NXDOMAIN data leakage prevention
Chris
Public2 at xymox1.com
Mon Oct 1 17:21:44 UTC 2018
Welllll.... I've done a lot of looking around and I just don't see any
solution to this issue. I'm not concerned with DoS attacks; those I could
deal with. I'm concerned about the stunningly stealthy 5 or 6 NXDOMAIN
lookups from a scary actor. That kind of thing could transmit a small
amount of really damaging info. Or... a company using this to monitor
each client with pings once a minute. The uses of this low-rate
communications channel are unbounded and truly scary.
I know this has been around a long time. I'm sorry for my stunned
amazement; I just ran into this.
No matter how I rack my brain, I can't think of any way around this,
short of a registry of every domain before it can be used, so nothing
should ever come up NXDOMAIN. Even then, it will get abused.
Man, just when I thought I was happy with TLS 1.3 for DNS and DNSSEC.
It's just never ending.
On 10/1/2018 4:03 AM, Chris via Unbound-users wrote:
> I was reading a disturbing article on ways that DNS can be used to get
> data past firewalls and for malicious programs to communicate with a
> command and control center via DNS NXDOMAIN.
>
> Right off hand I don't see a way to block this? Looking at my NXDOMAIN
> lookups, it's quite pervasive and coming from a large number of sources.
> It's clearly being used by A LOT of people.
>
> Is there a way I can use Unbound to mitigate this threat? This is a
> serious issue because I don't see how to block this.
>
> https://www.plixer.com/blog/detecting-malware/security-vendors-teaching-bad-actors-how-to-get-past-firewalls/
>
>
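Since the thread asks what a resolver operator can do, here is an added detection example (not code from the list poster or from the Unbound project): it scans reply-log lines in the shape Unbound emits with `log-replies: yes`, and flags clients whose NXDOMAIN answers are both numerous and carry high-entropy leftmost labels, the pattern the covert channel described above tends to produce. The log lines, client addresses and domain names are constructed for the example; the thresholds are assumptions to tune per network.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines in the shape of Unbound's reply log (log-replies: yes).
# They are not a capture from any real resolver.
SAMPLE_LOG = """\
[1538414504] unbound[1234:0] info: 10.0.0.5 www.example.com. A IN NOERROR 0.004239 0 60
[1538414505] unbound[1234:0] info: 10.0.0.5 mail.example.com. A IN NOERROR 0.003100 1 60
[1538414506] unbound[1234:0] info: 10.0.0.9 a9f3k2q7x1.c2.example.net. A IN NXDOMAIN 0.012345 0 52
[1538414507] unbound[1234:0] info: 10.0.0.9 b8e2j1p6w0.c2.example.net. A IN NXDOMAIN 0.011900 0 52
[1538414508] unbound[1234:0] info: 10.0.0.9 c7d1h0o5v9.c2.example.net. A IN NXDOMAIN 0.010800 0 52
[1538414509] unbound[1234:0] info: 10.0.0.9 d6c0g9n4u8.c2.example.net. A IN NXDOMAIN 0.010100 0 52
[1538414510] unbound[1234:0] info: 10.0.0.9 e5b9f8m3t7.c2.example.net. A IN NXDOMAIN 0.009700 0 52
[1538414511] unbound[1234:0] info: 10.0.0.7 typo-site.example.org. A IN NXDOMAIN 0.020000 0 55
"""

# client, qname, qtype, rcode (the class is always IN here)
LINE_RE = re.compile(r"info: (\S+) (\S+) (\S+) IN (\S+) ")

def label_entropy(label: str) -> float:
    """Shannon entropy in bits/char of one DNS label; encoded payload labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def nxdomain_stats(log_text: str) -> dict:
    """Per client: NXDOMAIN count, parent zones hit, entropy of each leftmost label."""
    stats = defaultdict(lambda: {"nxdomain": 0, "zones": set(), "entropy": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, qname, _qtype, rcode = m.groups()
        if rcode != "NXDOMAIN":
            continue
        labels = qname.rstrip(".").split(".")
        s = stats[client]
        s["nxdomain"] += 1
        s["zones"].add(".".join(labels[-2:]))  # parent zone approximated as the last two labels
        s["entropy"].append(label_entropy(labels[0]))
    return stats

def suspicious_clients(log_text: str, min_nx: int = 5, min_entropy: float = 3.0) -> list:
    """Clients over both thresholds; an ordinary typo (one NXDOMAIN, low entropy) stays clear."""
    flagged = []
    for client, s in nxdomain_stats(log_text).items():
        mean_entropy = sum(s["entropy"]) / len(s["entropy"])
        if s["nxdomain"] >= min_nx and mean_entropy >= min_entropy:
            flagged.append(client)
    return sorted(flagged)
```

Running it over the sample flags only 10.0.0.9, whose five random-looking labels under one parent zone match the low-rate channel the thread worries about, while the single typo from 10.0.0.7 is left alone.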