Data exfiltration using DNS RPZ

Grant Taylor gtaylor at tnetconsulting.net
Sun Jun 17 17:01:50 UTC 2018


On 06/17/2018 09:43 AM, Blason R wrote:
> Can someone please guide if DNS exfiltration techniques can be 
> identified using DNS RPZ?

I don't think that Response Policy *Zone* can do what you want to do. 
(I've often wondered about this myself and have spent some time 
thinking about it.)

> Or do I need to install any other third party tool like IDS to identify 
> the DNS beacon channels.

I don't think you need to replace BIND with another tool.

BIND has a relatively new feature called Response Policy *Service* that 
I think is well suited to this.

I think of BIND's RPS much like I do Sendmail's Milter or Cisco's WCCP, 
in that they provide a way for BIND (Sendmail, Cisco routers) to ask 
something else to do the filtering for them.

Queries come to BIND and it serves them mostly like normal with the 
exception being that it gives the RPS daemon an opportunity to do some 
more intelligent filtering.  The RPS daemon can (theoretically) do some 
analysis on the queries including number of queries (to a given 
(sub)domain), the length of the queries, the type and length of the 
reply, etc.

In short, RP*S* allows active processing to be done on the query, 
whereas RP*Z* is only doing a simple textual match.

BIND includes the RPS interface for other RPS daemons to interact with. 
I believe there is at least one commercial RPS daemon.  I'm not aware of 
any open source RPS daemons (yet).

> Has anyone used DNS RPZ to block/detect data exfiltration?

I don't think that RPZ is a good candidate for this, given its textual 
matching.  I do think that RPS will be a MUCH better match for this as 
it matures.



-- 
Grant. . . .
unix || die
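The kind of per-(sub)domain query-count and label-length analysis Grant describes an RPS daemon doing, as an added example that is not part of the original post and does not use BIND's RPS interface: a plain Python pass over constructed BIND-style query-log lines that flags zones receiving many queries for distinct, long subdomain names. The thresholds and the "last two labels are the zone" shortcut are assumptions.

```python
import re
from collections import defaultdict
QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Constructed BIND-style query-log lines (not real traffic): four ordinary
# lookups under example.com, then five TXT queries whose leftmost label is a
# distinct 32-character hex blob under bad.example (the classic tunnel shape).
SAMPLE_LOG = "\n".join(
    [f"17-Jun-2018 17:01:5{i}.000 client 192.0.2.10#5432{i}: query: {n} IN A +E(0)K (192.0.2.1)"
     for i, n in enumerate(["www.example.com", "mail.example.com",
                            "www.example.com", "www.example.com"])]
    + [f"17-Jun-2018 17:02:0{i}.000 client 192.0.2.20#4000{i}: query: "
       f"{0x1000 + i:032x}.bad.example IN TXT +E(0)K (192.0.2.1)" for i in range(5)])

def parse_queries(log_text):
    """Yield (qname, qtype) from each query-log line that carries a query."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qname").lower().rstrip("."), m.group("qtype")

def zone_of(qname):
    # Assumption: the last two labels are the registered zone. A real daemon
    # would consult the public suffix list instead of this shortcut.
    return ".".join(qname.split(".")[-2:])

def score_zones(log_text, min_queries=4, min_avg_prefix=20, min_unique_ratio=0.8):
    """Return {zone: stats} for zones whose traffic looks like a covert channel:
    many queries, nearly all for distinct names, with long prefixes before the zone."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "prefix_bytes": 0, "txt": 0})
    for qname, qtype in parse_queries(log_text):
        zone = zone_of(qname)
        s = stats[zone]
        s["queries"] += 1
        s["names"].add(qname)
        # Bytes carried in the labels left of the zone; 0 for the apex itself.
        s["prefix_bytes"] += max(len(qname) - len(zone) - 1, 0)
        if qtype in ("TXT", "NULL"):   # record types that carry bulk data back
            s["txt"] += 1
    flagged = {}
    for zone, s in stats.items():
        avg_prefix = s["prefix_bytes"] / s["queries"]
        unique_ratio = len(s["names"]) / s["queries"]
        if (s["queries"] >= min_queries and avg_prefix >= min_avg_prefix
                and unique_ratio >= min_unique_ratio):
            flagged[zone] = {"queries": s["queries"], "unique_names": len(s["names"]),
                             "avg_prefix_len": round(avg_prefix, 1), "txt_or_null": s["txt"]}
    return flagged
```

Tune the thresholds against a baseline of your own resolver's logs; CDN and anti-spam lookups also produce long, unique labels, so a single threshold set will produce false positives without that baseline.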