<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">DNSSEC can be used for infiltration/tunneling (when you get data from a DNS servers) but there is a catch that such requests can be easily dropped.</div><div class=""><br class=""></div>Vadim<br class=""><div><blockquote type="cite" class=""><div class="">On 17 Jun 2018, at 09:44, Sten Carlsen <<a href="mailto:stenc@s-carlsen.dk" class="">stenc@s-carlsen.dk</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" class="">
<div text="#000000" bgcolor="#FFFFFF" class=""><p class="">Interesting, the Dnssec records with their by definition random
and large content seems to be the most interesting vehicle, at
least at first sight.</p><p class="">Will e.g. the google DNS server or any other resolver deliver and
fetch this data? At the moment I can't think of any reason it
should not do so.</p><p class="">To really block this, I think you would need to actually verify
the correctness of the data.<br class="">
</p>
<br class="">
<div class="moz-cite-prefix">On 17-06-2018 08.43, Blason R wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:CAPPXLT-7c49YX+fzWzmy+JwJJ78rRtaxvL_mmutQGZap53HWfg@mail.gmail.com" class="">
<div dir="ltr" class="">Hi Team,
<div class=""><br class="">
</div>
<div class="">Can someone please guide if DNS exfiltration techniques can
be identified using DNS RPZ? Or do I need to install any other
third party tool like IDS to identify the the DNS beacon
channels.</div>
<div class=""><br class="">
</div>
<div class="">Has anyone used DNS RPZ to block/detect data exfiltration?</div>
</div>
<!--'"--><br class="">
<fieldset class="mimeAttachmentHeader"></fieldset>
<br class="">
<pre wrap="" class="">_______________________________________________
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list
bind-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
</pre>
</blockquote>
<br class="">
<pre class="moz-signature" cols="72">--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!" </pre>
</div>
_______________________________________________<br class="">Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" class="">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br class=""><br class="">bind-users mailing list<br class=""><a href="mailto:bind-users@lists.isc.org" class="">bind-users@lists.isc.org</a><br class="">https://lists.isc.org/mailman/listinfo/bind-users<br class=""></div></blockquote></div><br class=""></body></html>