🏠 Back to Exam Syllabus πŸ“Ί RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 11.6 - Domain Name System

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series unpacks the naming system that turns readable names into addresses, continuing Domain 4. Name resolution is a favorite target β€” and a quiet one β€” where a poisoned lookup can silently redirect users to a convincing fake, so understanding how resolution works and where it breaks is what lets you detect and prevent those redirections.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

How do the three kinds of address relate?

They stack in layers of permanence. The domain name is a human-friendly label and the least fixed, the IP address is a logical address assigned on top of the hardware and can also change, and the hardware address burned into the interface is the most permanent, though even that can sometimes be spoofed. Resolution walks down this stack: the naming system turns a name into an IP address, and then the address resolution protocol turns that IP address into a hardware address.

What lives inside a DNS zone as records?

Every registered domain has an authoritative name server holding its zone file, a collection of resource records where each type answers a specific question. Address records map a name to a numeric address, a pointer record does the reverse, an alias record links one name to another, a mail record names the servers that accept email, a name-server record identifies which servers are authoritative, and the start-of-authority record holds the master details and refresh timing. Think of the zone file as the domain’s phone book.

How is name resolution secured?

With two complementary additions. The security extensions add mutual certificate authentication and encrypted sessions between servers, which blunts server-focused abuses like zone poisoning β€” but they protect only the servers, not the clients querying them. To protect the client side, resolution over an encrypted web session wraps the query and response inside a protected tunnel, and a privacy-focused variant even adds a proxy so the resolver never learns who asked, at the cost of trusting that proxy provider.

How do you defend against DNS poisoning?

With layered, practical measures. Run a split arrangement with one server facing the public and a separate one for internal use, restrict zone transfers, and require internal clients to resolve through your internal servers. Deploy intrusion detection to watch for abnormal lookups, harden every server and client, turn on the security extensions and encrypted resolution where supported, and consider a sinkhole that deliberately returns false answers to steer malware away from its command servers.

What threats target the domain name itself?

Two stand out. Domain hijacking is the theft of a domain’s registration, often by stealing registrar credentials, letting the new owner host a convincing fake and harvest personal information β€” defend it with strong multi-factor authentication at your registrar and auto-renewal so registration never lapses. The homograph attack registers look-alike names using characters from other alphabets that mimic familiar letters, so slow down and inspect any address that looks a shade off.

πŸ“š Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 11.6 - Domain Name System.