DNS discovery

Sadly even in this day and age of data portability many DNS providers don’t like to let you export your own DNS data. Having finally received one too many PDF exports of a zone file I thought there must be an easier way to make my life simpler. Whilst I’m aware of some DNS providers that will make a stab at pre-populating your domain for you when you transfer domains, there doesn’t seem to be a general tool for achieving this task. The closest thing I could find was DNSdumpster which misses some of the obvious things and isn’t in the friendliest of formats. At this point there was only one thing to do. Write a quick and dirty tool for finding the well known RR’s for any given domain and present them in a BIND friendly format. From far too many years of transferring domains from a variety of… Continue reading

Mitigating against and observing DoH – a real world deployment

DoH data flow

Whilst there has been a lot of discussion about the impact and usage of DNS-over-HTTPs there is so far very little data on how widely its usage has been adopted let alone what the traffic looks like. By adopting a layered approach using response policy zones and an internal DNS-over-HTTPS infrastructure it’s possible to start to get a clearer picture of DoH usage. Within a typical Enterprise environment, you would expect the use of external DNS servers to already be prohibited. The use of DNS-over-HTTPS is thus no different from any other tunnelling software that is used to circumvent such security controls. The simple approach to resolving this issue would be to just block DoH providers at the firewall as they were identified. However, maintaining such a list, as with any black list, will present some challenges and would be better managed by commercial providers. A more layered approach provides… Continue reading

DNS in applications a rebuttal

There’s an awful lot going on in the world of DoH at the moment – so rather than writing one huge rambling post I’m going to try and cover everything in several shorter rambling posts. I’m going to start with taking a look at a presentation that Mozilla did regarding “DNS in applications”, which I have many issues with and I think highlights the fundamental disconnect between the Mozilla developers and people that actually have to deal with network and user security. A lot of this has been discussed extensively on the IETF “Applications doing DNS” discussion list. If you’re on that list I’m not going to be saying anything much new, but with that said let’s start looking at the presentation. Continue reading

Defence against the DoH! Arts

I’m afraid it’s another post about DNS-over-HTTPS, but there’s a lot going on. Whilst the current crop of DoH servers don’t suffer from the same problems as normal open DNS resolvers, they do have issues of their own. Whilst fans of DoH are right when they that nothing stopped applications from doing their own DNS before and that the bad guys have always tunnelled data over other protocols. It is also true that DoH has massively lowered the bar for them both in terms of readily available libraries and in the provision of vast, highly resilient, free, tunnelling infrastructure provisioned by reputable companies. However I don’t want to get back into that again, instead lets review the latest happenings in the world of Doh. In the last month we’ve had : a DoH controlled spam campaign, the first malware to leverage DoH and Mozilla nominated for Internet villain of the… Continue reading