The problem is that the domain being queried will be reached with a
recursive query, and will include in the response (especially in TXT
items) the C2 data. That won't be mitigated by choosing specific DNS
servers for your queries, unless your specific DNS servers have some
way to scrub the query results, or to deny them for known bad domains.

Kurt

On Fri, Oct 16, 2015 at 8:17 PM, Micheal Espinola Jr
<[email protected]> wrote:
> Anything can be "tunneled". In this case, restrict DNS to specific servers
> (internal and/or external) to prevent rogue connections.
>
> --
> Espi
>
>
> On Fri, Oct 16, 2015 at 7:59 PM, Richard Stovall <[email protected]> wrote:
>>
>> I had not heard of this before.
>>
>> https://zeltser.com/c2-dns-tunneling/
>>
>> How in the world can most SMBs ever begin to beat back this kind of stuff?
>
>
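Kurt's point is that locking clients to approved resolvers does nothing by itself, because those resolvers still recurse to the attacker's authoritative server and hand back the TXT data; the resolver layer needs a way to spot or deny the domains involved. The following Python is an added example, not code from this thread, showing one such heuristic run over resolver query logs: flag domains that receive repeated TXT queries whose leftmost label looks like encoded data. The log line format, the domain c2-tunnel.test and the thresholds are all constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log lines (not from the original thread).
# Assumed format: "<timestamp> client <ip> query: <qname> IN <qtype>"
SAMPLE_LOG = """\
2015-10-16T20:01:01 client 10.0.0.5 query: www.example.com IN A
2015-10-16T20:01:02 client 10.0.0.5 query: mail.example.com IN MX
2015-10-16T20:01:03 client 10.0.0.9 query: 3q7v9x2k1mzp8r4t5w.c2-tunnel.test IN TXT
2015-10-16T20:01:04 client 10.0.0.9 query: a81hz0qle9m2pvw7ck.c2-tunnel.test IN TXT
2015-10-16T20:01:05 client 10.0.0.9 query: ty5nb6rq1x0e2jd8mf.c2-tunnel.test IN TXT
2015-10-16T20:01:06 client 10.0.0.9 query: kk3p9s1z7wq4vn8hlx.c2-tunnel.test IN TXT
2015-10-16T20:01:07 client 10.0.0.5 query: _dmarc.example.com IN TXT
"""

LINE_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; encoded/random-looking data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude last-two-labels approximation; production code should use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_tunnel_candidates(log_text: str, min_txt: int = 3,
                           min_entropy: float = 3.5, min_label: int = 15) -> dict:
    """Return {domain: count} for domains that got at least min_txt TXT queries
    whose leftmost label is long and high-entropy (assumed thresholds)."""
    suspicious = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("qtype") != "TXT":
            continue
        first_label = m.group("qname").split(".")[0]
        if len(first_label) >= min_label and shannon_entropy(first_label) >= min_entropy:
            suspicious[registered_domain(m.group("qname"))] += 1
    return {d: n for d, n in suspicious.items() if n >= min_txt}


if __name__ == "__main__":
    print(find_tunnel_candidates(SAMPLE_LOG))  # {'c2-tunnel.test': 4}
```

Legitimate TXT lookups such as `_dmarc.example.com` fall below the label-length threshold and are not flagged; a domain that does trip the heuristic is a candidate for the resolver-side deny list Kurt mentions, after analyst review.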