[Add] DNS visibility, malware C&C, exfiltration, etc.
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 29 May 2019 20:43 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DA621201D0 for <add@ietfa.amsl.com>; Wed, 29 May 2019 13:43:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NjWW0mCM0vXg for <add@ietfa.amsl.com>; Wed, 29 May 2019 13:43:35 -0700 (PDT)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 437D312012D for <add@ietf.org>; Wed, 29 May 2019 13:43:35 -0700 (PDT)
Received: by mail-qt1-x82e.google.com with SMTP id h1so4353517qtp.1 for <add@ietf.org>; Wed, 29 May 2019 13:43:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=scu1UcevQeq+jyjPpt1BY6DkhPbu6Vrkl8rO50Fa4uA=; b=TAYpCz3W0XPBJ/KYTVkCC4X2taO6ZNjNdPqcaRc2rmpj79dqXQYlr/ChWt76xF8ALM ovwBnbZygcQHgkP9/956pw9kd2vo/7suyT+Kk0Q6tpJEww9/A56gkBTaBaKEjuHYXhcb 3yI3U8pKDOVTnFaLd+mHfsk30NShVTqkbquNgwkm60QYqIJS3gd7x9vnNRz8sB28z0Pl eneDVEp/wgGxqR/dKzYgdvQ1in+E3ZaVbvf9fwJudAIYjAqAkouHPN1XAh+KeqIpdjYH im9I4coenEBobF2021QLpFbS3Q1ZqZpCkDFafn/qJJIVMD++yMLsfUivNAuhnaWR6f5E 0bMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=scu1UcevQeq+jyjPpt1BY6DkhPbu6Vrkl8rO50Fa4uA=; b=llMwMVS7HC2E380h/iWzQI8ksPMeRrysllguPtU+DXAsJyk3tYMq09Y8opF12+pbgo yPCIKACUhGhL1fmtV+GCQW39fMU3spF6SjvwTStTARBoZYfGE/7LJLY29a5JnhkSvEeU SbOqw9xc/aO6kPFGNDC7mVy938FXU1NS7vu/aZlsi1vVkaTJvgRNo9mnBmOsTkGMu0kA Y5ufZ3WtEVO9dGv7YDdMUG4BFp66EpvSr4p0LsZUvV63uisw6V2YiCwpMtvp7MVoD+LV jAticFOM3u4RsxLGU84f3VdNMlZ2qPSS1nCH2fMuSwp+cyJyT/Zpfn7A2SRczQEn/MKZ XzFg==
X-Gm-Message-State: APjAAAWJRaSxfjg79Q4Hnotl9yK66Gsp/OJDptruSs2rfWstrU9EbrVm MpIhF2qdVFJxhrBaosWxCk2IAhbSh0djbs9BcmcsiQ==
X-Google-Smtp-Source: APXvYqwSqZUYD+aqLh7w8956zeWjcdBFFN216kYTAUUY3SI/VvaCa2ma5EuDkBWDZ0x3hU6RUdXukymC//7WV0/RKPg=
X-Received: by 2002:ac8:5485:: with SMTP id h5mr36186qtq.253.1559162613835; Wed, 29 May 2019 13:43:33 -0700 (PDT)
MIME-Version: 1.0
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 29 May 2019 13:43:22 -0700
Message-ID: <CAH1iCiqScUQQ00G+9a8UxU30pmFGPvy0W=EMsbx98dtdYWCSKw@mail.gmail.com>
To: add@ietf.org
Content-Type: multipart/alternative; boundary="000000000000beac29058a0cd524"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/sRvhUdHrqgc74j1koDFVHUlwOic>
Subject: [Add] DNS visibility, malware C&C, exfiltration, etc.
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 May 2019 20:43:38 -0000
<meta-comment> I'll preface this with an observation: If you are reading this, you very likely work in the Internet industry. If not, there's a good chance you rely on the Internet in some way for your livelihood, or things that are important to you. Please keep this in mind, in considerations for the impact of deployment of DoH/DoT. </meta-comment> One problem with DNS over HTTPS, is that it interferes with passive DNS monitoring by authorized parties in the DC/Enterprise use case. A quick survey of blog posts and academic papers on identification and response to malware command and control (C&C), shows that these detection/mitigation systems are heavily reliant on DNS, either directly or indirectly. In particular, DGA (domain generation algorithms) in malware typically can only be observed via their DNS queries, and takedown and/or interception requires that DNS visibility. In some cases, the visibility is local to the victim; in other cases, victims rely on feeds of domain names or IP addresses, to thwart or contain malware activity. The feeds ultimately can be traced back to some third party having the visibility into a DNS monitor. The privacy offered by DoH is a multi-pronged problem. If malware uses DoH, it can do "validation" of the cert for the DoH server it wants to try using, and refuse to use a spoofed replacement, preventing direct intervention as a method of obtaining DNS queries. And if the DoH traffic is going to an attacker-controlled server, the DNS queries are not visible. The second prong is, that if all DNS traffic is going over DoH, there is no way to identify legitimate query names. All HTTPS traffic looks the same, at that point, with no ability to differentiate DoH from regular HTTPS traffic, and no ability to detect change of DoH provider in use. If/when SNI encryption is employed, there is no visibility into names used on HTTPS connections, and it all looks like encrypted traffic to arbitrary IP addresses. Without this visibility, malware infections on user machines inside enterprise networks may go undetected. This can lead to deeper penetration into protected parts of such networks. The inability to block this DoH traffic is (IMHO) the crux of the problem. If DoT is used in its place, then enterprise networks can enforce DNS resolver choice at the network level, including via deployment of internal DoT resolvers which could still protect user privacy (modulo specific enterprises' policies). DoT or Do53 service to resolvers operated by the enterprise, enables the current visibility to be maintained, independent of the presence or absence of TLS to protect those connections. The existence of browsers which support DoH is the underlying problem. Even if DoH is not enabled by default, so long as user-input resolver choice is available, and so long as DoH can be enabled by unprivileged users, all of the above problems continue to exist, i.e. the ability for a user, or malware, to evade detection by DNS monitoring systems. A reasonable compromise might look like: - admin-only enabling of DoH/DoT (which can be a policy pushed to managed systems) - a hardcoded TRR list for DoH/DoT - a default-off configuration - the use of DoT exclusively (instead of DoH) for any non-TRR resolver entry Doing all of these may be enough to mitigate the risk posed by DoH. Doing anything less would not be, and would pose an existential threat to the security of enterprise and DC networks and hosts. (I'm still opposed to DoH generally, but I realize it has valid use cases -- it just needs to be restricted to ONLY those actual use cases to be seen as useful and legitimate.) Brian
- [Add] DNS visibility, malware C&C, exfiltration, … Brian Dickson
- Re: [Add] DNS visibility, malware C&C, exfiltrati… Tom Ritter
- Re: [Add] [EXTERNAL] Re: DNS visibility, malware … Winfield, Alister