This document discusses DNS security strategies. It covers building blocks like name servers, zone files and configurations. It discusses defenses against disasters and errors like geographic provisioning and change control meetings. It also covers securing hardware, operating systems, monitoring DNS, reducing the attack surface by separating roles, and specific defenses for roles like recursive servers, authoritative servers and hosting providers. Finally, it discusses securing each layer of DNS transit and endpoints using mechanisms like ACLs, DNSSEC, rate limiting and encryption.