Module 9 · Lesson 6

Closing: 20 Years of DNS, Distilled

Anouar's honest perspective on what actually matters after two decades building internet infrastructure. Not a wrap-up — a practitioner's view from the other side.

Closing: 20 Years of DNS, Distilled

I've been working with DNS professionally since 2006. That's not a credential I mention to impress you — it's context for what follows, because most of what I'm about to say I learned the wrong way.

DNS Is Infrastructure

This should be obvious, but it isn't. In most organizations, DNS is treated as a supporting detail — something you set up once and come back to when there's a problem. The configuration lives in a console someone has the password to. There's no monitoring. There's no runbook. When something breaks, someone who vaguely remembers the setup gets paged.

Compare this to how the same organization treats its database, its load balancers, its deployment pipeline. There's monitoring. There's a runbook. There are automated alerts and documented rollback procedures. Changes go through a review process.

DNS deserves the same treatment, because an DNS failure is indistinguishable from an application failure from the user's perspective. When your domain stops resolving, your product is down. When your MX records break, your business email stops working. When a registrar transfer goes wrong, your brand disappears from the internet until you fix it.

Treat DNS like infrastructure. That means: version control, monitoring, redundancy, change management, documented ownership.

The Fundamentals Haven't Changed

RFC 1034 and 1035 were published in 1987. Paul Mockapetris designed a system that has scaled from a few hundred hosts to billions of names. The core concepts — the distributed hierarchy, authoritative and recursive resolution, the record types, the TTL-based caching model — are the same ones you've been learning throughout this course.

This is genuinely unusual in technology. The protocols that underpin the internet are more stable than almost any other layer of the stack. HTTP has had major versions. TLS has deprecated old versions and introduced new ones. DNS has accumulated additions — DNSSEC, EDNS0, DoT, DoH — but the foundation is intact.

What this means practically: the investment you make in understanding DNS deeply doesn't depreciate the way knowledge of a specific framework does. The debugging skills you develop with dig, the understanding of how resolvers cache and propagate changes, the intuition about when a problem is a DNS problem versus an application problem — these stay relevant.

When I was learning this, I wanted shortcuts. I wanted someone to tell me the right default configuration and leave it at that. That's not how it works. The deep understanding is what lets you diagnose the failure at 2am that doesn't fit any known pattern, or make the right call during a migration when the plan meets reality and starts to deviate.

Security Is Not Optional

I've watched organizations lose their email deliverability for weeks because they launched without DMARC. I've seen domains get hijacked via registrar account compromise because nobody had enabled 2FA. I've seen phishing campaigns run for months against brands whose monitoring would have caught them in hours if it had been configured.

None of these are exotic attacks. They're not sophisticated. They succeed because the defensive measures were skipped — not because the attacker was clever, but because the defender hadn't done the basic work.

Email authentication (SPF, DKIM, DMARC), registrar security (2FA, transfer lock, registry lock for critical domains), and passive DNS monitoring are not projects with dedicated timelines. They're maintenance. They're part of what you do when you launch a product or bring a domain into service. They take hours to configure. The cost of not having them can be months of cleanup.

If there's one thing I'd change about how I taught DNS early in my career, it's that I treated security as an advanced topic. It's not. It's chapter one.

The Namespace Will Keep Expanding

There are over 1,200 new gTLDs from the first application round. A second round is coming. New brand TLDs. More ccTLDs becoming operationally accessible. The domain namespace will be significantly larger ten years from now than it is today.

This creates pressure on everyone who manages a brand or operates internet infrastructure. The instinct is to try to stay ahead of it by registering everything — every variant, every new TLD, every possible permutation. This doesn't work. The namespace grows faster than any budget can cover.

What works is a strategy with defined tiers, clear criteria for what you register and what you monitor, and a process for responding to threats rather than trying to prevent them all preemptively. UDRP exists precisely because proactive coverage of the long tail is not economically rational.

Your strategy needs to be sustainable. That means bounded. The audit exercise in lesson 5 of this module is designed to help you build that boundary and maintain it.

Own Your DNS

I don't mean this in the property sense — though yes, your domain registrations need to be unambiguously owned and properly secured. I mean it in the operational sense.

Understand it well enough that when something goes wrong, you can diagnose it yourself. When a migration is proposed, you can evaluate it rather than just approving it. When someone presents you with a "DNS configuration" that doesn't look right, you can tell them why.

This sounds like a baseline expectation. It isn't. Most organizations have DNS that's effectively a black box — managed by whichever vendor or engineer set it up, with no internal understanding of how it works or why it's configured the way it is. When those vendors or engineers are unavailable, the organization is helpless.

This course exists because I spent enough time in that situation — first as the engineer who understood it and couldn't explain it fast enough in a crisis, and then as the CTO watching teams try to debug DNS without the vocabulary to describe what they were looking at — to think a structured approach to the knowledge would matter.

Whether it has mattered is something you're better positioned to judge than I am. You've done the work. You have the vocabulary. You know the failure modes.

DNS is infrastructure. Treat it like it.

Anouar Adlani
Founder, PragmaGeeks
Former CTO, EuroDNS (2006–2016)
Builder, X-RAY domain threat platform, EBRAND