Yup.  I already restrict outbound DNS queries to authorized internal DNS
servers.  But what the article makes clear is that strategy isn't
sufficient to protect against this kind of communication.

Oy.

On Fri, Oct 16, 2015 at 11:21 PM, Kurt Buff <[email protected]> wrote:

> The problem is that the domain being queried will be reached with a
> recursive query, and will include in the response (especially in TXT
> items) the C2 data. That won't be mitigated by choosing specific DNS
> servers for your queries, unless your specific DNS servers have some
> way to scrub the query results, or to deny them for known bad domains.
>
> Kurt
>
> On Fri, Oct 16, 2015 at 8:17 PM, Micheal Espinola Jr
> <[email protected]> wrote:
> > Anything can be "tunneled".   In this case, restrict DNS to specific
> > servers (internal and/or external) to prevent rogue connections.
> >
> > --
> > Espi
> >
> >
> > On Fri, Oct 16, 2015 at 7:59 PM, Richard Stovall <[email protected]> wrote:
> >>
> >> I had not heard of this before.
> >>
> >> https://zeltser.com/c2-dns-tunneling/
> >>
> >> How in the world can most SMBs ever begin to beat back this kind of stuff?
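The thread's point is that forcing clients to use approved resolvers does not stop DNS tunneling, because the approved resolver still recurses to the attacker's authoritative server and hands back the TXT payload. What can help is the resolver-side control Kurt mentions: inspecting or denying answers. The script below is an added example (not code from the thread, from Lenny Zeltser's article, or from any product) that shows the detection half of that: it reads a constructed resolver query log and flags (client, domain) pairs whose TXT queries look like tunnel traffic, i.e. many queries with long, high-entropy, never-repeated subdomain labels, plus any domain on a blocklist. The log format, the sample lines, the thresholds, and the "last two labels" approximation of a registered domain are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic). One query per line:
# "<unix_ts> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
1445040001 10.0.0.5 A www.example.com
1445040002 10.0.0.5 TXT aGVsbG8gd29ybGQ.7f3a9c1e2b4d.tunnel-example.test
1445040003 10.0.0.5 TXT ZXhmaWwgZGF0YQ.9a1b2c3d4e5f.tunnel-example.test
1445040004 10.0.0.5 TXT bW9yZSBkYXRh.1122334455aa.tunnel-example.test
1445040005 10.0.0.5 TXT c3RpbGwgbW9yZQ.aabbccddeeff.tunnel-example.test
1445040006 10.0.0.5 TXT bGFzdCBjaHVuaw.0011223344ff.tunnel-example.test
1445040007 10.0.0.7 A mail.example.com
1445040008 10.0.0.7 TXT example.com
1445040009 10.0.0.7 A cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (prefix, registered_domain).

    Assumption for this example: the registered domain is the last two labels.
    A real deployment should use the Public Suffix List instead."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text, blocklist=frozenset(), min_queries=3,
            min_len=20, min_entropy=3.0):
    """Aggregate TXT queries per (client, registered domain) and flag suspects.

    Returns {(client, domain): {"txt_queries", "unique_prefixes", "mean_len",
    "mean_entropy", "reasons"}}; an empty "reasons" list means not flagged."""
    stats = defaultdict(lambda: {"n": 0, "prefixes": set(), "lens": [], "ents": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qtype, qname = parts
        if qtype.upper() != "TXT":
            continue  # the tunnel in the thread carries C2 data in TXT answers
        prefix, domain = split_qname(qname)
        s = stats[(client, domain)]
        s["n"] += 1
        s["prefixes"].add(prefix)
        s["lens"].append(len(prefix))
        s["ents"].append(shannon_entropy(prefix))

    report = {}
    for key, s in stats.items():
        n = s["n"]
        mean_len = sum(s["lens"]) / n
        mean_ent = sum(s["ents"]) / n
        reasons = []
        if key[1] in blocklist:
            reasons.append("blocklisted domain")
        # Tunnels encode data in the label, so every query tends to be unique,
        # long and random-looking; ordinary TXT lookups (SPF, DKIM) are not.
        if n >= min_queries and len(s["prefixes"]) == n:
            if mean_len >= min_len:
                reasons.append("long unique TXT labels")
            if mean_ent >= min_entropy:
                reasons.append("high-entropy TXT labels")
        report[key] = {
            "txt_queries": n,
            "unique_prefixes": len(s["prefixes"]),
            "mean_len": round(mean_len, 2),
            "mean_entropy": round(mean_ent, 2),
            "reasons": reasons,
        }
    return report


def flagged(report):
    """Sorted list of (client, domain) keys that have at least one reason."""
    return sorted(k for k, v in report.items() if v["reasons"])


if __name__ == "__main__":
    for key, v in analyze(SAMPLE_LOG).items():
        print(key, v)
```

Run against the sample log, only the 10.0.0.5 / tunnel-example.test pair is flagged; the single SPF-style TXT lookup for example.com from 10.0.0.7 is not. The same aggregation can be fed from a resolver's query log (BIND, Unbound, dnsmasq with logging on) and the blocklist from whatever threat feed the internal resolvers already enforce, which is the "deny them for known bad domains" path from the thread.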
