Data exfiltration using DNS RPZ

Vadim Pavlov pvm_job at mail.ru
Sun Jun 17 16:46:38 UTC 2018


Hi,

RPZ is just a simple feature to block/log/redirect DNS requests. It doesn't analyse DNS requests & responses or client behaviour.
So RPZ can block a domain which is used for DNS exfil/infil/tunneling, but to detect exfiltration you should use 3rd-party tools/software (e.g. Infoblox Threat Insight).
+ do not forget that "qname-wait-recurse" should be switched off, and an RPZ with such domains must come before (e.g. first) in order any zone which contains IP/NS-based rules.

Vadim
> On 17 Jun 2018, at 08:43, Blason R <blason16 at gmail.com> wrote:
> 
> Hi Team,
> 
> Can someone please guide if DNS exfiltration techniques can be identified using DNS RPZ? Or do I need to install any other third-party tool like an IDS to identify the DNS beacon channels?
> 
> Has anyone used DNS RPZ to block/detect data exfiltration?
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
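The two configuration points made in the reply above (qname-wait-recurse switched off, and the QNAME-rule zone ordered before any IP/NS-rule zone), written out as an added example. This is not configuration from the original message or from ISC's documentation; the zone names rpz.qname.local and rpz.ipns.local, the file paths, the tunnelling domain exfil.example, the name server ns.exfil.example and the address 192.0.2.53 are all assumptions chosen for illustration.

```conf
// ---- named.conf fragment (assumed example; names and addresses are made up) ----
options {
    recursion yes;

    response-policy {
        // 1) QNAME rules first. A query for a name under the tunnelling domain
        //    is answered from policy without the resolver ever recursing.
        zone "rpz.qname.local" policy given;
        // 2) NSDNAME/NSIP rules afterwards. These triggers can only be evaluated
        //    once recursion has happened, so this zone must not precede the QNAME zone.
        zone "rpz.ipns.local"  policy given;
    }
    // qname-wait-recurse belongs to the response-policy statement itself.
    // With the default ("yes") BIND recurses before applying QNAME triggers, so the
    // query carrying the exfiltrated data would still reach the attacker's
    // authoritative server; "no" answers from policy first.
    qname-wait-recurse no;
};

// Local master copies of the policy zones (could also be slaved from a feed)
zone "rpz.qname.local" {
    type master;
    file "/etc/bind/rpz.qname.local.db";
    allow-query { localhost; };
};

zone "rpz.ipns.local" {
    type master;
    file "/etc/bind/rpz.ipns.local.db";
    allow-query { localhost; };
};

// ---- /etc/bind/rpz.qname.local.db : QNAME triggers (assumed example) ----
$TTL 300
@                   IN SOA  localhost. root.localhost. ( 2018061701 3600 900 2419200 300 )
                    IN NS   localhost.
; The domain itself and every label beneath it (the encoded payload lives in the
; leftmost labels, so the wildcard is what actually catches the tunnel).
; "CNAME ." = NXDOMAIN, "CNAME *." = NODATA, "CNAME rpz-passthru." = allow but log.
exfil.example       CNAME   .
*.exfil.example     CNAME   .

// ---- /etc/bind/rpz.ipns.local.db : NSDNAME / NSIP triggers (assumed example) ----
$TTL 300
@                   IN SOA  localhost. root.localhost. ( 2018061701 3600 900 2419200 300 )
                    IN NS   localhost.
; Any name served by this name server, matched after recursion.
ns.exfil.example.rpz-nsdname     CNAME   .
; Any name whose name server is 192.0.2.53/32, encoded as prefix.B4.B3.B2.B1.rpz-nsip
32.53.2.0.192.rpz-nsip           CNAME   .
```

To check the QNAME rule is applied before recursion, query a name under the blocked domain (e.g. `dig @127.0.0.1 AAAA somedata.exfil.example`), expect NXDOMAIN, and confirm in the query log or with a packet capture that no upstream query for that name left the resolver. Note that this only stops domains you already know about; a domain the attacker registered an hour ago is not in any of these zones, which is the gap the reply above says RPZ alone cannot close.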
