On 12/03/2019, 20:37, "Doh on behalf of Stephane Bortzmeyer"
<[email protected] on behalf of [email protected]> wrote:
> On Tue, Mar 12, 2019 at 04:55:11PM +0100,
> Neil Cook <[email protected]> wrote
> a message of 22 lines which said:
>
> > Actually many enterprises (particularly banks etc.) do not allow DNS
> > resolution directly from employee endpoints.
>
> They block UDP/53, which is not the same thing. Malware or
> non-cooperating applications can do name resolution by other means. I
> still do not understand why people have a problem with DoH which did
> not already exist before with
> my-own-name-resolution-protocol-over-HTTPS.
It is common practice for malware operators to use bona fide DNS infrastructure
(including resolvers) to communicate with the malware application. One useful
example is DGAs [1]. This practice is cheaper and more robust for malware
operators than setting up their own DNS resolver service, not to mention
implementing a proprietary protocol. It also helps isolate the malware operator
from the malware, as these communications all happen through legit services (all
the malware operator has to do to trigger the resident malware is to register a
domain).

DoH, and specifically the (intended) inability to distinguish DoH from other
traffic, makes this practice much harder to detect and to block - which is why
this is a problem that did not already exist before.
[1]
https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
Yishai
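Added example, not from this thread or any of its authors: a small heuristic DGA detector run over resolver query logs, to make concrete the kind of network-side visibility the post above is talking about. The log format, the sample lines and the thresholds are constructed for this example; a resolver or middlebox that sees plain UDP/53 can apply logic like this, whereas with DoH to an external server it sees only TLS, so the same check has to move to the endpoint or to a DoH resolver the enterprise runs itself.

```python
"""Heuristic DGA detection over resolver query logs (added example).

Assumptions (constructed for this example, not from the thread):
  - log lines look like "<unix_ts> <client_ip> <qname> <rcode>"
  - a DGA-style burst is several NXDOMAIN answers for long, high-entropy,
    vowel-poor registrable labels from one client
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log: one normal client (10.0.0.5) and one client
# (10.0.0.9) walking through a batch of generated-looking names that
# have not been registered yet, hence NXDOMAIN.
SAMPLE_LOG = """\
1552402800 10.0.0.5 www.example.com. NOERROR
1552402801 10.0.0.5 mail.example.com. NOERROR
1552402802 10.0.0.9 xk3j9qz7hv2bnf.com. NXDOMAIN
1552402803 10.0.0.9 q8w2rt7yvm4pzl.net. NXDOMAIN
1552402804 10.0.0.9 p0s9dfg3hjk2lz.info. NXDOMAIN
1552402805 10.0.0.9 m7nb4vc1xz6asd.com. NXDOMAIN
1552402806 10.0.0.9 update.microsoft.com. NOERROR
1552402807 10.0.0.5 cdn.cloudflare.net. NOERROR
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def parse_log(text):
    """Parse log lines into (ts, client, qname, rcode); skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        records.append((int(ts), client, qname.rstrip(".").lower(), rcode))
    return records


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for empty or single-symbol)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Naive second-to-last label; production code would consult the
    public suffix list so that e.g. foo.co.uk yields 'foo'."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else qname


def looks_generated(qname, min_len=12, min_entropy=3.3, max_vowel_ratio=0.3):
    """Crude DGA heuristic: long, high-entropy, vowel-poor registrable label.
    Thresholds are illustrative, not tuned against real traffic."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def suspicious_clients(records, min_hits=3):
    """Map client -> list of generated-looking NXDOMAIN names, keeping only
    clients that crossed min_hits (a single odd name is not a signal)."""
    hits = defaultdict(list)
    for _ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN" and looks_generated(qname):
            hits[client].append(qname)
    return {c: q for c, q in hits.items() if len(q) >= min_hits}


if __name__ == "__main__":
    for client, names in suspicious_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {len(names)} DGA-like NXDOMAIN queries, e.g. {names[0]}")
```

The NXDOMAIN condition is what makes this cheap for a resolver operator: a DGA client tries many candidate names per day and only the one the operator registered resolves, so the failures are the loud part. That is also exactly the signal a network observer loses once the queries ride inside TLS to a DoH server it does not control.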
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop