Data exfiltration using DNS RPZ
Vadim Pavlov
pvm_job at mail.ru
Sun Jun 17 16:52:38 UTC 2018
DNSSEC can be used for infiltration/tunneling (when you get data from DNS servers) but there is a catch that such requests can be easily dropped.
Vadim
> On 17 Jun 2018, at 09:44, Sten Carlsen <stenc at s-carlsen.dk> wrote:
>
> Interesting, the DNSSEC records with their by definition random and large content seem to be the most interesting vehicle, at least at first sight.
>
> Will e.g. the google DNS server or any other resolver deliver and fetch this data? At the moment I can't think of any reason it should not do so.
>
> To really block this, I think you would need to actually verify the correctness of the data.
>
> On 17-06-2018 08.43, Blason R wrote:
>> Hi Team,
>>
>> Can someone please guide if DNS exfiltration techniques can be identified using DNS RPZ? Or do I need to install any other third-party tool like IDS to identify the DNS beacon channels?
>>
>> Has anyone used DNS RPZ to block/detect data exfiltration?
>
> --
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>
> "MALE BOVINE MANURE!!!"