Can we block/detect DNS beacon channels?
Grant Taylor
gtaylor at tnetconsulting.net
Wed May 2 18:50:38 UTC 2018

On 05/02/2018 12:23 PM, Blason R wrote:
> I would really appreciate if someone can shed light; if DNS based
> advanced attacks can be stopped using DNS RPZ? Like DNS beacon channels
> or Data Exfiltration through DNS queries.

If you know fixed aspects of the queries / responses, you can very
likely filter them with Response Policy Zone.

However I think you will need Response Policy Service to be able to do
more instrumentation / trending / tracking and filtering of unknown
ahead of time aspects.

I think of RPS for DNS much like I think of milters for Sendmail.

It's my understanding that RPS support is in BIND. However I'm not
aware of any free RPS filters. I think there is at least one commercial
implementation.

--
Grant. . . .
unix || die
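
The distinction drawn in the reply, as an added example that is not part of the original message or of BIND: trending over query logs to find a zone receiving many distinct, long, random-looking subdomains, then emitting the fixed RPZ entries that block it. It runs offline over logs and is not an RPS implementation; the log lines are constructed, the function names and thresholds are hypothetical, and treating the last two labels as the parent zone is an assumption.

```python
import math
import re
from collections import defaultdict

# Matches the "query: <name> IN <type>" part of a BIND-style query log line.
QUERY_RE = re.compile(r"query: (\S+) IN \S+")

def entropy(s):
    """Shannon entropy of the characters in s, in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def split_name(qname, zone_labels=2):
    """Split into (subdomain part, parent zone). Assumption: the parent zone is
    the last two labels; a real deployment would use a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])

def suspicious_zones(lines, min_unique=4, min_len=20, min_entropy=3.0):
    """Trend queries per parent zone; flag zones that receive many distinct,
    long, random-looking subdomains (thresholds are illustrative)."""
    seen = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            sub, zone = split_name(m.group(1))
            if len(sub) >= min_len and entropy(sub) >= min_entropy:
                seen[zone].add(sub)
    return sorted(z for z, subs in seen.items() if len(subs) >= min_unique)

def rpz_records(zones):
    """RPZ entries returning NXDOMAIN (CNAME .) for each zone and everything under it."""
    return [rec for z in zones for rec in (f"{z} CNAME .", f"*.{z} CNAME .")]

# Constructed sample log lines (not from the thread).
_HEX = "3f9a1c07e5b2d846" * 2
SAMPLE = [f"client 192.0.2.10#53000 ({_HEX[i:i + 24]}.tunnel.example): "
          f"query: {_HEX[i:i + 24]}.tunnel.example IN TXT +" for i in range(5)]
SAMPLE += ["client 192.0.2.11#53001 (www.example.org): query: www.example.org IN A +",
           "client 192.0.2.11#53002 (mail.example.org): query: mail.example.org IN MX +"]

if __name__ == "__main__":
    print("\n".join(rpz_records(suspicious_zones(SAMPLE))))
```

The emitted lines are owner names relative to the policy zone, so they go into the RPZ zone file as-is.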