NXDOMAIN data leakage prevention

Amanda Constant amanda.constant at secure64.com
Mon Oct 1 17:30:19 UTC 2018


I am out of the office October 1st & 2nd and will respond to your message as quickly as possible once I return.

Amanda

On Oct 1, 2018, at 11:27 AM, Amanda Constant via Unbound-users <unbound-users at nlnetlabs.nl> wrote:

> I am out of the office October 1st & 2nd and will respond to your message as quickly as possible once I return.
> 
> Amanda
> 
> On Oct 1, 2018, at 5:39 AM, daniela daniela via Unbound-users <unbound-users at nlnetlabs.nl> wrote:
> 
> This is a very serious problem. I would like insight as well.
> I have noticed in my logs such activity, e.g. from cloudfront.net and others.
> 
> There is no silver bullet, we all know that. The domains hosting malicious programs (and their social engineering) should, as far as possible, not be reachable from the machines, and programs should not be able to install in a straightforward manner anyway. The known bad IP ranges should be dropped. The questionable domains should be DNS blackholed. And then what? The well-known domains? What shall we do, cut off most of the internet? One may as well pull the plug, it’s faster.
> 
> Sometimes I wonder if in a few years we will be back to a hosts file with the few thousand relatively trustworthy hosts we care for. Then again, who knows what the next machine does. My packets have to hop to a next machine, I don't control the internet :(
> 
> On Monday, October 1, 2018, Chris via Unbound-users <unbound-users at nlnetlabs.nl> wrote:
> I was reading a disturbing article on ways that DNS can be used to get data past firewalls and for malicious programs to communicate with a command and control center via DNS NXDOMAIN.
> 
> Right off hand I don't see a way to block this? Looking at my NXDOMAIN lookups, it's quite pervasive and coming from a large number of sources. It's clearly being used by A LOT of people.
> 
> Is there a way I can use Unbound to mitigate this threat? This is a serious issue because I don't see how to block this.
> 
> https://www.plixer.com/blog/detecting-malware/security-vendors-teaching-bad-actors-how-to-get-past-firewalls/
> 
> 
> ______________________________________________________________________
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com
> ______________________________________________________________________
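A detection pass over resolver logs, as an added example that is not from this thread: it assumes Unbound's `log-replies: yes` line format (client, qname, qtype, qclass, rcode, resolve time, cache flag, size), a constructed sample log, and illustrative thresholds, and flags clients whose NXDOMAIN answers are dominated by unique, high-entropy labels, which is the shape the NXDOMAIN channel from the linked article leaves behind.

```python
# Added example, not from the thread. Assumes Unbound reply logging (log-replies: yes)
# with lines of the form: info: <client> <qname> <qtype> <qclass> <rcode> <secs> <cache> <bytes>
# SAMPLE_LOG is constructed; 198.51.100.7 plays the tunnelling client.
import math
import re
from collections import defaultdict

REPLY_RE = re.compile(
    r"info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+) "
    r"(?P<rcode>\S+) [\d.]+ \d+ \d+"
)

SAMPLE_LOG = """\
[1538412345] unbound[123:0] info: 192.0.2.10 www.example.net. A IN NOERROR 0.012 0 60
[1538412346] unbound[123:0] info: 192.0.2.10 typo.example.net. A IN NXDOMAIN 0.010 0 100
[1538412347] unbound[123:0] info: 198.51.100.7 4f2a9c1d0e.t.evil-example.org. A IN NXDOMAIN 0.080 0 110
[1538412348] unbound[123:0] info: 198.51.100.7 b7e3d91a55.t.evil-example.org. A IN NXDOMAIN 0.079 0 110
[1538412349] unbound[123:0] info: 198.51.100.7 9c0f1e2d3b.t.evil-example.org. A IN NXDOMAIN 0.081 0 110
[1538412350] unbound[123:0] info: 198.51.100.7 a1b2c3d4e5.t.evil-example.org. A IN NXDOMAIN 0.078 0 110
"""

def shannon_entropy(label):
    """Bits per character of a label; encoded payload labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_replies(text):
    """Yield the named fields of every reply line that matches REPLY_RE."""
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m.groupdict()

def suspicious_clients(log_text, min_nx=3, min_ratio=0.5, min_entropy=2.5):
    """Clients whose NXDOMAIN answers are mostly unique, high-entropy names."""
    totals, nx_names = defaultdict(int), defaultdict(set)
    for r in parse_replies(log_text):
        totals[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nx_names[r["client"]].add(r["qname"])
    flagged = {}
    for client, names in nx_names.items():
        ratio = len(names) / totals[client]  # unique NXDOMAIN names per query seen
        entropy = sum(shannon_entropy(n.split(".")[0]) for n in names) / len(names)
        if len(names) >= min_nx and ratio >= min_ratio and entropy >= min_entropy:
            flagged[client] = {"nxdomain": len(names), "ratio": ratio, "entropy": entropy}
    return flagged
```

Flagged clients are candidates for inspection, not verdicts; legitimate NXDOMAIN noise (search-domain suffixing, stale CDN names) still occurs, so tune the thresholds against a baseline of your own logs.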