TDL 009 | Inside DNS Threat Intelligence: Privacy, Security & Innovation

Summary

In this episode of the Defenders Log, host David Redekop speaks with Tim Adams, the founder of the protective DNS resolver Scout DNS. Tim shares his origin story, explaining how he transitioned from a wireless network integrator to building his own DNS solution. He saw a need for an affordable, effective content filter for nonprofits and schools after OpenDNS was acquired by Cisco. What started as “Church DNS” in 2017 evolved into Scout DNS, a project Tim notes was far more complex than he initially imagined. He emphasizes that Scout DNS is bootstrapped and “private equity unencumbered,” a key selling point for Managed Service Providers (MSPs) who value stability.

The discussion covers several key DNS topics, including the challenge of balancing strong threat intelligence against false positives and the need to move beyond traditional threat feeds. Tim advocates for a zero-trust model that blocks unclassified or newly seen domains to shrink the attack surface. He also explains why Scout DNS adopted DNS over HTTPS (DoH) for its roaming clients, as it reliably uses port 443.

Looking ahead, Tim predicts a fractured internet with differing regional standards for privacy, weighing government access against corporate tracking. He concludes by highlighting the three reasons MSPs choose Scout DNS: a strong product built on word-of-mouth, a flexible month-to-month billing model, and high-touch customer service.

TL;DR

  • Tim Adams founded Scout DNS, a bootstrapped (non-VC-funded) protective DNS service.
  • He created it to provide an affordable alternative for users like nonprofits and schools after OpenDNS was acquired by Cisco.
  • Tim advocates for DNS security to move beyond “known threat” lists and adopt a zero-trust approach by blocking unclassified or unknown domains.
  • He discusses technical challenges (like DoH vs. DoT) and the philosophical debate between privacy and security.
  • Tim predicts a “fractured” internet in the future, with different regions enforcing their own distinct privacy and data access rules.
  • He highlights that Scout DNS appeals to Managed Service Providers (MSPs) because of its strong product, flexible no-contract billing, and direct customer service.

Links

View it on YouTube: https://www.youtube.com/watch?v=R97vq2yRFNU

Listen to the episode on your favourite podcast platform:

Apple
https://podcasts.apple.com/us/podcast/inside-dns-threat-intelligence-tim-adams-on-privacy/id1829031081?i=1000736737274

Spotify
https://open.spotify.com/episode/32Nqh1PDenWzVOnCWhDueN

Amazon Music
https://music.amazon.ca/podcasts/d7aa9a19-d092-42a6-9fe9-9e8d81f68d30/episodes/20ec32d8-6d6e-4179-8711-660442af690d/the-defender’s-log-podcast-inside-dns-threat-intelligence-tim-adams-on-privacy-security-innovation

ADAMnetworks
https://adamnet.works


The Defender’s Log - Episode 009 Transcript


Tim Adams: You don’t really know DNS until you’re in DNS.

David Redekop: If there’s one thing you could force upon the world as it relates to DNS, would there be anything that comes to mind?

Tim Adams: Everything that goes in that ten millisecond response has to be done in nanoseconds.

David Redekop: What’s the terrible dystopia we are sleepwalking into that we need to pay close attention to as internet defenders?

Tim Adams: Every year we have thousands of more arrests of CSAM abuse cases from the internet.

David Redekop: If we want privacy for ourselves, we’re going to have privacy for the criminal.

Tim Adams: We try to make sure that in our case, every data center can operate autonomously from the core.

Narrator: Deep in the digital shadows, where threats hide behind any random byte, a fearless crew of cybersecurity warriors guards the line between chaos and order. Their epic battles rarely spoken of until today. Welcome to the Defenders Log, where we crack open the secrets of top security chiefs, CISOs, and architects who faced the abyss and won. Here’s your host, David Redekop.


David Redekop: Welcome back to another episode of the Defenders Log. And I’m always excited for the days that I get to record one of these because I get to connect with and learn about people in the defender space. And today I have someone with us on this show that has real-life experience in the area of DNS threat intelligence, standing up a public resolver, making it available to managed service providers. And I’m glad to have you. Thank you for coming on, Tim Adams. No relation to ADAMnetworks, but I love it that we have “Adam” in common in our name. Welcome.

Tim Adams: Appreciate you having me. And yeah, who knows? There might be something in there. We have to go check and look that up, but no, appreciate you having me, and it’s a privilege to be here. I’ve seen, you know, familiar with the show and seen a couple of the episodes and so, yeah, it’s really cool to be here.

David Redekop: Well, I always like to recount how we met and how we even connected. And I actually just found you online in search of, “I wonder who else is doing this Anycast protective DNS thing.” And when I saw you and I saw this is, you know, put together by an actual engineer who did a lot of the work, and you had some online presence on LinkedIn. We connected and then what’s funny is one day I’m coming back from Montreal and I stopped by in Kingston to meet up with an old friend, Andy. And Andy knows about you. He’s already talked to you for a number of years off and on. So, anyway, it’s really neat when you connect with someone and then someone else knows the same person, right? And so, the degrees of separation are actually a lot less than we often think. So, I’m really glad to get to know you better.

Tim Adams: Awesome. Same. You know, I’ve seen you. I know you’ve been involved in a lot of the different initiatives around DNS the last couple of years and especially around the zero trust concept or your, you know, as you call it, Do Not Talk to Strangers, and your collaboration with Tommy and some other things. And so, yeah. And that’s been, it’s cool to kind of watch some of this from outside and then have conversation with you about it in detail. It’s pretty neat.

David Redekop: Tim, I’m wondering always about how someone got to their initial aha moment when it became clear that you were destined to do something cool for the world in the area of DNS. What would you point to your first aha moment that you had?

Tim Adams: You know, so, for me, this is going back, you know, 2010. So somewhere between, you know, 2010, 2015, I’d been running a wireless network integrator. We kind of a network engineering, been specializing in high-density wireless. And nowadays, it’s a little bit easier. The software does a lot of the magic, but, you know, ten years ago, it didn’t. And it was a lot more difficult to cram 2,000 people into a small area and provide, you know, really quality wireless. And we were going through a period of time where it was becoming more popular and we were deploying, you know, wireless, high-density wireless into areas that had not had it before. And so, in many cases, they didn’t have sort of this, you know, enterprise firewall doing filtering. And so, they needed, you know, all of a sudden, go from having ten people on the internet to occasionally having four or five hundred or 800 people on the internet or 1,000 people on the internet.

And it was, how do we provide some level of, you know, content filtering and protection for this without buying a $20,000 box? This is what kind of the expense was for that type of a box, you know, ten, 15 years ago. And so, we would often recommend for folks to use OpenDNS. It had been a great product. It’s easy to use. You, you know, they were sort of, you know, pioneering a lot of that, you know, cloud-based, you know, filtering resolver that you could configure and sort of manage the policy. And so, we would recommend folks to that all the time. And of course, somewhere in 2015, 2016, Cisco bought OpenDNS, and, you know, Cisco started to do what Cisco does, and things started to change a little bit immediately. And so, for smaller use cases, it immediately became more expensive. And we were dealing with a lot of nonprofits. Sometimes, you know, churches and, you know, nonprofit centers and church schools that had different, you know, use cases of the way DNS is used is different. So, licensing didn’t always match. Didn’t make sense for them.

I’d gone to my team and said, “Hey, you know, why don’t we just purchase something, we, we’ll white label it and we’ll resell it?” And I thought that was a great idea. You know, we’ll just resell this resolver and, you know, gets, you know, use as an extra, you know, revenue. And when I went through the exercise of sort of pricing that out, it was much more expensive than I thought it was going to be to license some of these, you know, instead of trying to build it from open source. I thought, you know, “Well, we could just build it.” And then when we started to kind of craft what it would look like to build, it’s like we were going to add this and add this in a UI, and maybe we’ll do Anycast and have policies and multi-tenancy. And, you know, it cost about four X what I thought.

You know, building it, you know, the concept of a DNS sink is relatively simple, and there are simple tools to do that like in your home network today. And there were many years ago. But when you have multi-policy and different, you know, different rules in your policy engine, when you make it multi-tenant, and when you add, you know, deeper reporting and visibility and more advanced strategies, it becomes complicated very quickly. And so, yeah, so I was a little naive up front, you know, kind of getting started into this, to be honest with you. Both in just everything just cost a lot more and more time, more energy. Adding team members from an engineering standpoint was more complicated.

But yeah, so, you know, here we are, you know, we launched it in 2017. Kind of launched the product. We had 100 customers in the first year. We were originally called Church DNS because we had, you know, for whatever reason that time frame, a lot of these churches, you know, large churches were adding wireless to their sanctuaries. And then we’re also doing a lot of church schools and then, you know, other schools and, you know, different things like that. And so, yeah, so long story short, that’s kind of how we got involved. It was just sort of a side project. I sold my wireless integrator about a, you know, about a year later. And it wasn’t large enough for me to sort of like go full-time. So, I went back. I’d taken my first enterprise job in a couple of years. First job I’ve had probably in almost 20 years. And so, that was just it was kind of nice just to do some enterprise sales for a while because it was much easier than the whole entrepreneurship stack of, you know, collection of finance and operations and engineering. Just kind of focus on one thing.

And as soon as, you know, we had an opportunity to go full-time, and rebranded the product in 2019 as more diverse type of customer came to us. And, yeah, so that’s how Scout DNS was kind of relaunched and reborn in 2019. But that’s kind of how, I guess I sort of stumbled into it, right? And yeah, the goal really at the time was to bring there were a lot of cool, you know, cloud-based network stacks, cloud, you know, cloud-based network management stacks. And I felt like, “Hey, why don’t we sort of make it, you know, object-based control, a nicer UI, easier to configure, easier to manage? Bring that to, you know, DNS control and manageability.” And so, that was the concept there. So, yeah.

David Redekop: I really enjoyed getting to know your product and you for last little while. And you certainly have some very unique features and a very easy to understand environment. So, I definitely recommend it from my initial perspective running it as part of my DNS Harmony fleet of resolvers. So, it’s, it’s pretty cool, especially when I put it to the test. And I would also like to add that you are private equity unencumbered, right? So, you can run your business as you see fit. And MSPs that sign up for your services don’t have to worry about, you know, things getting flipped tomorrow.

Tim Adams: That’s correct. Yeah. No, that’s, you know, we’ve been mostly bootstrapped. It’s not to say that we, you know, we don’t have a couple of angel or we’ve done a couple of incubator rounds, but we’ve not done any like major, you know, institutional round funding. And, you know, for the most part, we’re sort of looking to avoid that. It’s not to say that if we never had the right situation, but we really don’t want a scenario where if you look at sort of, you know, modern seed-type investing or beyond seed, the series A, any type of series investment, you know, you wind up in perpetual fundraising, series A, B, C, D, and the economics have changed over the la, you know, since co over the last few years, the economics have changed a lot. So, you know, for us, you know, we’ve sort of I don’t know if I’d say I’ve enjoyed the bootstrap route because it’s certainly not easy, but, you know, we reached profitability, you know, sort of late last year. And so, it’s definitely rewarding to be in complete control of the product and the destiny and not have to answer to folks who are just worried about an exit. So, yeah.

David Redekop: Yeah. Bootstrapping most definitely takes a certain kind of person, right? It requires persistence. It requires patience. And I would argue that a lot of the MSPs around the world that should get to know you would put a high level of appreciation on that characteristic where they realize they’re dealing with a business where at the first sound of difficulty there isn’t just an exit or an escape, but rather a persistence to work through it. And that ultimately is how you build resilience. And any business that you know is going to do business with you, even from a protective resolver type service, because there’s a lot of dependencies on there, right? Like, there’s a lot of trust that someone puts into your services, especially if it’s the only one. Then it needs to have a high uptime. And so, your historic uptime also adds a value. So, all of these things go through the decision-making matrix of a would-be buyer of your services. You know, what kind of a person is Tim? How long has he been doing this? You know, what’s the uptime of the service like? What’s the development cycle like of the service offering? Especially in a space that is not only crowded, but DNS is like the underdog and sometimes gets beaten up for stuff that wasn’t really DNS’s fault.

We had a good discussion about the AWS outage where everybody says it’s always DNS. Well, yes and no. The argument there was that it was actually the data in the DNS because the service itself wasn’t broken. It wasn’t patched to be fixed, right? It was actually data that was incorrect that came through an automation source. And so, by not getting through the nuances of what’s going on, then DNS gets the blame, and then that ends up ultimately affecting the industry. So,

Tim Adams: Even beyond that, if you look at the AWS instance, most of the services that were impacted were impacted because of their architecture, not just because of that one failure, but their dependencies on services that aren’t redundant and aren’t resilient. And, you know, DNS is extremely resilient. And we’ve had 100% uptime on our Anycast, knocking on everything, you know, since we launched it almost seven years ago. And that’s just the nature of, that is the nature of, you know, BGP. And if you build things correctly, you know, it doesn’t mean that you can’t have, you know, regional or peering issues and different things like that that can happen. But if you’ve designed it well, those are very few and far between and they’re easier to recover from.

And so, yeah, you know, there’s a quick commentary when, you know, something like that issue happens with I think it was the US East and all the dependencies that were kind of built around that. But we try to make sure that in our case, every data center can operate autonomously from the core. You know, we have replication everywhere. If everything fails, things just fall over. So, there’s really no point where something is it doesn’t mean that like the UI can’t break or could potentially have an issue with logging, even though we have redundant logging clusters and failovers and those kinds of things. It doesn’t mean that that can’t happen.

But, you know, there’s a lot of work and from a bootstrapping standpoint, the exciting thing about that is that when you don’t have, you know, sort of a lot of times when you have millions of dollars, you just throw that at marketing or you throw that at engineering and you just, you know, you scale up, you know, all these microservices and serverless technologies and so, you’re not worried about cost upfront. So, you’re really not less efficient. So, for us, we’ve had to be, we’ve had to build this way and do so in a very efficient manner, very capital, you know. Customers want 100% uptime, but they also don’t want to pay, you know, a fortune either, right? So, you know, bootstrap has had some advantages there as well in being resilient and being fast and available, but doing it in an efficient way. So,

David Redekop: Yeah, that makes a lot of sense. And I can concur with same kind of an experience where, even though we’ve also taken some seed investment, our focus has been from day one to be as efficient as possible. A good example we often use is, why use the cloud when on-prem will do? There are some things that absolutely must be in the cloud. And there are other things for which it does not make sense when you can stand up, you know, your white box with Proxmox on it and throw 50 VMs on it for a one-time capital expense as opposed to, you know, a monthly virtual machine cost. So,

Tim Adams: Well, even when you say cloud, I mean, the cloud, you know, it’s such a broad term. Does that mean are you talking about, you know, serverless, you know, options where you really have no visibility and control? Again, I’m not trying to use, you know, names specifically, but there are certain platforms that make money on the fact that code is often inefficient and the more inefficient the process, the more money the infrastructure provider makes because they’re essentially charging you for time and resource. You can also use cloud and just rent machines. For us, it makes a lot more sense because our traffic is relatively predictable. I spin up users in a region. I know what that’s going to, I know how that’s going to affect that region. So, yeah, and those are a lot more predictable and manageable from a cost standpoint.

So, yeah, I think and it absolutely, we’ve seen cases where people have written about, you know, leaving, you know, large cloud providers and going back inside and running racks and, you know, bringing in peers and doing it themselves. And, yeah, I mean, a lot of times that can make a lot more sense, but there are also a lot more secondary infrastructure providers that have great products and great solutions that folks should consider when they are looking out there. And especially as we know that the big tier ones are not 100% flawless, that obviously things happen as we’ve seen over the years. This hasn’t been the first time we’ve seen global impact from, you know, tier one provider issues. So,

David Redekop: So, let’s jump to the superpower of a protective resolver, which is, you know, your DNS threat intelligence. What has been your funnest learning lesson in building an integrated DNS threat intelligence platform?

Tim Adams: That is a good question. I think it’s really the challenge of how do we maintain a good quality of product while also reducing false positives. You know, you can’t just go out and grab and it’s funny, you know, people talk about these, you know, DNS filtering or DNS protection tests where they go out and they pull these lists and they throw everything at the list. And a lot of times that’s a really bad way to do it because and I’ve seen there are vendors out there who pull these free lists in just to pass tests when 90% of that list is a false positive now, right? Because, you know, a lot of times these things get cleaned very quickly, especially when they impact commercial use.

So, yeah, so really being able to, you know, kind of scale out that without having too many false reports because you want to balance protection without interruption. Also, you know, you want to there are certain types of challenges around, you know, CDNs and all the domains around that are involved in, you know, these content servers. And so, and threats that can pop up around those. But, you know, being able to manage that without impacting downstream services and so having strategies. So, yeah, so there’s a lot that goes involved in. So, you know, we do some of our own threat intelligence, but we also source a large chunk from different providers and some quality feeds that we feel are historically very No one, you know, we just wouldn’t have enough volume globally if it was just us, right, to capture everything and see everything. So, you know, we partner with some folks and then go out and source some other feeds. Then we also go back and curate, right, to try to improve the quality of those. So, that certainly can be a challenge and one that’s just kind of ongoing.

David Redekop: Yeah, it’s not a small number science problem. So, any statisticians out there who look at, you know, doing statistics, I mean, the simplest way that I always introduce it to new folks interested in stats any which way is just think about a billion by a billion matrix. And that is what you’re working with, right? Especially as you’re dealing with the interaction and intersection with various domains where one meets another and they end up being part of the same threat actor’s stack or part of the same registrar and resolve to the same place.

Tim Adams: Yeah, there’s certainly a lot of DNS metadata we can look at that, you know, registries, neighborhoods, you know, IP ranges or IP networks, I should say, ASNs, for instance, bulletproof hosts tend to be places where a lot of things are. You know, so we’re trying to do a better job of understanding, you know, trying to create new policy protection options for end users on things like, you know, can we block all bulletproof host providers? Can we, you know, block have different character types that we can block within? So, yeah, there’s some cool things you can do from a policy standpoint, but just even identifying where the threats are likely to come from based on other attributes is a fun exercise to practice, too. So,

David Redekop: Right. Reminds me of a recent client that we onboarded and immediately after getting onboarded, we watched this punycode domain come across our non-punycode interpreted list. And cuz they stand out like a sore thumb, right? And so, I actually had to paste it into a browser to see what it’s supposed to be. So, it turned out to be a trader that was using tradingview.com except that they weren’t using the real tradingview.com.

Tim Adams: Right.

David Redekop: And so, just that’s the first time I had come across a punycode abused in the wild as we were onboarding a client. So, that’s interesting.

Tim Adams: Yeah.

David Redekop: Um, you were also early on, if I’m not mistaken, Tim, with doing encryption from your customers to your Anycast nodes, offering DoT, DoH, DoQ. How did that go for you?

Tim Adams: You know, so, you know, we kind of, um, really circled around DoH, which is really that’s a whole another topic in and of itself, right? I think in a lot of ways, most of us in security would make an argument that DoH probably should have never really been created. And in a lot of ways, was not really necessary because the folks, if you really look at, you know, the folks who brought us DoH, uh, they weren’t really thinking about really security or privacy. I know a lot of it was done in the guise of privacy. And I know, you know, Dr. Paul Vixie has written extensively about a lot of this.

But, yeah, so, I think that, you know, for us, we really kind of circled around DoH specifically for roaming clients. And that’s really kind of where originally came for us is we have from the commercial use case, DNS is very different from that of a home user. And so a lot of different things the commercial end user takes into account the administrator. And so, for us, when we looked at deploying roaming clients a few years ago, we wanted to do it with encryption as a native. We wanted to just be full-time encrypted all the time from the Windows or Mac OS up to our Anycast or our network.

And in doing that, we circled around DoH because the problem with DoT, although it’s great from a standstill network provider’s point of view, for a roaming client that is roaming around the world into different people’s networks where you do not have control over the firewalls and the ports that are available, right, port 443 is more likely to slip through and be unencumbered. And so, we don’t have to design all these failback mechanisms to go from, you know, DoT to just standard port 53 DNS. And then, guess what, if port 53 DNS is also restricted, which it can be in certain networks as well, well then you’re just sort of, you know, no protection at all. And so, that’s kind of what we did. So, for our specific use case, DoH was great. And it’s worked well there. But, yeah, so that was early on. But, you know, there’s sort of this topic that, you know, DoH adds all this overhead and particularly compared to, obviously, there’s some overhead compared to just standard port 53 DNS. But between DoH and DoT, I don’t really notice that much of a difference from an overhead standpoint. But from a practical use case, it’s worked pretty well for us. So,

David Redekop: Right. Right. I also noticed that at the IETF, as in the IETF circles, that there’s a very strong movement towards DoQ just to move it over to UDP. So, looks like we’ve come full circle from going UDP back to UDP, except that the average packet size is like, I don’t know, X number at times larger. But we also have the bandwidth and the capacity today to sustain that. And so, I think where we’ll end up is probably there or is there something else that you see happening?

Tim Adams: There’s always something else on the edges, right? I think that’s probably where the industry will push in the next, you know, couple of years. How quickly it gets adopted, I don’t know. We may, there are some use cases still where bandwidth can be an issue. In general, I agree with you that that’s become less of an issue around the world. And so, I think there’s a good argument for it.

David Redekop: Right. Now, speaking of adoption and with your background and having lived and breathed this in the DNS world for all this long, if there’s one thing you could force upon the world as it relates to DNS, would there be anything that comes to mind?

Tim Adams: You know, I just don’t have like authoritarian vibes in me. So, when people ask me questions about what would you force everyone, I, you know, I don’t know. That’s a really good question. You know, from a protection standpoint, one of the things that I like about what you’re doing with Do Not Talk to Strangers and the whole concept of, you know, zero trust DNS is moving away from the idea that known threat tracking is good enough. And so, I just think, you know, people having the right mentality of yes, we can, you know, take these threat feeds and threat intelligence and we can design sort of like this machine learning, you know, real time. I think people have to think beyond the threat feed and what are the strategies that we can do? And what can we put in place that shrink the attack surface from the unknown, right? Or against the unknown.

And so that’s what I like a lot about the work that you’re doing and things that we’re doing around the concepts of our zero trust TLD control, concepts around, you know, how do we unclassified management and quarantine those kinds of things. Yeah. So, I think just some mindset shift around recognizing that threat feeds alone are not good enough because we’ve seen a huge increase in the use of, you know, malicious domains that are used for hours, you know, day or even hours in some cases and moved on from. And by the time they’ve made it to, you know, a lot of people for the last several years the idea of newly registered domains has been, you know, it’s a good concept but has a lot of weaknesses because, you know, it takes people don’t realize it takes 20, you know, first of registry organization management. They don’t even necessarily in some cases, uh, when you look at country codes, they don’t even have to provide the information. And so, uh, it’s sort of like a voluntary matrix of providers that collect.

And some people would say, “Well, Tim, don’t you just, you know, use WHOIS data to find out if something is?” Well, people don’t understand, if you want a 10 millisecond response, everything that goes in that 10 millisecond response has to be done in nanoseconds, right? I have to make all these decisions with data centers. So, that data has to be kind of pulled out. It takes 24 hours plus, sometimes 3 days for some of those newly registered domains to hit list. It doesn’t protect you against, you know, just FQDNs of existing apex domains that aren’t newly registered. So, what do you that completely ignores that concept. So, that’s something we focused really big on blocking unclassified and how to make that, you know, domains that just haven’t been seen before, really, which is really what they are, whether they’re the subdomain of a known apex or a brand new, you know, newly registered domain.

So, just the concept of, you know, how do we sort of shrink the attack surface, which is what I like about working in B2B or commercial side. It’s much more difficult on the residential side because it’s kind of you can’t, you know, someone who’s, you know, a consumer working from home, the expectation is that the internet’s available to me. Well, in a corporate world, it’s less. You typically are using the same services, the same domains day after, you know, day in and day out. There’s less of a need in many use cases to sort of have the entire web available at any given moment. So, how do we shrink that? And, yeah, so yeah, just I guess back to your original question, just thinking about security outside of the traditional threat feed scope. So,

David Redekop: Yeah. And the other thing that I noticed is that you offer a resource record control type as well. And we have in the last little while experimented with that with great success where a typical network of user devices that don’t house servers or any backend infrastructure, user devices with computers, with smartphones, don’t need TXT records or null records or, you know, all the private types. They need A and quad A records and that’s it. And so, I noticed that you also offer resource record type control. How did you arrive at that conclusion? Was there already threats that were abusing that? Because I thought that was relatively modern that non-typical records were used abusively.

Tim Adams: Well, a lot of that was when we look at like DNS exfiltration, right? So, traditionally, the tools that do that a lot of times are built around the null record or the TXT record. Those were the two easiest because the payloads were more flexible, right, for the exfiltrator when you and of course, now there are a lot there are tools that will do that with the A records today too. So, you can it is it’s a little bit easier to notice in a lot of cases because the amount of queries are much higher. But, yeah, so a lot of that just came in in the concept of and then back to your to the idea of do we really need this?

So, beyond moving beyond exfiltration, there are use cases where you don’t need different record types, right? Everyone like you said needs A and, you know, quad A record types. But outside of that, you know, TXT records have and we’ve, you know, TXT records, there are legitimate use cases for TXT records. There are a lot of applications that sort of use DNS in telemetry in certain ways that not necessarily malicious, but it’s not obvious from an end user standpoint either. So, I wouldn’t it’s sort of a gray area. So, yeah, generally speaking, you can restrict the record types for a lot of user classes without negative impact. So,

David Redekop: Yeah, I found a really interesting research that I did only a few months ago that across our entire client base, we’re talking about five domains that legitimately use TXT records for things like license validation and so forth. So, it was very difficult to find those even. And so, once I saw how small that number is, we said, “It makes perfect sense to just not enable that unless you are a server backend and you’re doing, you know, your ACME challenge via, you know, DNS TXT records to verify ownership and so forth.” But beyond that, it’s really not that common. And of course, for MX records or for SPF validation, DPM and so forth.

Tim Adams: MX records on your network and you’re using, you know, Office 365, that should be a concern. Like, something,

David Redekop: right. So, I think, you know, having visibility into, having visibility which is we we really try to focus on visibility. We’re doing some really cool things the rest of this year around tracking, you know, NX domains and surveillance and bringing that more, you know, making it easier to sort of visually see the impacts of some of those. But, yeah, and and we make it easy to see different, you know, record types across your network as well. It’s one of our insight tabs. And so, yeah, there’s certainly use cases where, you know, record types can be indicators, right? So, people don’t that way, but it really can be. So,

David Redekop: yeah, absolutely. Okay, here’s a tough one. Fast forward 5 years. It’s 2030.

Tim Adams: Oh, man.

David Redekop: What’s what’s a terrible dystopia we are sleepwalking into that we need to pay close attention to as internet defenders, maybe not just in the DNS space, but broadly speaking?

Tim Adams: Man, you know, that’s a good question. And and I don’t know that there’s a global answer for that because I think I don’t know if it’s a debate, but there’s there’s a lot of, if you, I guess it is in a way, there’s a debate around security versus privacy, right? So, you’re seeing a lot of that. Is that kind of what you’re referring to in terms of like

David Redekop: I I I have this concern around the mix or the balance between security and privacy, where that gets offloaded to, where the TLS third-party termination happens, centralization of the internet, all of the things that where the economic interest is in contrast to what we are as people who love freedom for, you know, our generation and generations to follow. That’s where I feel like there’s tension, but I’m not sure how far any of us can see in the fog.

Tim Adams: No, I I, you know, my prediction is that we wind up, and it’s already happening today, uh, that we wind up with sort of, you know, regional standards for what privacy is and what those protections are. If you a lot of people don’t realize this, but in the UK, for example, iCloud backups are not protected by end-to-end encryption as of this year. So, if you’re an iCloud user, if you’re an iOS user in the US and you have end-to-end encryption on your iCloud backup, no one, even Apple themselves, cannot see your data, right? But if you go into the UK, legally that has been put on hold where Apple runs a completely different standard in the United Kingdom. So, yet the data is still encrypted, but Apple has access to the key. What that simply means is that in the UK, you can get a warrant and Apple has to essentially give your data over. In the US, you get a warrant. Apple gives your data over, but no one can see it, right? So, that with come comes without the key because they don’t they don’t have it.

And and you wind up with with, and it’s very interesting, right? So, if you go to the United, if you go to Europe in general, right, they they kind of have this uh it’s it’s just two completely different approach. They have very low tolerance for commercial tracking and commercial collection of data, but they have much higher tolerance for government access to data. And the US, it’s completely opposite. The US has very high tolerance for commercial tracking of data and very low tolerance for the government, you know, regulation or collection or the ability to of that. So, I think you’ll wind up with regions in the world where technologies that support end-to-end encryption have, you know, different impacts and different standards.

And so, you know, you may have places where your data is safe safer from Meta, but it’s less safe from your government. And then some regions where, well, well, you know, the corporations have all access to your data, but the government doesn’t. And, so, that’s, you know, something that I think is already happening today. I think you’re going to see a lot more of that. And, you know, every everyone’s going to, and you’re seeing more and more of this, too. Like, even us, for instance, we house European data in Europe. Anything that comes from a European resolver stored in Europe. There are other countries that are pushing the same type of concept where some countries in the Middle East are going to start wanting very soon their data in, you know, it’s got to be in country where they want access to it because it’s I don’t know safer there.

So, you you’re going to continue to see standards like that, and just just sort of fractured. I don’t think we’ll ever get a global standard because you you can’t get get people in the 50, you know, US states to agree. You can’t get people in Europe to agree on anything. So, you’ll never get a global standard. But you’ll have just these regional standards that, you know, companies sort of have to navigate around. And no, no one’s going to operate outside of the law in a specific country because you just won’t be able to operate there. You have to op we we all have to operate within the legality of the. You either have a choice. You either operate within the law or you don’t operate in that country at. So, if you want to be in country, you have to operate in that country standards. And so, yeah, so I think that’s that’s kind of where we’re headed.

And in some ways, you know, it’s kind of an interesting experiment. You you can kind of watch and you’ll be able to observe sort of the things that happen. I don’t trust, you know, we talked about this the other day. I think I was, you know, I was sharing some comments back with Andrew on this re-encryption and, you know, there’s certainly everyone wants to protect or or prevent the abuse of of users who are more likely to suffer that, right? But at the same time, we also know that privacy is protection that people can be at risk from data being exposed. And so, you know, I I think that it’s just something that we have to to to be concerned with and it’s an important debate. These are important experiments that that essentially going to be taking place. And, you know, we’ll see how it all turns out,

David Redekop: right. Yeah. The the ongoing experiment that has been going on for a number of years now. I’ll never forget the one time that either I read or or heard Moxie Marlinspike, the um founder of the Signal protocol, when he said that for liberty to exist, it must be possible to commit a crime and get away with it. And the difficulty in that statement is that if we want privacy for ourselves, by extension, we’re going to have privacy for the criminal. And so, there’s going to be this non-stop tension between law enforcement that wants less privacy and citizenry that wants more privacy. But I think we’re going to have to continue to navigate that in a way that serves us well. But the most important thing is for us to not ever have us or our children be unaware what’s at stake.

Tim Adams: You raise a lot of good points there. One of the biggest, obviously, the biggest issues around end-to-end encryption is the use case of it for CSAM. And, you know, obviously, that’s something that we would all, if we could do anything and wave a magic wand, we would obliterate that from existence and never becoming existence. But we live in a world where, you know, evil does exist and there are bad people who do evil things. Um, and you make a point about law enforcement. Obviously, if you look at the law enforcement or government side or intelligence community side, they always want more access to data. But the reality is, and I looked at this the other day, even as we’ve had an increase in end-to-end protection, every year we have thousands of more arrests of CSAM abuse cases from the internet because we have met there all law enforcement has a lot of tools, right? There’s all kinds of metadata. Uh, there is there’s, you know, in in person, there’s informants, there’s surveillance, there’s all kinds of things that are still. There’s not one tool that is used to make a case. We’ve seen cases where the intelligence community and law enforcement have run Tor exit nodes and gained access today. They probably still do, guarantee they still do today. We’ve seen very controversial cases where law enforcement has taken over CSAM sites and ran them for a month or two and collected. There’s certainly a lot of controversy around that. It’s great that we can catch the, you know, bad guys, but, you know, what is the controversy around leaving that material available for a while? Certainly that’s not without controversy.

David Redekop: I did have one question for you that I noted here. Founders are never perfect in my experience. Is there any one regret of a feature that you built or a thing that you did one time and you woke up at 3:00 a.m. like, “Oh, darn.”

Tim Adams: All the time. Um, yeah, you know, I I I tell people all the time this last year, 2025 was probably the first year I started to actually like my product. And so, you know, there there are things some things just take time. A lot of times we are our biggest critics, right? We um, but there there are a lot. In fact, there’s a a way that we do things today that I would do differently. And we do we do refactor things all the time. Sometimes they’re behind the scene things that didn’t really impact the end user. Sometimes there are ways that we do things in the UI that we figure out, “Hey, this is sounded good on in in my head and when I wrote it out and had a couple couple conversations.” But when we deployed it in mass and people want to use it another way, and so then you got to go back and make changes. And we’ll we’ll make some change. We have some scheduled changes for next year on how we do things with allow-block list and to make them even more object-based and better and easier for for end users. And so, you know, that that’s something that we’re going to be, you know, really really focused on next year. But, yeah, no, all the time. I mean, there’s all things that we do all the time that we wish we might have done differently. So, yeah.

David Redekop: Well, an innovator entrepreneur, it’s for an innovator entrepreneur, it is impossible not to make mistakes because that is the very act of learning, right? You don’t have fear of trying something out because you see that this could provide value. And rather than analyzing things to the point of paralysis, you’re like, “Let’s do it.” And then you find out very quickly what works, what doesn’t.

Tim Adams: Even just the concept of Scout DNS itself, you know, I had been in running I had done general IT, you know, my my when in my, you know, sort of foray into general IT management, if talking about like servers and end users and just IT, you know, network man or just IT management general. My last major project before getting involved with networks and Scout DNS was migrating NT4 to NT2000. So, it had been a while. And I had kind of dove into networks and spent, you know, 10 15 years just dealing with networks. And and then getting back into specifically, you know, recursive DNS, you can even, you know, spend 15 years in network engineering and think you know DNS. You don’t really know DNS until you’re in DNS. And so, I’ve had I’m always learning uh learning things, you know, um, and so that’s, you know, early on I faced a lot of imposter syndrome just getting into dealing with with Scout DNS. And still and still hit that sometimes today. You know, it’s just I think it’s something that we all face because you the more you know the more you don’t know the more you know you don’t know. And and so we’re always trying to learn. But, yeah, no, it’s it’s it’s it’s a challenge.

David Redekop: Right. Absolutely. Tim, if there was one domain name that you could block in the whole world, what would that be?

Tim Adams: One domain name that I could block in the whole world. What would that be? You know, I don’t know if it

David Redekop: I’ll I’ll go first if you want me to and I’ll give you the reason why. I want to give some backdrop to this first. There was a gentleman that recently asked for my help to get onto Facebook as to set up an account. And he needed it for marketplace reasons. And he had never been on Facebook before. Okay. But he’d also lived most of his life with a computer with, you know, let’s say without a protective resolver of any kind. And so, when he walked through the sign-up process, he was literally jaw-dropped to the floor to see all the things that Facebook already knew about him when he never had a WhatsApp, never had an Instagram, never had a Facebook account. Okay. Where does that come from? That comes from one FQDN. If I could block out the whole world, connect.facebook.net.

Tim Adams: Yeah.

David Redekop: Because any website that says that has the little Facebook icon that just by your browser visiting that website, it actually registers with Facebook who you are, and that profiling gets collected. And so, without you even signing up for the services, they know who you are. So, that that’s that’s my background on why that would be the one.

Tim Adams: I was going to say, you know, probably, you know, something involved with tracking and monitoring only because even even when that’s done commercial, we know that, you know, governments purchase that data, too. So, we they kind of work around. And there’s been cases in the US where intelligence agencies have bought, and we couldn’t, you know, we’re not going to surveil the end user, but we’ll buy from the people who did surveil the end user. And so, you know, that certainly does get into a very gray situation. So, that no, that makes a lot of sense.

Yeah, I I honestly don’t. I don’t I think I I have a LinkedIn account, obviously. I have a couple of social media accounts just to have them because you have to have a personal account in some cases to have the business account. But I don’t have a social media page. I don’t spend time on social media. I don’t scroll through social media. I don’t post pictures of myself on social media. I don’t follow my family on social media. I talk to them a same person. I just am not a big social media guy. And I think the world would be better off without it. But, you know, it is what it is. So,

David Redekop: Tim, there’s not enough people that think that way today. And I think that’s part of the issue. I’m in 100% agreement with you. And I’m finally at the stage where a few of our sons are also late teenagers that are now of the same mind. The fact that they’re teenagers and recognizing it and writing about it and sharing it with their peers, to me is just like, “Wow.” But it’s so sad that it took this long for this much time to be wasted for no return for them. Like, it was not an investment of time that gave them a reward of any kind. It was literally monetization of short-term dopamine creation. That’s what the system is about. So, this is not a social media anti-social media show, but I’m telling you, I’m so excited, Tim, when I find out that other people recognize the danger of what has been created and that we need to push back.

Tim Adams: Yeah. And you’re not going to eliminate these things. And I and I’m not even a fan of necessarily like, you know, regulation to ban these things. But I I am a big fan. And this goes back even to talking about cybersecurity in general and things we can do, privacy versus security, and what are the things and tools that we can equip parents and companies and CEOs and IT managers on just best practices on how to be safe on whatever it is that you’re doing, whether you are, you know, browsing the web, you’re, you know, you’re, you know, whether you’re using social media. How can we educate, you know, stakeholders and then when you have kids, parents obviously are key stakeholders. How can we educate them on the the things that happen when you do use it? So, if you’re going to use it, understand how it affects you and what can you do to lessen those effects, right? So, those are very very important things.

And that goes again back to the security versus privacy. If we’re going to have these things, how do we lessen their effect? How do we educate people? It goes goes into scamming epidemic of elderly folks who have been impacted and scammed and even outside of that small businesses, nonprofits. We we, you know, we do a lot of work with nonprofits. I can give you all kinds of stories of nonprofits falling for abuse and, you know, just just being scammed and losing tens of thousands of of donor dollars. And, yeah, so, you know, awareness. At the end of the day, all of the tech is great. We always, I think anybody responsible points back and says, “People are the strength and the weakness of anything in the chain.” And so, we we must constantly be finding ways to improve that portion of it.

David Redekop: Yes, 100% agreed. 100% agreed. Tim, one last question. I meet someone tomorrow that’s a managed service provider, and you’re you have a 30-second opportunity to tell them why they should consider replacing or adding Scout DNS as a protective resolver. What do you say?

Tim Adams: Yeah, that when we when we talk to MSPs, there are usually kind of three things that we that we hear from our customers. Obviously, the first is a product. You know, we’ve built a really good product. We have great reviews if you look us up on Reddit, on G2, on Channel Program. People say generally say nothing but nice things about about Scout DNS because we are a product first company. We have very small marketing presence. We we built our business on word of mouth recommendations. And so, the only way you do that is by building a great product. I’m not going to go and raise a Series A for $10 million to go to $200,000 trade shows, but I can build a great product and get people to talk about it after they use it. And so, we really do focus on product.

The second big thing really is is our billing model. One of the things that MSPs hate the most is contracts. Being locked into a contract. And we hate contracts. We know MSPs hate contracts. We are a month-to-month service. We earn our our, you know, the business of our MSPs. We earn them by that’s a trust thing, right? We earn that by saying we believe in the product. We believe in our service. We believe we will retain you just by merit alone, right? We’re not going to hold on to somebody via contract. In fact, we do have some commercial contracts for commercial users. But I’ve had people who, “Well, we we didn’t mean to renew. It’s a month later.” That’s okay. We we refund you. We let you. We’re we’re not a business that’s trying to, you know, trap people into contracts.

Especially for MSPs, it is month-to-month. There is no contract. And so, that has been it’s usage-based billing. You pay only for what you use. You know, if you look at MSPs, billing reconciliation can be a nightmare for some products. With us, we tell you, we show you, tell you, show you exactly what you use. You pay for only what you use on a given month. Clients haven’t checked in. You don’t pay for those, right? So, if you’re if if you get a reduction in an end user, you don’t even have to tell us. We recognize that you get a reduction because of your use. So, that’s a big thing.

And then finally, last but not least, the thing that we can control the most is service. Being being, you know, prompt on customer service, being prompt whether you want a QBR or you want a a biannual. Some people like to do it twice a year. So, if you want to do it, you know, four times a year, we’re we’re very big on our our quarterly reviews. We really do want to hear from our MSPs. Since I still run product, I make virtually all those calls. I mean, I probably sat in on a thousand customer plus calls, you know, 1,500 customer calls last year. A large percentage of those with MSPs about what can we do with our product to make it better. And I want to hear directly from those MSPs. And my pledge is to stay involved with that as our company grows.

And so, yeah, you know, the product, our usage-based billing and month-to-month, and then the service that we provide. I think those are the reasons why folks tend to and I can give you technical reasons. You know, we have a disable on our and our agent that MSPs love. We have autofail open. Our relay is the most capable relay, I think, on the market. The solution things that it does, our insight tabs, I think we provide some of the better the best insights and the way to work through those. Our integration with Entra and AD don’t require syncing tools. And there’s a lot of technical reasons. And we I’m more than happy to show those on demo call. But just from, you know, kind of the 50,000-foot level, the product, the service, and then our billing model, I think is what MSPs really love about Scout DNS.

David Redekop: Yeah. And I can vouch for it firsthand a month ago not knowing anything about you to now having tried it out and having chatted with you and now having interviewed you. So, this is fantastic. Thank you team Tim and team that’s behind you working with you. Absolutely. Keep on keep on doing good work. And we’ll I look forward to seeing what we can do together because I think there’s some pretty exciting synergies outside of the fact that “Adam” is in your name and in ours. So, Tim Adams, Scout DNS. We’ll see you again.

Tim Adams: Thanks, David. Thanks for this opportunity. Yeah, look forward to continuing our our relationship. So, sounds great.

David Redekop: Absolutely. Bye for now. Take care.


Narrator: The Defenders Log requires more than a conversation. It takes action, research, and collective wisdom. If today’s episode resonated with you, we’d love to hear your insights. Join the conversation and help us shape the future together. We’ll be back with more stories, strategies, and real-world solutions that are making a difference for everyone. In the meantime, be sure to subscribe, rate, write a review, and share it with someone you think would benefit from it, too. Thanks for listening, and we’ll see you on the next episode.