NXDOMAIN data leakage prevention

daniela daniela daniela.daniela.daniela.daniela at gmail.com
Mon Oct 1 11:39:06 UTC 2018


This is a very serious problem. I would like insight as well.
I have noticed in my logs such activity, e.g. from cloudfront.net,
and others.

There is no silver bullet, we all know that. The domains hosting malicious
programs (and their social engineering) should as far as possible not be
reachable from the machines, and programs should not be able to install in a
straightforward manner anyway. The known bad IP ranges should be dropped.
The questionable domains should be DNS blackholed. And then what? The well
known domains? What shall we do, cut off most of the internet? One may as
well pull the plug, it's faster.

Sometimes I wonder if in a few years we will be back to a hosts file with
the few thousand relatively trustworthy hosts we care for. Then again,
who knows what the next machine does. My packets have to hop to a next
machine, I don't control the internet :(

On Monday, October 1, 2018, Chris via Unbound-users <unbound-users at nlnetlabs.nl> wrote:

> I was reading a disturbing article on ways that DNS can be used to get
> data past firewalls and for malicious programs to communicate with a
> command and control center via DNS NXDOMAIN.
>
> Right off hand I don't see a way to block this? Looking at my NXDOMAIN
> lookups it's quite pervasive and coming from a large number of sources. It's
> clearly being used by A LOT of people.
>
> Is there a way I can use Unbound to mitigate this threat? This is a
> serious issue because I don't see how to block this.
>
> https://www.plixer.com/blog/detecting-malware/security-vendors-teaching-bad-actors-how-to-get-past-firewalls/
>