What is Secure DNS

Within the industry there has been a lot of talk lately about DNS over HTTPS (DoH) and how adversaries use it to resolve command-and-control (C2) domains and exfiltrate data through DNS tunneling without being seen by security tooling, since the queries themselves are encrypted.

Encrypted DNS Protocols

  • DNS over HTTPS (DoH)
  • DNS over TLS (DoT)
  • DNSCrypt

DoH and DoT operate over TCP port 443 and TCP port 853 respectively by default, and DNSCrypt services commonly run over both TCP and UDP port 443. The three protocols differ in design but achieve the same goal: DNS queries are carried over an encrypted channel to a resolver that in turn returns the response. Because DoH shares port 443 with ordinary HTTPS, it cannot be identified by port number alone.

Controlling DNS

Many enterprise networks are blind to outbound DNS: they neither control nor block unknown DNS queries leaving the network. To solve the visibility and enforcement problem, establish choke points (an internal resolver that every client must use, and an egress policy that lets only that resolver speak DNS outward) and block unauthorized channels such as DoH, DoT, DNSCrypt, Tor, I2P, and Freenet.
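The following is an added example, not Shield53's tooling or any code from this page: an egress DNS policy check that applies the port facts above (53 for plain DNS, 853/tcp for DoT, 443 for DoH and DnSCrypt) to flow records and reports which flows bypass the internal resolver choke point. The internal resolver address (10.0.0.53), the flow records and the TEST-NET address 203.0.113.10 are constructed for the example; the resolver hostnames and IPs listed as "known" are well-known public services and are illustrative, not an exhaustive blocklist.

```python
"""Egress DNS policy check over constructed flow records (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Assumption: the one internal resolver that is allowed to resolve names
# on behalf of the network. Every other host must go through it.
INTERNAL_RESOLVER = ip_address("10.0.0.53")

# Well-known public encrypted-DNS endpoints, for illustration only; a real
# deployment would feed this from a maintained list.
KNOWN_DOH_SNI = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
}
KNOWN_RESOLVER_IPS = {
    ip_address(a) for a in ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")
}


@dataclass
class Flow:
    """One outbound connection as a network sensor or firewall log would record it."""
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    sni: Optional[str] = None   # TLS server name, when the sensor extracted one


def classify(flow: Flow) -> str:
    """Return 'allow', or a 'block: ...' / 'alert: ...' reason for the flow."""
    src = ip_address(flow.src)
    dst = ip_address(flow.dst)
    proto = flow.proto.lower()

    # 1. Plain DNS (53/udp and 53/tcp) may only leave via the internal resolver.
    if flow.dport == 53:
        if src == INTERNAL_RESOLVER:
            return "allow"
        return "block: direct DNS to %s bypasses internal resolver" % flow.dst

    # 2. DoT has its own default port (853/tcp); from any other host it is
    #    an unauthorized encrypted channel.
    if proto == "tcp" and flow.dport == 853:
        return "allow" if src == INTERNAL_RESOLVER else "block: DNS over TLS (853/tcp)"

    # 3. DoH hides inside 443/tcp, so the port alone says nothing. Identify it
    #    by TLS SNI or by the destination being a known public resolver.
    if proto == "tcp" and flow.dport == 443:
        if flow.sni and flow.sni.lower() in KNOWN_DOH_SNI:
            return "block: DNS over HTTPS to %s" % flow.sni
        if dst in KNOWN_RESOLVER_IPS:
            return "block: HTTPS to known public resolver %s" % flow.dst
        return "allow"

    # 4. DNSCrypt commonly uses 443/udp, but so does QUIC, so only a known
    #    resolver destination is conclusive; anything else is an alert.
    if proto == "udp" and flow.dport == 443:
        if dst in KNOWN_RESOLVER_IPS:
            return "block: 443/udp to known public resolver %s" % flow.dst
        return "alert: 443/udp to %s (QUIC or DNSCrypt)" % flow.dst

    return "allow"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow that is not plainly allowed, with its reason."""
    return [(f, v) for f in flows if (v := classify(f)) != "allow"]


# Constructed sample flows: one compliant resolver forward, then a workstation
# trying each bypass channel, plus an ordinary HTTPS session as a control.
SAMPLE_FLOWS = [
    Flow("10.0.0.53", "9.9.9.9", "udp", 53),                         # resolver forwarding upstream
    Flow("10.0.5.21", "8.8.8.8", "udp", 53),                         # direct DNS, bypasses resolver
    Flow("10.0.5.21", "1.1.1.1", "tcp", 853),                        # DoT
    Flow("10.0.5.21", "1.1.1.1", "tcp", 443, sni="cloudflare-dns.com"),  # DoH
    Flow("10.0.5.21", "203.0.113.10", "tcp", 443, sni="example.com"),    # normal HTTPS
    Flow("10.0.5.21", "9.9.9.9", "udp", 443),                        # DNSCrypt-style 443/udp
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print("%s -> %s %s/%d: %s" % (flow.src, flow.dst, flow.proto, flow.dport, verdict))
```

The check is only as good as its inputs: SNI-based DoH detection needs a sensor that exposes the TLS server name, and a DoH resolver not on the known list passes as ordinary HTTPS, which is why the internal resolver plus an egress rule that drops 53 and 853 from every other host is the enforcement layer, and the 443 logic is detection on top of it.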

Shield53 offers a range of DNS filtering controls to block malicious and unwanted websites. Ask your CISO today whether egress DNS traffic passes through a central control layer where it is inspected and can be blocked in real time.
