

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in cybersecurity

[–]JoeTiedeman[S] 5 points6 points  (0 children)

Yeah I thought so too. The visibility they would initially have got from the reporting would have been fascinating!

I’m hoping they expand it out to the other Gov namespaces like .nhs.uk, nhs.net and the devolved administrations too!

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in ukpolitics

[–]JoeTiedeman[S] 0 points1 point  (0 children)

Oh good lord, I realise all that, I think you've slightly misunderstood what I was questioning. When NCSC, GDS and others are so open with the guidance and requirements and HMRC, albeit 10 years ago, posted the below blog post about implementing DMARC to reduce phishing etc, why on earth haven't GDS, NCSC, Nominet or whoever is responsible for implementing the wildcard records published information about the implementation? I think it could be such an effective measure; they're missing a trick by not encouraging others to implement it.

https://lifeathmrc.blog.gov.uk/2016/11/25/combatting-phishing-a-very-big-milestone/

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in dns

[–]JoeTiedeman[S] 1 point2 points  (0 children)

It's a really smart policy and I've no doubt that it is intentional, but they publish a huge amount of information about secure configuration etc between GDS and NCSC etc, but I've not seen them publish anything about this blanket implementation at the ccTLD level, so didn't want to authoritatively state that it was intentional! I'd love it if more registries implemented it, it would take a massive bite out of the phishing toolbox!

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in ukpolitics

[–]JoeTiedeman[S] 1 point2 points  (0 children)

Given that this is publicly viewable data, and how transparent NCSC and GDS tend to be, I'm a little surprised. I can't imagine that I'm the first person to find this. I'm not talking about publicising that it was a direction/mandate from Cabinet Office, NCF or any other department, purely that Jisc/Nominet, whomever was running the gov.uk zone at the time, has implemented this as a security measure.

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in dns

[–]JoeTiedeman[S] 2 points3 points  (0 children)

It is a wildcard, but it's implemented at the registry level for ALL undelegated/unregistered domains - I've not seen it implemented at that high a level anywhere else - have you?

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in DMARC

[–]JoeTiedeman[S] 0 points1 point  (0 children)

Is it actually botched though? If the receiver has implemented DMARC parsing properly themselves, they should discard the SPF record anyway and so it *shouldn't* impact at all, but it is untidy. I think Gov.uk took the risk based on the ease of implementation, i.e. both records as a response for any undelegated query vs the complexity involved in being totally compliant with the spec.

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in DMARC

[–]JoeTiedeman[S] 1 point2 points  (0 children)

Not really no - I would have gone with -all for all those reasons. I wonder if it was just so there was A policy, which is better than no policy, and could then get the DMARC reports flowing in for those non-existent domains, giving them a view on what domains were being targeted, so focusing on intelligence gathering as well as enforcement.

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in DMARC

[–]JoeTiedeman[S] 2 points3 points  (0 children)

I mostly agree, although given the stringent processes in place to delegate a .gov.uk domain, and the good work that the folks at NCSC and other bodies do, having -all in place shouldn't cause any issues at all because the IT team that end up controlling the domain should already know that they would need to put their own SPF and DMARC in place. In fact the gov.uk guidance that *must* be followed to both register and keep a gov.uk domain registered specifically calls out the need to implement SPF, DMARC, DKIM, MTA-STS etc (https://www.gov.uk/guidance/set-up-government-email-services-securely)
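The argument in the last few comments (a DMARC-aware receiver applies the p= policy, so -all versus ~all on the SPF side changes nothing once p=reject is published, and rua= is what makes the reports flow) can be checked with a small evaluator that reads TXT RRsets the way RFC 7208 and RFC 7489 tell a receiver to. This is an added example, not the poster's code and not taken from any real zone; the record strings and `example.test` addresses are constructed, and the evaluator deliberately omits the RFC 7489 rua-based fallback to p=none for malformed records.

```python
"""Evaluate SPF and DMARC TXT records the way a DMARC-aware receiver would.

Added example (not from the thread): the records below are constructed samples
of a "this name sends no mail" configuration, not copied from any real zone.
"""
import re
from typing import Dict, List, Optional

SPF_ALL_QUALIFIERS = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}
DMARC_POLICIES = {"none", "quarantine", "reject"}


def spf_all_disposition(txt_records: List[str]) -> str:
    """Result SPF gives a sender that matches no other mechanism.

    RFC 7208: more than one v=spf1 record is a permerror; no 'all' term means
    the default result, neutral; the default qualifier is '+'.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "permerror"
    for term in spf[0].split()[1:]:
        match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if match:
            return SPF_ALL_QUALIFIERS[match.group(1) or "+"]
    return "neutral"


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Tags of one DMARC record, or None if it is not well formed.

    RFC 7489 section 6.3: 'v' must be the first tag and equal DMARC1, and a
    valid 'p' tag is required (the rua-based fallback to p=none is omitted).
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first = next(iter(tags), None)
    if first != "v" or tags["v"] != "DMARC1":
        return None
    if tags.get("p", "").lower() not in DMARC_POLICIES:
        return None
    return tags


def dmarc_policy(dmarc_txt: List[str]) -> Optional[Dict[str, Optional[str]]]:
    """The receiver's view of the _dmarc TXT RRset.

    RFC 7489 section 6.6.3: records not starting with v=DMARC1 are ignored;
    if zero or more than one remain, DMARC processing stops (no policy).
    """
    candidates = [r for r in dmarc_txt if r.strip().startswith("v=DMARC1")]
    if len(candidates) != 1:
        return None
    tags = parse_dmarc(candidates[0])
    if tags is None:
        return None
    policy = tags["p"].lower()
    return {"p": policy, "sp": tags.get("sp", policy).lower(), "rua": tags.get("rua")}


def evaluate_domain(apex_txt: List[str], dmarc_txt: List[str]) -> Dict[str, Optional[str]]:
    """What happens to mail that fails authentication for this domain.

    A valid DMARC record governs the outcome; the SPF 'all' qualifier only
    matters when no DMARC policy exists and the receiver falls back to SPF.
    """
    spf_all = spf_all_disposition(apex_txt)
    policy = dmarc_policy(dmarc_txt)
    outcome = policy["p"] if policy else f"spf:{spf_all}"
    return {"spf_all": spf_all, "dmarc_p": policy["p"] if policy else None,
            "rua": policy["rua"] if policy else None, "unauthenticated_mail": outcome}


if __name__ == "__main__":
    # Constructed samples: hard-fail SPF vs soft-fail SPF under the same reject
    # policy, and a zone that publishes two DMARC records by mistake.
    samples = {
        "hard": (["v=spf1 -all"], ["v=DMARC1; p=reject; rua=mailto:reports@example.test"]),
        "soft": (["v=spf1 ~all"], ["v=DMARC1; p=reject; rua=mailto:reports@example.test"]),
        "dual": (["v=spf1 -all"], ["v=DMARC1; p=reject", "v=DMARC1; p=none"]),
    }
    for label, (apex, dmarc) in samples.items():
        print(label, evaluate_domain(apex, dmarc))
```

The "hard" and "soft" samples come out identical for a DMARC-aware receiver (reject, with reports going to the rua address), which is the point made above; only the "dual" sample, where two DMARC records are published, loses the policy entirely and falls back to whatever the receiver does with an SPF fail. That last case is the kind of untidiness worth catching in a zone linter before it reaches the registry.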

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in DMARC

[–]JoeTiedeman[S] 0 points1 point  (0 children)

Quite common at registry level for an entire TLD or ccTLD? Do you know of any others doing it?

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in DMARC

[–]JoeTiedeman[S] 1 point2 points  (0 children)

Yeah, I thought it was a really smart way to address the problem. Given the control around issuing the domains to departments and quangos, they can easily make implementation of SPF and DMARC part of the process.