NXDOMAIN data leakage prevention

John Peacock jpeacock at messagesystems.com
Mon Oct 1 17:33:30 UTC 2018

It's not just NXDOMAIN; this exfiltration vector is simply a fact of life
with a distributed "database" like DNS.  For example, consider a synthetic
CNAME query from an already infected system that encodes dynamic
information in the query itself; then the answer to the CNAME could be
updated instructions for the exploit code.

You'd almost have to log all queries and try to analyze them on the fly for
anything that was "suspicious".


On Mon, Oct 1, 2018 at 1:22 PM Chris via Unbound-users <
unbound-users at nlnetlabs.nl> wrote:

> Welllll.... I've done a lot of looking around and I just don't see any
> solution to this issue. I'm not concerned with DoS attacks, those I could
> deal with. I'm concerned for the stunningly stealthy 5 or 6 NXDOMAIN
> lookups from a scary actor. That kind of thing could transmit a small
> amount of really damaging info. Or... a company using this to monitor
> each client with pings once a minute. The uses of this low-rate
> communications channel are Unbounded and truly scary.
> I know this has been around a long time. I'm sorry for my stunned
> amazement, I just ran into this.
> No matter how I rack my brain, I can't think of any way around this.
> Short of a registry of every domain before they can be used. So nothing
> should ever come up NXDOMAIN. Even then, it will get abused.
> Man, just when I thought I was happy with TLS 1.3 for DNS and DNSSEC.
> It's just never-ending.
> On 10/1/2018 4:03 AM, Chris via Unbound-users wrote:
> > I was reading a disturbing article on ways that DNS can be used to get
> > data past firewalls and for malicious programs to communicate with a
> > command and control center via DNS NXDOMAIN.
> >
> > Right off hand I don't see a way to block this? Looking at my NXDOMAIN
> > lookups it's quite pervasive and coming from a large number of sources.
> > It's clearly being used by A LOT of people.
> >
> > Is there a way I can use Unbound to mitigate this threat? This is a
> > serious issue because I don't see how to block this.
> >
> > https://www.plixer.com/blog/detecting-malware/security-vendors-teaching-bad-actors-how-to-get-past-firewalls/
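As an illustration of the "log all queries and look for anything suspicious" approach suggested above, here is an added example (not from the thread or the Unbound project) that groups resolver replies by client and zone and flags pairs with many NXDOMAIN answers spread over many distinct leftmost labels. The log lines and the `info: <client> <qname> <qtype> IN <rcode> ...` layout are constructed for the example and only loosely modelled on Unbound's log-replies output; the base-domain guess is a naive last-two-labels rule with no public-suffix list.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample replies: one ordinary client and one client emitting a
# stream of never-repeating, hex-looking labels under a single zone.
SAMPLE_LOG = """\
info: 192.0.2.10 www.example.com. A IN NOERROR 0.010 0 60
info: 192.0.2.10 mail.example.com. A IN NOERROR 0.005 1 60
info: 192.0.2.10 typo.exmaple.com. A IN NXDOMAIN 0.030 0 40
info: 192.0.2.77 6c6162656c30312d30.c2.example.net. CNAME IN NXDOMAIN 0.020 0 45
info: 192.0.2.77 6c6162656c30322d31.c2.example.net. CNAME IN NXDOMAIN 0.021 0 45
info: 192.0.2.77 6c6162656c30332d32.c2.example.net. CNAME IN NXDOMAIN 0.019 0 45
info: 192.0.2.77 6c6162656c30342d33.c2.example.net. CNAME IN NXDOMAIN 0.022 0 45
info: 192.0.2.77 6c6162656c30352d34.c2.example.net. CNAME IN NXDOMAIN 0.018 0 45
"""

# Assumed line layout: client, qname (trailing dot), qtype, class, rcode, ...
LINE_RE = re.compile(r"info: (\S+) (\S+)\. (\S+) IN (\S+)")


def shannon_entropy(s):
    """Bits per character; encoded payload labels score higher than plain words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def base_domain(qname, depth=2):
    """Naive registrable-domain guess: the last `depth` labels of the name."""
    return ".".join(qname.split(".")[-depth:])


def analyze(log_text, nx_threshold=4):
    """Return {(client, zone): stats} for pairs whose NXDOMAIN count and number of
    distinct leftmost labels both reach nx_threshold, i.e. data-in-qname traffic."""
    stats = defaultdict(lambda: {"nxdomain": 0, "labels": set(), "entropies": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a reply line we understand; skip it
        client, qname, _qtype, rcode = m.groups()
        st = stats[(client, base_domain(qname))]
        leftmost = qname.split(".")[0]
        st["labels"].add(leftmost)
        st["entropies"].append(shannon_entropy(leftmost))
        if rcode == "NXDOMAIN":
            st["nxdomain"] += 1
    flagged = {}
    for key, st in stats.items():
        if st["nxdomain"] >= nx_threshold and len(st["labels"]) >= nx_threshold:
            flagged[key] = {"nxdomain": st["nxdomain"], "distinct_labels": len(st["labels"]),
                            "mean_label_entropy": round(sum(st["entropies"]) / len(st["entropies"]), 2)}
    return flagged
```

A single typo-driven NXDOMAIN stays below the threshold, while the client cycling through fresh labels under one zone is reported together with the mean label entropy for a human to weigh.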