Reply

DoH malware - how do we protect against these threats?

Expert
Posts: 188
2946     0

Some of you might have read recently about some malware that leverages DoH:

 

https://www.techspot.com/news/80791-meet-godlua-first-known-malware-leverages-dns-over.html

 

So we're all asking ourselves here, what next? How do we protect against this? You can't just block port 443.

 

Are we going to have to rely on firewalls to do https inspection and look for "dodgy" DNS queries embedded inside the https data stream? That sounds VERY expensive to me.

 

We have to find a way to protect organisations from this threat, at the moment it seems to rely on ensuring all your browsers have DoH disabled, but how do you enforce that across the myriad of browsers and devices inside organisations these days?

 

Unless I am missing something, it feels like the genie has been let out of his bottle, and I have no idea how to get him back in!

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

ment, block all of the known DoH providersRe: DoH malware - how do we protect against these threats?

New Member
Posts: 2
2947     0

As I think as I just replied to your other post, the approach we've taken is to block all of the DoH providers we can identify via a RPZ policy, and where possible the IPs at the firewall as well. For Malware you can't use a canary domain so treat DoH providers like any other C&C channel and play whack-a-mole and block as you identify them

Showing results for 
Search instead for 
Did you mean: 

Recommended for You