Data exfiltration using DNS RPZ
pvm_job at mail.ru
Sun Jun 17 16:52:38 UTC 2018
DNSSEC can be used for infiltration/tunneling (when you get data from DNS servers), but there is a catch: such requests can be easily dropped.
> On 17 Jun 2018, at 09:44, Sten Carlsen <stenc at s-carlsen.dk> wrote:
> Interesting, the DNSSEC records with their by definition random and large content seem to be the most interesting vehicle, at least at first sight.
> Will e.g. the google DNS server or any other resolver deliver and fetch this data? At the moment I can't think of any reason it should not do so.
> To really block this, I think you would need to actually verify the correctness of the data.
> On 17-06-2018 08.43, Blason R wrote:
>> Hi Team,
>> Can someone please guide if DNS exfiltration techniques can be identified using DNS RPZ? Or do I need to install any other third party tool like an IDS to identify the DNS beacon channels?
>> Has anyone used DNS RPZ to block/detect data exfiltration?
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> Best regards
> Sten Carlsen
> No improvements come from shouting:
> "MALE BOVINE MANURE!!!"
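The detection half of the original question, as an added example that is not code from this thread, from ISC or from BIND: RPZ is a policy mechanism, so it can only act on triggers you have already loaded (QNAME, response IP, NSDNAME, NSIP, client IP); it does not by itself recognise a tunnelling domain it has never seen. The script below reads BIND query-log lines, groups queries by registrable domain, scores the subdomain labels for traits typical of DNS tunnels (nearly every query is a new name, labels are long and high-entropy, TXT/NULL-heavy) and then emits the RPZ records (`CNAME .`, the NXDOMAIN action) that would block a flagged domain and its subdomains. The log lines are constructed, the registrable domain is approximated as the last two labels (no public-suffix list), and the thresholds are assumptions to tune against your own traffic, since CDN hostnames and similar can look alike.

```python
"""Flag tunnel-like DNS query patterns in BIND query logs and emit RPZ records.

RPZ blocks only names it already has a policy for, so the detection step has
to come from somewhere else, for example from scoring the query log.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample of BIND query-log lines (not taken from the thread).
# Client 192.0.2.20 queries six unique 32-character hex labels under one domain.
SAMPLE_LOG = """\
17-Jun-2018 16:50:01.001 client @0x7f3c2c0e1a10 192.0.2.10#53422 (www.example.com): query: www.example.com IN A + (192.0.2.1)
17-Jun-2018 16:50:02.002 client @0x7f3c2c0e1a10 192.0.2.11#53423 (www.example.com): query: www.example.com IN A + (192.0.2.1)
17-Jun-2018 16:50:03.003 client @0x7f3c2c0e1a10 192.0.2.10#53424 (www.example.com): query: www.example.com IN AAAA + (192.0.2.1)
17-Jun-2018 16:50:04.004 client @0x7f3c2c0e1a10 192.0.2.12#53425 (example.com): query: example.com IN MX + (192.0.2.1)
17-Jun-2018 16:50:05.005 client @0x7f3c2c0e1a10 192.0.2.10#53426 (mail.example.org): query: mail.example.org IN A + (192.0.2.1)
17-Jun-2018 16:50:06.006 client @0x7f3c2c0e1a10 192.0.2.11#53427 (mail.example.org): query: mail.example.org IN A + (192.0.2.1)
17-Jun-2018 16:50:07.007 client @0x7f3c2c0e1a10 192.0.2.12#53428 (imap.example.org): query: imap.example.org IN A + (192.0.2.1)
17-Jun-2018 16:50:08.008 client @0x7f3c2c0e1a10 192.0.2.20#40001 (0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.exfil-example.test): query: 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.exfil-example.test IN TXT + (192.0.2.1)
17-Jun-2018 16:50:09.009 client @0x7f3c2c0e1a10 192.0.2.20#40002 (3a7c1e9f0b2d4685d8e5f1a2c3b49706.t.exfil-example.test): query: 3a7c1e9f0b2d4685d8e5f1a2c3b49706.t.exfil-example.test IN TXT + (192.0.2.1)
17-Jun-2018 16:50:10.010 client @0x7f3c2c0e1a10 192.0.2.20#40003 (9b4d2f6e8a0c13575c3e1a7f9b2d4806.t.exfil-example.test): query: 9b4d2f6e8a0c13575c3e1a7f9b2d4806.t.exfil-example.test IN A + (192.0.2.1)
17-Jun-2018 16:50:11.011 client @0x7f3c2c0e1a10 192.0.2.20#40004 (6e2a8c4f0b1d3957b3f7d1a5c9e20486.t.exfil-example.test): query: 6e2a8c4f0b1d3957b3f7d1a5c9e20486.t.exfil-example.test IN TXT + (192.0.2.1)
17-Jun-2018 16:50:12.012 client @0x7f3c2c0e1a10 192.0.2.20#40005 (1c5e9a3f7b0d2648f0e1d2c3b4a59687.t.exfil-example.test): query: 1c5e9a3f7b0d2648f0e1d2c3b4a59687.t.exfil-example.test IN A + (192.0.2.1)
17-Jun-2018 16:50:13.013 client @0x7f3c2c0e1a10 192.0.2.20#40006 (4f8b0e6a2c9d1375a6c4e2f0b8d91735.t.exfil-example.test): query: 4f8b0e6a2c9d1375a6c4e2f0b8d91735.t.exfil-example.test IN A + (192.0.2.1)
"""

# Matches the "client [@0x...] IP#port (name): query: name IN type" part of a querylog line.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (client, qname, qtype) for every line that looks like a BIND query-log entry."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def shannon_entropy(s):
    """Bits of entropy per character; random hex labels sit near 4.0, words well below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_domain(qname):
    """Assumption: approximate the zone apex as the last two labels (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_domains(records, min_queries=5, min_unique_ratio=0.8, min_label_len=20, min_entropy=3.5):
    """Return {domain: stats} for domains whose subdomain queries look like a tunnel.

    Thresholds are assumptions; tune them against your own baseline traffic.
    """
    stats = defaultdict(lambda: {"total": 0, "names": set(), "label_lens": [], "entropies": [], "txt_null": 0})
    for _client, qname, qtype in records:
        dom = registrable_domain(qname)
        st = stats[dom]
        st["total"] += 1
        if qname != dom:
            prefix = qname[: -(len(dom) + 1)]      # everything left of the registrable domain
            st["names"].add(prefix)
            first = prefix.split(".")[0]          # the leftmost label carries the payload in most tunnels
            st["label_lens"].append(len(first))
            st["entropies"].append(shannon_entropy(first))
        if qtype in ("TXT", "NULL"):
            st["txt_null"] += 1

    flagged = {}
    for dom, st in stats.items():
        if st["total"] < min_queries or not st["label_lens"]:
            continue
        unique_ratio = len(st["names"]) / st["total"]
        mean_len = sum(st["label_lens"]) / len(st["label_lens"])
        mean_ent = sum(st["entropies"]) / len(st["entropies"])
        if unique_ratio >= min_unique_ratio and mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged[dom] = {
                "queries": st["total"],
                "unique_ratio": round(unique_ratio, 2),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "txt_null_queries": st["txt_null"],
            }
    return flagged


def rpz_records(domains):
    """RPZ zone data for the flagged domains: 'CNAME .' is the NXDOMAIN action, the wildcard covers subdomains."""
    lines = []
    for dom in sorted(domains):
        lines.append(f"{dom} CNAME .")
        lines.append(f"*.{dom} CNAME .")
    return lines


if __name__ == "__main__":
    found = score_domains(parse_query_log(SAMPLE_LOG))
    for dom, st in found.items():
        print(dom, st)
    print("\n".join(rpz_records(found)))
```

Run against the sample, only exfil-example.test is flagged (six queries, six unique names, 32-character labels at 4.0 bits per character), while example.com, which also has several queries, is not, because almost all of them repeat the same short label. The two emitted records can be added to the zone named in your `response-policy` statement; the detection itself is what RPZ does not give you, so in practice this scoring runs on the query log (or on an IDS feed) and feeds the policy zone, rather than the other way round.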