creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 22:24:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-zero-trust-dns-with-nextdns/references/workflows.md
T

75 lines
2.4 KiB
Markdown
Raw Blame History

# Workflows: Zero Trust DNS with NextDNS
## Workflow 1: Initial NextDNS Deployment
```
Step 1: Create NextDNS Configuration Profile
- Sign up at nextdns.io
- Create configuration profile with unique ID
- Configure security settings (all threat protection enabled)
- Configure privacy settings (blocklists, native tracking)
- Set log retention policy
Step 2: Deploy to Network Infrastructure
- Configure router-level DNS (DoH/DoT)
- Block plaintext DNS (port 53) at firewall for bypass prevention
- Configure split DNS for internal domains
- Test resolution of allowed and blocked domains
Step 3: Deploy to Endpoints
- Install NextDNS CLI on managed endpoints
- Configure mobile devices via app or Private DNS
- Deploy MDM profile for iOS devices
- Verify per-device identification in NextDNS dashboard
Step 4: Monitor and Tune
- Review blocked domains for false positives
- Add necessary allowlist entries
- Monitor query patterns for anomalies
- Adjust blocklists based on organizational needs
```
## Workflow 2: DNS Security Policy Enforcement
```
Step 1: Define DNS Security Policy
- Mandatory security protections (threat intel, DGA, NRD)
- Privacy protections (tracker blocking, telemetry)
- Compliance-specific blocking categories
- Exception handling process
Step 2: Block Plaintext DNS Bypass
- Firewall rule: Block outbound port 53 UDP/TCP
- Exception: Only NextDNS CLI or approved resolvers
- Block known DoH endpoints not managed by organization
- Disable browser-level DoH in favor of system DNS
Step 3: Implement Monitoring
- Set up API integration for log export
- Forward DNS logs to SIEM
- Create alerts for suspicious DNS patterns
- Monitor for DNS tunneling indicators
```
## Workflow 3: Incident Response with DNS Logs
```
Step 1: Detect Suspicious Activity
- Alert on high-frequency queries to single domain
- Alert on queries to known C2 domains (auto-blocked)
- Alert on DGA-like domain patterns
- Alert on DNS tunneling indicators (high entropy, long subdomains)
Step 2: Investigate
- Query NextDNS API for device-level DNS logs
- Correlate blocked domains with threat intelligence
- Identify affected devices and users
- Determine scope of potential compromise
Step 3: Respond
- Add malicious domains to denylist for immediate blocking
- Isolate affected endpoints
- Update firewall rules as needed
- Document findings for incident report
```
Reference in New Issue View Git Blame Copy Permalink