Exercises: DNS, Email, and Web Security

These exercises move from protocol mechanics to deployment judgment to detection. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before you read one.

Use documentation domains (meridianbank.example, example.com) and documentation IP ranges in all of your answers. Where an exercise asks you to "write a record" or "design," there is rarely one perfect answer; the reasoning matters more than the exact syntax.


Part A — DNS mechanics and abuse ⭐

1.† In one sentence each, define DNS poisoning, DNS tunneling, DNS exfiltration, and a DNS sinkhole. Then write one sentence that correctly distinguishes tunneling from exfiltration.

2. Match each DNS record type to its job: A, AAAA, MX, TXT, CNAME, NS. For each of SPF, DKIM, and DMARC, name which record type holds it.

3. Classify each as a DNS integrity problem, a DNS confidentiality problem, or neither: (a) cache poisoning; (b) an ISP logging which sites you visit; (c) typosquatting; (d) a forged answer that redirects users to a phishing site. For each, name the technology (if any) that addresses it.

4.† Explain why classic DNS makes cache poisoning possible, referencing the transport and the lack of authentication. Then explain how caching turns one successful forgery into many victims.

5. A firewall blocks all outbound traffic except DNS (port 53) and HTTPS (443). A junior colleague says, "Good — DNS is just lookups, it can't leak data." Explain, in three sentences, why they are wrong.


Part B — DNSSEC, sinkholes, and DNS hardening ⭐⭐

6. A teammate claims DNSSEC will "encrypt our DNS and hide our lookups from our ISP." Correct them: what does DNSSEC actually provide, what does it not provide, and what technology gives the property they wanted?

7.† Harden it. You are auditing three published records (use dnsguard.py logic from the checkpoint, or reason by hand). For each, state the posture and the fix:

(a) v=spf1 ip4:203.0.113.10 ~all
(b) v=DMARC1; p=none; rua=mailto:dmarc@meridianbank.example
(c) v=spf1 include:_spf.cloud-mail.example ?all

8. Explain how a single DNS sinkhole entry can be both a preventive and a detective control. Describe what its logs reveal that an endpoint antivirus might miss.

9. DNSSEC "fails closed" — a misconfigured or expired signature breaks resolution (SERVFAIL) rather than silently downgrading. Argue why this fail-closed behavior is the correct design for a security control, and name one operational risk it introduces that you must plan for.

10.† Design it. Sketch Meridian's DNS hardening plan in five bullet points, covering: signing external zones, validating at internal resolvers, sinkholing, query logging, and the one thing DNSSEC does not solve (so a second control is still needed).


Part C — Email threats: phishing, BEC, spoofing ⭐⭐

11. Distinguish phishing, spear-phishing, and business email compromise. For each, name one characteristic that makes it harder to detect than the one before it.

12.† Analyze this. You receive the following (illustrative) email headers. Identify at least three indicators that this is a phishing or BEC attempt, and state which single indicator would survive even if the attacker had used a perfectly look-alike domain.

From: "Dana Okafor, CISO" <dana.okafor@meridi1anbank.example>
Reply-To: cfo-urgent@gmail.example
Subject: URGENT wire — confidential, before 4pm
Date: Tue, 14 May 2024 13:58:02 +0000
X-Sender-IP: 192.0.2.55
SPF: fail (domain meridi1anbank.example does not authorize 192.0.2.55)

(a) List the indicators. (b) Which field shows the display-name vs. address mismatch trick? (c) Why would SPF/DKIM/DMARC on meridianbank.example (the real domain) not have blocked this specific message, and what control would?

13. Why does business email compromise frequently evade antivirus, sandboxing, and malicious-URL filters? Name the one category of control (not a product) that is the primary defense against the compromised-real-mailbox variant.

14.† Respond to this incident. A user reports a suspicious email; on inspection it is a credential-harvesting phish that 40 employees received, and 2 have already clicked. Write the first six containment/response steps a SOC analyst should take, in order. (Tie to the report-phish workflow and §9.6 pivoting.)

15. A vendor sends Meridian a wire-instruction change by email from their genuine, verified address. Everything authenticates. Describe the process control that should still stop a fraudulent change, and explain why no email-authentication technology can substitute for it.


Part D — SPF, DKIM, DMARC (write the record) ⭐⭐–⭐⭐⭐

16. Write the record. Meridian sends mail from two on-prem servers (203.0.113.10, 203.0.113.11) and through a cloud provider whose SPF is _spf.cloud-mail.example. Write Meridian's SPF record so that all other sources hard-fail. Explain each mechanism.

17.† Write the record. Write a DMARC record for meridianbank.example that (a) rejects failing mail, (b) sends aggregate reports to dmarc-reports@meridianbank.example, (c) applies to 100% of mail, and (d) requires strict alignment. Then write the monitoring-phase version you would publish first, and explain the difference.

18. Find the vulnerability. Here is a real-world-style DMARC record. Identify why it provides no protection despite looking complete, and rewrite it correctly: v=DMARC1; sp=reject; rua=mailto:reports@example.com (Hint: which tag sets the policy for the organizational domain itself?)
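A posture checker of the kind exercises 7 and 18 ask you to reason through, added here as an illustration; it is not the chapter's dnsguard.py or code/exercise-solutions.py. It only inspects the terminal all qualifier of an SPF record and the p tag of a DMARC record, and the sample records are the ones quoted in those two exercises.

```python
"""Posture check for published SPF and DMARC TXT records (exercises 7 and 18)."""
import re

# Records from exercises 7 and 18 (documentation domains; constructed sample).
SAMPLE_RECORDS = {
    "spf_softfail": "v=spf1 ip4:203.0.113.10 ~all",
    "dmarc_monitor": "v=DMARC1; p=none; rua=mailto:dmarc@meridianbank.example",
    "spf_neutral": "v=spf1 include:_spf.cloud-mail.example ?all",
    "dmarc_no_p": "v=DMARC1; sp=reject; rua=mailto:reports@example.com",
}

def spf_posture(record):
    """Return (posture, fix) decided by the qualifier on the terminal 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("invalid", "record must start with v=spf1")
    qualifier = None  # '-' fail, '~' softfail, '?' neutral, '+' (or none) pass
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"
    fixes = {
        "-": ("hard-fail", "none needed"),
        "~": ("soft-fail", "change ~all to -all once every sender is listed"),
        "?": ("neutral", "change ?all to -all; ?all asserts nothing about unlisted hosts"),
        "+": ("pass-all", "remove +all; it authorizes every host on the Internet"),
    }
    return fixes.get(qualifier, ("no-all", "append -all so unlisted senders fail"))

def dmarc_posture(record):
    """Return (posture, fix). Only the 'p' tag covers the organizational domain."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ("invalid", "record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if not policy:
        # RFC 7489 makes p mandatory; without it receivers treat the record as
        # p=none at best, so sp=reject protects subdomains only.
        return ("unprotected", "add p=reject (sp= applies to subdomains only)")
    fixes = {
        "none": ("monitor-only", "move to p=quarantine, then p=reject, once reports are clean"),
        "quarantine": ("quarantine", "advance to p=reject when reports stay clean"),
        "reject": ("enforcing", "none needed"),
    }
    return fixes.get(policy, ("invalid", f"unknown policy {policy!r}"))
```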

19.† Explain alignment in DMARC. Construct a concrete example in which SPF passes but DMARC fails, and explain why that outcome is exactly what you want.

20. SPF breaks when mail is forwarded, but DKIM survives forwarding. Explain why, in terms of what each one authenticates and where the proof travels. What does this imply about deploying only one of the two?

21. ⭐⭐⭐ Design it. Meridian uses six different systems to send mail (core mail, marketing platform, helpdesk ticketing, an HR system, a fraud-alert SMS-to-email gateway, and a branch scanner that emails PDFs). Design the rollout plan that gets Meridian to p=reject without breaking any of the six. At which step do you discover the branch scanner is misconfigured, and how?


Part E — Web hardening: headers, HSTS, cookies ⭐⭐

22.† Harden it. A security scan of Meridian's online-banking portal reports these response headers:

HTTP/2 200
content-type: text/html
set-cookie: session=abc123; Path=/
server: nginx

(a) List every security header that is missing from the §9.5 baseline. (b) List every secure-cookie attribute that is missing and the specific attack each one would mitigate. (c) Write the corrected response-header set.

23. Explain precisely what attack HSTS prevents. Then explain why max-age alone leaves a gap on a user's first visit, and how the preload directive closes it.

24. A developer sets Content-Security-Policy: default-src *; script-src 'self' 'unsafe-inline'. Explain why this CSP is nearly worthless, and rewrite it to a sane baseline for an app that loads only its own scripts and styles.

25.† For each cookie attribute — Secure, HttpOnly, SameSite=Strict — name the specific attack it defends against and explain the mechanism in one sentence. Which one defends a session cookie against theft via a cross-site scripting flaw?

26. HSTS, secure cookies, and DNSSEC all build on a layer from an earlier chapter. For each, name the foundation it depends on (e.g., HSTS depends on TLS from Chapter 5). Why is each one a policy on top of a mechanism rather than a mechanism itself?


Part F — Detection in telemetry ⭐⭐

27.† Analyze this log. Given these (illustrative) resolver query logs, identify which host shows DGA behavior and which shows tunneling, and state the single field that distinguishes them.

time      src        query                                   rcode
10:00:01  10.0.0.7   kq3v9xzplmw.example                     NXDOMAIN
10:00:01  10.0.0.7   p0o9i8u7y6t5.example                    NXDOMAIN
10:00:02  10.0.0.7   mnbvcxzlkjh.example                     NXDOMAIN
10:00:05  10.0.0.9   f8a3k2j9d7m4q1p0.exfil.example          NOERROR
10:00:06  10.0.0.9   z1x2c3v4b5n6m7q8.exfil.example          NOERROR
10:00:07  10.0.0.9   q9w8e7r6t5y4u3i2.exfil.example          NOERROR

28. Write the rule. In plain SQL-like pseudocode (or Sigma-style prose), write a detection that flags possible DNS tunneling. Name the three quantitative signals you would threshold on and a sensible starting value for each.
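The per-host profiling that exercises 27 and 28 describe, run over the exercise 27 log, as an added example that is not part of the chapter's code/exercise-solutions.py. The three signals (label entropy, label length, NXDOMAIN ratio) and their starting thresholds are assumptions to be tuned against your own baseline; the extra www row is constructed to show a benign host.

```python
import math
from collections import defaultdict

# Constructed resolver log in the same shape as the exercise 27 table.
LOG = """\
10:00:01  10.0.0.7   kq3v9xzplmw.example                     NXDOMAIN
10:00:01  10.0.0.7   p0o9i8u7y6t5.example                    NXDOMAIN
10:00:02  10.0.0.7   mnbvcxzlkjh.example                     NXDOMAIN
10:00:05  10.0.0.9   f8a3k2j9d7m4q1p0.exfil.example          NOERROR
10:00:06  10.0.0.9   z1x2c3v4b5n6m7q8.exfil.example          NOERROR
10:00:07  10.0.0.9   q9w8e7r6t5y4u3i2.exfil.example          NOERROR
10:00:08  10.0.0.12  www.meridianbank.example                NOERROR
"""

def shannon_entropy(label):
    """Bits per character; random-looking labels score high, dictionary words low."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def profile_sources(log_text):
    """Group queries by source host and compute the three signals per host."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] != "time":  # skip header/blank lines
            by_src[parts[1]].append((parts[2], parts[3]))
    profiles = {}
    for src, queries in by_src.items():
        labels = [qname.split(".")[0] for qname, _ in queries]
        profiles[src] = {
            "queries": len(queries),
            "nxdomain_ratio": sum(rc == "NXDOMAIN" for _, rc in queries) / len(queries),
            "mean_label_len": sum(map(len, labels)) / len(labels),
            "mean_entropy": sum(map(shannon_entropy, labels)) / len(labels),
        }
    return profiles

def classify(profile, min_entropy=3.0, min_label_len=12, nx_ratio=0.5):
    """Starting thresholds are assumptions; tune against your own baseline traffic."""
    random_looking = profile["mean_entropy"] >= min_entropy
    if random_looking and profile["nxdomain_ratio"] >= nx_ratio:
        return "suspected DGA"        # random names that mostly do not resolve
    if random_looking and profile["mean_label_len"] >= min_label_len:
        return "suspected tunneling"  # long random labels that do resolve
    return "benign"

def verdicts(log_text=LOG):
    return {src: classify(p) for src, p in profile_sources(log_text).items()}
```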

29.† Write a detection concept for BEC that does not rely on any malware or link. List the weak signals you would correlate and explain why correlation, not any single rule, is required.

30. A DMARC aggregate report shows 54 messages from an unknown IP failing both SPF and DKIM, and 18 messages from your own helpdesk app failing SPF but passing DKIM. Explain why a defender must act on both rows, and what different action each requires.


Part G — CTF-style challenge ⭐⭐⭐

31.† The look-alike sweep. You are given a list of sender domains seen in inbound mail this week:

meridianbank.example
meridian-bank.example
meridi1anbank.example
meridianbank.example.co
mer1d1anbank.example
title-co.example

Meridian's real domain is meridianbank.example. (a) Identify every domain that is a likely look-alike ("cousin") of the real one, and explain the technique each uses (digit substitution, hyphen insertion, TLD swap, etc.). (b) Propose a detection that would surface such domains automatically (hint: edit distance / homoglyphs). (c) For the two domains that are not look-alikes, explain how you would still decide whether they are safe.
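One way to automate the sweep that part (b) of exercise 31 asks for, added here as an illustration and not the chapter's code/exercise-solutions.py. The homoglyph map and the edit-distance threshold of 2 are assumptions; the sender list is the one given in the exercise.

```python
# Look-alike ("cousin") domain sweep for exercise 31.
REAL_DOMAIN = "meridianbank.example"

# Constructed inbound sender list, copied from the exercise 31 table.
SEEN_DOMAINS = [
    "meridianbank.example",
    "meridian-bank.example",
    "meridi1anbank.example",
    "meridianbank.example.co",
    "mer1d1anbank.example",
    "title-co.example",
]

# Assumed homoglyph map: digits commonly swapped for letters in cousin domains.
HOMOGLYPHS = str.maketrans({"1": "i", "0": "o", "3": "e", "5": "s", "7": "t"})

def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(label):
    """Collapse the cheap tricks: hyphens, digit-for-letter, 'rn' for 'm'."""
    return label.replace("-", "").replace("rn", "m").translate(HOMOGLYPHS)

def classify_domain(domain, real=REAL_DOMAIN, max_distance=2):
    """Return a verdict string; 'unrelated' means no resemblance was found."""
    if domain == real:
        return "legitimate"
    real_label, label = real.split(".")[0], domain.split(".")[0]
    if label == real_label:
        return "look-alike: TLD/suffix swap"
    if normalize(label) == real_label:
        return "look-alike: hyphen/homoglyph substitution"
    dist = min(levenshtein(label, real_label), levenshtein(normalize(label), real_label))
    if dist <= max_distance:
        return f"look-alike: edit distance {dist}"
    return "unrelated"

def sweep(domains=SEEN_DOMAINS):
    return {d: classify_domain(d) for d in domains}
```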


Part H — Interleaved & forward-looking ⭐⭐

32. (Interleaved with Ch. 7) A DNS sinkhole and a firewall default-deny rule both block known-bad destinations. Compare them: at what layer and at what point in a connection attempt does each act, and why is having both an example of defense in depth?

33. (Interleaved with Ch. 6) DNS runs over UDP port 53 by default. Using the network-layer vocabulary from Chapter 6, explain why a connectionless transport with no handshake makes spoofed responses easier to inject than a connection-oriented protocol would.

34. (Interleaved with Ch. 5) HSTS forces the use of TLS, the protocol from Chapter 5. Explain how an SSL-stripping attack defeats TLS availability without breaking TLS cryptography, and how HSTS restores the guarantee.

35. ⭐⭐⭐ Forward look. This chapter sets up Chapter 13 (web application security) and Chapter 30 (security awareness). Predict, in a short paragraph each: (a) which attacks the §9.5 headers defend against that Chapter 13 will dissect in depth, and (b) how the human-reporting culture from §9.3 becomes a measurable program in Chapter 30.


Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor. Code for the computational problems is in code/exercise-solutions.py.