8 votes

Malware in the wild using DNS-over-HTTPS (DoH) to pull payload

6 comments

  1. heavyset_go

    I'm of the opinion that doing DNS resolving at the application level is a bad idea, mostly because it's used to get around my content blockers.

    DoH should be implemented at the system or network level, and applications shouldn't circumvent it.

    6 votes
    1. RNG

      > I'm of the opinion that doing DNS resolving at the application level is a bad idea

      I agree with this. I use PiHole and can't imagine using the web any other way. It seems that the device should fundamentally be what determines DNS resolution for all software on it. I think the most important takeaway is going to be for the security professional who isn't aware of the declining efficacy of DNS filtering/monitoring.

      It does feel like the efficacy of DNS filtering to block ads is doomed. Whether it be DoH, WebBundles [1], or something else, when there is this much money sitting on the table, it seems almost certain that a workaround will be found.

      [1] Hacker News: WebBundles harmful to content blocking, security tools, and the open web

      4 votes
    2. vord

      > DoH should be implemented at the system or network level

      Definitely, but especially network. I don't want random devices able to circumvent my local DNS on my home network.

      It's the double-edged sword of encryption. You can use it to protect yourself and break censorship, but it is also a way for manufacturers to take ownership from you.

      3 votes
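vord's and heavyset_go's point above is that the network, not each application, should decide where DNS goes. The following is an added example, not code from the thread or from any project it mentions: a small audit over constructed outbound flow records that enforces a "local resolver only" policy, flagging plain DNS sent past the local resolver and HTTPS/TLS sessions to known public DoH/DoT endpoints. The resolver address, LAN range, flow-record layout and the endpoint list are assumptions for the example; the policy deliberately exempts the local resolver's own upstream queries, which would otherwise trip the same rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed home-network policy (constructed values): one local resolver, such as
# a Pi-hole, is the only host allowed to send plain DNS off the LAN.
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.2")
LAN = ipaddress.ip_network("192.168.1.0/24")

# Operator-maintained list of well-known public DoH hostnames and the anycast
# addresses behind them; extend as needed. Matching by address alone on 443 can
# misfire on shared infrastructure, so the SNI match is the stronger signal.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}
DOH_ADDRS = {ipaddress.ip_address(a) for a in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1")}


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    sni: Optional[str]


def parse_flow(line):
    """Parse one constructed record: 'ts src dst dport sni' with '-' for no SNI."""
    ts, src, dst, dport, sni = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), None if sni == "-" else sni)


def classify(flow):
    """Return a verdict for one flow under the local-resolver-only policy."""
    if flow.src == LOCAL_RESOLVER:
        # The resolver's own upstream queries are the one permitted exception.
        return "ok"
    if flow.dport == 53 and flow.dst != LOCAL_RESOLVER:
        return "dns-bypass"
    if flow.dport == 853:
        # DNS over TLS uses a dedicated port, so the port alone is decisive.
        return "encrypted-dns-bypass"
    if flow.dport == 443 and (flow.sni in DOH_HOSTS or flow.dst in DOH_ADDRS):
        return "encrypted-dns-bypass"
    return "ok"


def audit(lines):
    """Return (ts, src, verdict) for every flow that violates the policy."""
    hits = []
    for flow in map(parse_flow, lines):
        verdict = classify(flow)
        if verdict != "ok":
            hits.append((flow.ts, str(flow.src), verdict))
    return hits


# Constructed sample flows using RFC 5737 test addresses for non-resolver hosts.
SAMPLE_FLOWS = [
    "1 192.168.1.20 192.168.1.2 53 -",                 # normal query to the Pi-hole
    "2 192.168.1.20 8.8.8.8 53 -",                     # device skipping the local resolver
    "3 192.168.1.30 1.1.1.1 443 cloudflare-dns.com",   # DoH by SNI
    "4 192.168.1.2 198.51.100.7 53 -",                 # the resolver's own upstream
    "5 192.168.1.40 203.0.113.5 443 example.com",      # ordinary HTTPS
    "6 192.168.1.50 8.8.8.8 853 -",                    # DoT to a public resolver
]

if __name__ == "__main__":
    for ts, src, verdict in audit(SAMPLE_FLOWS):
        print("flow %s from %s: %s" % (ts, src, verdict))
```

Two caveats a practitioner should keep in mind: the SNI may be absent or encrypted, in which case only the destination address is left to match, and some of the listed addresses also serve plain DNS and other content, so the address rule is a triage signal rather than proof that a device is tunnelling its lookups.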
  2. RNG (edited)

    There seemed to be other discussions around the web about the perceived benefits and dangers of browsers implementing DoH by default across the web a few months back [1] [2].

    It is often discussed either in the context of protecting your privacy from ISPs, concerns about centralizing DNS resolution in the hands of Cloudflare and Google, concerns about DNS filtering (something that's largely mitigated), or in the context of making DNS-based threat hunting more difficult (presumably key DoH resolving IPs would be blocked, though the idea of basing any significant portion of one's security posture on DNS filtering / monitoring is rather dubious.)

    On the latter point, it seems that we are certainly in a post-DoH world, and malware is actively obfuscating its DNS requests. I doubt many organizations are blocking requests to google.com, which is what served this request (the placement of Base64-encoded IPs in the returned record is incredibly interesting.) If you found this interesting, the discussion and linked article for the first discovered DoH malware on r/netsec is quite a treat (from about a year ago) [3]. Finally, this SANS white paper on the subject is a worthwhile read if you are a security practitioner [4].

    [1] Tildes: Firefox has started enabling DNS-over-HTTPS by default for all US-based users

    [2] Hacker News: DNS-over-HTTPS (Chrome)

    [3] r/netsec: First malware known to have used DNS over HTTPS

    [4] SANS Institute: A New Needle and Haystack: Detecting DNS over HTTPS Usage

    2 votes
    1. heavyset_go

      > I doubt many organizations are blocking requests to google.com

      I already do this on my network because I will get ads on my Android devices and Chromecast apps otherwise. It's simple to implement and I hope more people do this.

      1 vote
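RNG's comment above singles out the detail that the malware's answer came back as a record carrying Base64-encoded IPs. As an added example (not code from the thread, the linked article, or any project named here), the script below takes a DoH response in the JSON shape public resolvers return for `application/dns-json` queries (an assumption about the format) and flags TXT answers whose entire payload is one Base64 token that decodes to IPv4 addresses. Legitimate TXT data such as SPF or DKIM almost never looks like that, so the heuristic is cheap to run over DoH traffic you already terminate or over resolver logs. The sample response is constructed with RFC 5737 test addresses.

```python
import base64
import binascii
import ipaddress
import re

# DNS RR type code for TXT (RFC 1035).
TXT_TYPE = 16
# Whole-string Base64 check: standard alphabet, optional trailing padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Dotted-quad candidates; each is validated with the ipaddress module afterwards.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def decode_base64_txt(data):
    """Return the decoded bytes if a TXT payload is a single Base64 token, else None.

    Resolver JSON wraps TXT strings in literal double quotes, so strip those first.
    """
    token = data.strip().strip('"')
    if len(token) < 8 or len(token) % 4 or not B64_RE.match(token):
        return None
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_ipv4(blob):
    """List every syntactically valid IPv4 address found in a decoded blob."""
    text = blob.decode("ascii", errors="ignore")
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            found.append(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255
    return found


def suspicious_txt_answers(doh_response):
    """Flag TXT answers whose Base64 payload decodes to IPv4 addresses.

    Returns a list of {"name": ..., "ips": [...]} entries; an empty list means
    nothing matched. This is a triage signal, not proof of malice.
    """
    findings = []
    for answer in doh_response.get("Answer", []):
        if answer.get("type") != TXT_TYPE:
            continue
        decoded = decode_base64_txt(answer.get("data", ""))
        if decoded is None:
            continue
        ips = extract_ipv4(decoded)
        if ips:
            findings.append({"name": answer.get("name"), "ips": ips})
    return findings


# Constructed sample response (assumed dns-json layout): one ordinary SPF
# record, one TXT record hiding two addresses, and an unrelated A record.
HIDDEN_PAYLOAD = base64.b64encode(b"198.51.100.23;203.0.113.9").decode()
SAMPLE_RESPONSE = {
    "Status": 0,
    "Answer": [
        {"name": "example.com.", "type": TXT_TYPE, "TTL": 300,
         "data": "\"v=spf1 include:_spf.example.com ~all\""},
        {"name": "lookup.example.net.", "type": TXT_TYPE, "TTL": 60,
         "data": "\"%s\"" % HIDDEN_PAYLOAD},
        {"name": "example.com.", "type": 1, "TTL": 300, "data": "192.0.2.10"},
    ],
}

if __name__ == "__main__":
    for hit in suspicious_txt_answers(SAMPLE_RESPONSE):
        print("suspicious TXT for %s -> %s" % (hit["name"], ", ".join(hit["ips"])))
```

The check is deliberately narrow: it only fires when the whole TXT string is valid Base64 and the decoded bytes contain dotted quads, so DKIM keys (Base64, but decoding to key material rather than addresses) and SPF strings pass through untouched. Extending it to IPv6 or to hostnames inside the decoded blob is straightforward once you have a corpus to tune the false-positive rate against.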
  3. skybrian

    Ultimately it would be better for security if all programs were sandboxed so they don’t get to make arbitrary network connections by default. I think web browsers are a reasonable exception, though? This is trusted software acting on the user’s behalf.

    Even with sandboxing, though, there is the question of how to manage the sandbox permissions, and most users don’t want to deal with that much.

    2 votes