DNS-over-HTTPS (DoH) in malware

That didn’t take long. Malware now hides its secrets in DoH.

https://www.bleepingcomputer.com/ne...evades-traffic-monitoring-via-dns-over-https/

Interesting notion of DNS blocking of DoH for Bind, surely adaptable for dnsmasq.

https://github.com/bambenek/block-doh

Thoughts or ideas without breaking DNS-over-TLS?

I was reading the other day about ISPs crying over DoH, but I also remember reading something about this type of issue as well; one of the main issues of DoH is that it is also where the parasites hide as well.

Good find @dave14305
 
I am envisioning a dnsmasq server hosts file with the known DoH hosts sending to a blackhole IP. Stubby would continue to use the router's resolv.conf based on the current Merlin design, so the initial DoT handshake would not be affected by dnsmasq.

Maybe we'd see SkyNet incorporate iptables rules blocking port 443 traffic to the DoH IPs.

Or maybe this is too risky to implement without harming DoT functionality. I once tried to block the iOS Cloudflare app, being naive enough to just try blocking 1.1.1.1 port 443, but it seems the Cloudflare app was not using the anycast IP.

I wonder how long before bad guys start building Stubby into their malware? :eek:
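A sketch of the dnsmasq blackhole idea from the post above, written as an added example rather than anything from the thread or from block-doh: it turns a list of DoH hostnames into dnsmasq `address=` lines pointing at a sink IP, and skips any hostname that is also configured as a DoT upstream, as a safety check for clients that resolve through dnsmasq rather than the router's resolv.conf. The hostname lists are small constructed samples, not a complete DoH list.

```sh
#!/bin/sh
# Added example (not from the forum thread or the block-doh project).
# Generates dnsmasq "address=/host/sink" lines so known DoH hostnames (and
# their subdomains) resolve to a blackhole IP, while refusing to blackhole
# any hostname that is also a DoT upstream, so DoT is not broken by accident.

# Constructed sample of DoH endpoint hostnames (not the block-doh list).
DOH_HOSTS="dns.google
cloudflare-dns.com
dns.quad9.net"

# Constructed sample of DoT upstream hostnames as a Stubby config might use.
DOT_UPSTREAMS="dns.quad9.net
1dot1dot1dot1.cloudflare-dns.com"

# doh_blackhole_conf DOH_LIST DOT_LIST [SINK_IP]
# Prints one dnsmasq line per DoH host; hosts found in DOT_LIST are emitted
# as a comment instead of a blackhole entry. SINK_IP defaults to 0.0.0.0.
doh_blackhole_conf() {
    doh="$1"; dot="$2"; sink="${3:-0.0.0.0}"
    printf '%s\n' "$doh" | while read -r host; do
        [ -z "$host" ] && continue
        # grep -x: whole-line match, so "dns.google" does not match "dns.google.x"
        if printf '%s\n' "$dot" | grep -qx -- "$host"; then
            echo "# skipped $host: also a DoT upstream"
        else
            echo "address=/$host/$sink"
        fi
    done
}

# blocked_count DOH_LIST DOT_LIST -> number of address= lines that were generated
blocked_count() {
    doh_blackhole_conf "$1" "$2" | grep -c '^address='
}

# Usage: write the result into a dnsmasq conf.d fragment and restart dnsmasq.
# doh_blackhole_conf "$DOH_HOSTS" "$DOT_UPSTREAMS" > /tmp/doh-blackhole.conf
```

Note that dnsmasq's `address=/host/ip` form also matches subdomains of `host`, which is what makes a hosts-style blackhole list cover DoH endpoints served under the listed name.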
 
