Further Reading: DNS, Email, and Web Security

Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order; you do not need to read everything before Chapter 10.

Suggested order

  1. Read the M3AAWG / DMARC.org deployment guidance to internalize the none → quarantine → reject ladder and why the listening phase matters (🏗️🛡️).
  2. Skim the OWASP Secure Headers Project and run your own site's headers through a public scanner (🏗️).
  3. Read CISA's guidance on protective DNS and DNS sinkholing to ground §9.2 in operational practice (🛡️🏗️).
  4. Keep the relevant RFCs nearby as references, not read-throughs (📜🏗️).

Standards & primary documents (Tier 1)

  • RFC 7208 — Sender Policy Framework (SPF). 🏗️📜 The authoritative SPF specification, including the all-important 10-DNS-lookup limit and the meaning of -all/~all/?all. Reference it when a record misbehaves.
  • RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures. 🏗️📜 How message signing and selector key publication work; read the overview to understand why DKIM survives forwarding.
  • RFC 7489 — Domain-based Message Authentication, Reporting, and Conformance (DMARC). 🏗️📋📜 The keystone spec: alignment, the policy ladder, and the aggregate/forensic report formats. The single most useful document for §9.4.
  • RFC 4033 / 4034 / 4035 — DNS Security Introduction and Requirements (DNSSEC). 🏗️📜 The DNSSEC trilogy; read 4033's introduction for the chain-of-trust model before the wire details.
  • RFC 6797 — HTTP Strict Transport Security (HSTS). 🏗️📜 The HSTS specification, including includeSubDomains and the preload concept this chapter owns.
  • NIST SP 800-81, Secure Domain Name System (DNS) Deployment Guide. 🏗️📋 NIST's operational guidance for deploying and validating DNSSEC and securing zone data — the standards-grounded version of §9.2.
  • NIST SP 800-177, Trustworthy Email. 🏗️📋📜 A practical, government-grade guide to SPF, DKIM, DMARC, and email security as a whole; an excellent companion to §9.3–9.4.
  • OWASP Secure Headers Project (owasp.org). 🏗️ The canonical, continuously updated reference for the §9.5 headers, with recommended values and the attacks each mitigates.
  • OWASP Cheat Sheet Series — Content Security Policy and Session Management. 🏗️ Deep, practical guidance for building a real CSP and setting secure cookie attributes without breaking your app.
  • CISA, Protective DNS guidance and advisories. 🛡️🏗️ Operational background for DNS sinkholing and resolver-layer blocking; the real-world version of the §9.2 sinkhole.
  • FBI IC3, Business Email Compromise public service announcements. 📋🛡️ Authoritative data on BEC's scale and methods, and the 72-hour recovery window that Case Study 2 turns on; these announcements are the data behind the claim that BEC outranks ransomware in dollar losses.

Books (Tier 1)

  • Liska, A., & Stowe, G., DNS Security: Defending the Domain Name System. 🏗️🛡️ A focused, practical treatment of DNS attacks and defenses — poisoning, tunneling, DGAs, and DNSSEC — at exactly this chapter's altitude. The best single book for §9.1–9.2.
  • Hoffman, A., Web Application Security. 🏗️ A modern, defender-oriented tour of browser security including headers, CSP, and the same-origin model; bridges §9.5 to Chapter 13.
  • Chapple, M., & Seidl, D., CompTIA Security+ Study Guide. 📜 Covers DNS attacks, email security, and secure protocols at exam depth; use its network-security chapters alongside this one.

Free online & talks (Tier 1 / Tier 2)

  • DMARC.org and the M3AAWG DMARC deployment documents. 🏗️🛡️ Vendor-neutral, step-by-step rollout guidance — the practical playbook behind Figure 9.3. (Tier 1 for the spec-aligned guidance.)
  • A reputable retrospective on the 2008 Kaminsky DNS cache-poisoning disclosure. 🛡️📜 The incident that forced source-port randomization and accelerated DNSSEC; understanding it explains why §9.2 exists. (Tier 2: read a well-sourced account; specifics vary by retelling.)
  • Public DMARC-report analyzers and "is my domain spoofable?" checkers. 🛡️🏗️ Tools that parse the XML reports from §9.4 into readable dashboards; use them on a domain you control to make the abstract concrete. (Tier 2: pick a reputable, well-reviewed service.)

Tools to explore (in your own lab or on domains you control only)

  • A public HTTP-header / TLS scanner. 🏗️🛡️ Point it at your own site and read which of the §9.5 headers are present, which are missing, and whether HSTS is set with preload. Builds the "audit from the outside" reflex from the §9.5 Defender's Lens.
  • dig / nslookup (read-only DNS queries). 🛡️🏗️ Query your own domain's TXT, MX, and _dmarc/_domainkey records to see SPF, DKIM, and DMARC as they are actually published. Authorized, read-only reconnaissance of your own zones.
  • A DMARC report parser (free tooling). 🛡️ Feed it real aggregate reports for a domain you own and practice the Phase 2 triage from Case Study 1 — separate the attacker rows from your broken senders.
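
As an added example (not from the book and not the code of any of the tools listed), the following Python script reads an SPF record and a DMARC record the way a public "is my domain spoofable?" checker does: it counts the SPF terms that cost a DNS lookup against RFC 7208's limit of ten, reads the qualifier on the all term, and places the DMARC p= tag on the none → quarantine → reject ladder. The two records are constructed samples under the placeholder example.com; to use it on your own zone, paste in the TXT strings that dig returns for the apex and for _dmarc.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample records (example.com is a placeholder), written the way
# `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com` print them.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example include:spf.crm.example a mx -all"
SAMPLE_DMARC = ("v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-agg@example.com; "
                "ruf=mailto:dmarc-fail@example.com; adkim=s; aspf=r")

# SPF terms that each cost a DNS lookup (RFC 7208 section 4.6.4); more than ten is a permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10
POLICY_LADDER = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class SpfSummary:
    valid: bool
    lookups: int = 0
    all_qualifier: Optional[str] = None   # "+", "-", "~", "?" or None if there is no 'all' term
    findings: List[str] = field(default_factory=list)


@dataclass
class DmarcSummary:
    valid: bool
    policy: Optional[str] = None
    rung: int = -1                        # position on the none / quarantine / reject ladder
    pct: int = 100
    findings: List[str] = field(default_factory=list)


def parse_spf(record: str) -> SpfSummary:
    """Count lookup-costing terms and read the 'all' qualifier of a published SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return SpfSummary(False, findings=["not an SPF record: missing v=spf1"])
    summary = SpfSummary(True)
    for term in terms[1:]:
        qualifier = "+"                   # an absent qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            summary.lookups += 1
        if name == "ptr":
            summary.findings.append("ptr mechanism is deprecated (RFC 7208 section 5.5)")
        if name == "all":
            summary.all_qualifier = qualifier
    if summary.all_qualifier is None:
        summary.findings.append("no 'all' term: unlisted senders get a neutral result")
    elif summary.all_qualifier in "+?":
        summary.findings.append(f"'{summary.all_qualifier}all' never fails an unauthorised sender")
    if summary.lookups > SPF_LOOKUP_LIMIT:
        summary.findings.append(
            f"{summary.lookups} DNS lookups exceeds the limit of {SPF_LOOKUP_LIMIT}: permerror")
    return summary


def parse_dmarc(record: str) -> DmarcSummary:
    """Read the p=, pct= and rua= tags of a _dmarc TXT record and rate it on the policy ladder."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return DmarcSummary(False, findings=[f"malformed tag '{part}'"])
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return DmarcSummary(False, findings=["not a DMARC record: missing v=DMARC1"])
    policy = tags.get("p", "").lower()
    if policy not in POLICY_LADDER:
        return DmarcSummary(False, findings=[f"missing or unknown p= value '{policy}'"])
    summary = DmarcSummary(True, policy=policy, rung=POLICY_LADDER[policy],
                           pct=int(tags.get("pct", "100")))
    if policy == "none":
        summary.findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if summary.pct < 100:
        summary.findings.append(f"pct={summary.pct}: policy applied to only {summary.pct}% of failing mail")
    if "rua" not in tags:
        summary.findings.append("no rua= address: no aggregate reports, so the listening phase is blind")
    return summary


if __name__ == "__main__":
    print("SPF  ", parse_spf(SAMPLE_SPF))
    print("DMARC", parse_dmarc(SAMPLE_DMARC))
```

On the sample records the script reports four lookups and a hard-fail -all for SPF, and a quarantine policy with one finding for DMARC: pct=50 means only half of the failing mail is actually quarantined, which is the kind of half-finished rollout the Phase 2 triage in Case Study 1 is meant to surface.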

⚖️ Authorization & Ethics reminder: Querying DNS records and reading HTTP headers is read-only and generally fine, but applying any of this to register look-alike domains, send mail as another domain, or probe systems you do not own crosses into attack. Study these techniques to defend; act only on systems and domains you own or are explicitly authorized to test (Chapter 39).