Data exfiltration using DNS RPZ

Grant Taylor gtaylor at
Sun Jun 17 17:01:50 UTC 2018

On 06/17/2018 09:43 AM, Blason R wrote:
> Can someone please guide if DNS exfiltration techniques can be 
> identified using DNS RPZ?

I don't think that Response Policy *Zone* can do what you want to do. 
(I've often wondered about this my self and have spent some time 
thinking about it.)

> Or do I need to install any other third party tool like IDS to identify 
> the the DNS beacon channels.

I don't think you need to replace BIND with another tool.

BIND has a relatively new feature called Response Policy *Service* that 
I think is well suited to this.

I think of BIND's RPS much like I do Sendmail's Milter or Cisco' WCCP, 
in that they provide a way for BIND (Sendmail, Cisco routers) to ask 
something else to do the filtering for them.

Queries come to BIND and it serves them mostly like normal with the 
exception being that it gives the RPS daemon an opportunity to do some 
more intelligent filtering.  The RPS daemon can (theoretically) do some 
analysis on the queries including number of queries (to a given 
(sub)domain), the length of the queries, the type and length of the 
reply, etc.

In short, RP*S* allows active processing to be done on the query.  Where 
as RP*Z* is only doing a simple textual match

BIND includes the RPS interface for other RPS daemons to interact with. 
I believe there is at least one commercial RPS daemon.  I'm not aware of 
any open source RPS daemons (yet).

> Has anyone used DNS RPZ to block/detect data exfiltration?

I don't think that RPZ is a good candidate for this, given it's textual 
matching.  I do think that RPS will be a MUCH better match for this as 
it matures.

Grant. . . .
unix || die

More information about the bind-users mailing list