07-05-2019 07:05 AM
Some of you might have read recently about some malware that leverages DoH:
So we're all asking ourselves here, what next? How do we protect against this? You can't just block port 443.
Are we going to have to rely on firewalls to do https inspection and look for "dodgy" DNS queries embedded inside the https data stream? That sounds VERY expensive to me.
We have to find a way to protect organisations from this threat; at the moment it seems to rely on ensuring all your browsers have DoH disabled, but how do you enforce that across the myriad of browsers and devices inside organisations these days?
Unless I am missing something, it feels like the genie has been let out of his bottle, and I have no idea how to get him back in!
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
11-27-2019 04:29 AM
As I think I just replied to your other post, the approach we've taken is to block all of the DoH providers we can identify via an RPZ policy, and where possible the IPs at the firewall as well. For malware you can't use a canary domain, so treat DoH providers like any other C&C channel and play whack-a-mole and block them as you identify them.
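To make the RPZ part of that approach concrete, here is an added example of a BIND response-policy zone, not from the poster or their organisation. The hostnames (`doh-provider.example`) and the address range (192.0.2.0/24, the RFC 5737 documentation block) are constructed placeholders; a real deployment would substitute the organisation's own maintained list of DoH resolver names and addresses and bump the SOA serial on every change.

```bind
; rpz.local - constructed example RPZ zone (added illustration, not the poster's config)
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 2019112701 3600 900 604800 300 )
@   IN NS   localhost.

; QNAME triggers: a client that asks for the DoH resolver's hostname (or any
; name beneath it) gets NXDOMAIN, so the HTTPS session never gets an address.
; "doh-provider.example" is a placeholder, not a real provider.
doh-provider.example        CNAME .
*.doh-provider.example      CNAME .

; Response-IP triggers (rpz-ip): fire when an answer from any zone contains an
; address in the listed range, catching CDN-fronted or renamed resolver hosts.
; Label format is <prefix length>.<octets in reverse order>.rpz-ip
; 192.0.2.0/24 is a documentation range used here as a constructed placeholder.
24.0.2.0.192.rpz-ip         CNAME .
; A single host, 192.0.2.53/32, written the same way:
32.53.2.0.192.rpz-ip        CNAME .
```

The zone is enabled in `named.conf` with `response-policy { zone "rpz.local"; };` and a matching `zone "rpz.local" { type master; file "rpz.local"; };`. Two caveats worth keeping in mind: RPZ only acts on queries that pass through your resolver, so a client (or malware) that already holds the DoH resolver's IP address never triggers it, which is exactly why the poster pairs the RPZ with firewall blocks on the same IPs; and BIND logs every rewrite under the `rpz` logging category, so those log lines double as a detection feed for hosts that are attempting DoH in the first place.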