NXDOMAIN data leakage prevention

Amanda Constant amanda.constant at secure64.com
Mon Oct 1 17:44:35 UTC 2018

I am out of the office October 1st & 2nd and will respond to your message as quickly as possible once I return.


On Oct 1, 2018, at 11:33 AM, John Peacock via Unbound-users <unbound-users at nlnetlabs.nl> wrote:

> It's not just NXDOMAIN; this exfiltration vector is simply a fact of life with a distributed "database" like DNS.  For example, consider a synthetic CNAME query from an already infected system that encodes dynamic information in the query itself; then the answer to the CNAME could be updated instructions for the exploit code.
> You'd almost have to log all queries and try to analyze them on the fly for anything that was "suspicious".
> John
> On Mon, Oct 1, 2018 at 1:22 PM Chris via Unbound-users <unbound-users at nlnetlabs.nl> wrote:
> Welllll.... Ive done a lot of looking around and I just dont see any 
> solution to this issue. Im not concerned with DoS attacks, those i could 
> deal with. Im concerned for the stunningly stealthy 5 or 6 NXDOMAIN 
> lookups from a scary actor. That kind of thing could transmit a small 
> amount of really damaging info. Or.. A company using this to monitor 
> each client with pings once a minute. The uses of this low rate 
> communications channel is Unbounded and truly scary.
> I know this has been around a long time. Im sorry for my stunned 
> amazement, I just ran into this.
> No matter how I rack my brain, I can't think of any way around this. 
> Short of a registry of every domain before they can be used. So nothing 
> should ever come up NXDOMAIN. Even then,, it will get abused.
> Man, just when I thought I was happy with TLS 1.3 for DNS and DNSSEC. 
> Its just never ending.
> On 10/1/2018 4:03 AM, Chris via Unbound-users wrote:
> > I was reading a disturbing article on ways that DNS can be used to get 
> > data past firewalls and for malicious programs to communicate with a 
> > command and control center via DNS NXDOMAIN.
> >
> > Right off hand I dont see a way to block this ? Looking at my NXDOMAIN 
> > lookups its quite pervasive and coming from a large number of sources. 
> > Its clearly being used by A LOT of people.
> >
> > Is there a way I can use Unbound to mitigate this threat ? This is a 
> > serious issue because i don't see how to block this.
> >
> > https://www.plixer.com/blog/detecting-malware/security-vendors-teaching-bad-actors-how-to-get-past-firewalls/ 
> >
> >
> ______________________________________________________________________
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com
> ______________________________________________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/enriched
Size: 2954 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20181001/088c5ef3/attachment.bin>

More information about the Unbound-users mailing list