Dear Mr. CISO,

I’m sure you have DLP (Data Loss Prevention) products. Please tell me your security team does. Maybe they have endpoint DLP, storage DLP, or cloud DLP solutions in place. I’m doing my job if they have all three, laid out in a comprehensive security framework.

I’m sure you have a next-generation firewall. Please tell me your firewall administrators no longer look at just ports and protocols. Maybe, in addition to application-awareness, they have threat prevention, and cloud sandboxing turned on. Maybe they even have “extension” into the switching and routing layers of the network and are able to block threats at the nearest access point. I’m doing my job if your team has all of this laid out in a comprehensive security framework.

Your guys are good. They have DLP, NGFW, and even user identification, authentication, multi-factor authentication. They’ve got it DOWN!

Congratulations, they’re not done…. Security is a journey, not a destination. Part of our industry is the striving for that unreachable day of perfect security. Even if we took the internet down, stopped having data centers, and never connected two computers together, we’d still have security threats. Our mission is never-ending and always evolving.

So, you have all these solutions in place…. How are malicious entities still stealing your data? Through one of the oldest protocols out there.

DNS. Through the Domain Name System. They’re not “exploiting” vulnerabilities, they’re not finding holes in the firewall, they’re not compromising hosts, servers, or underlying protocols. They’re using the DNS protocol in an expected fashion.

Your users are sending DNS queries with encoded data inside of them.

“Well, we block DNS from our users at our firewall.” Good for you: your internal DNS servers are forwarding the exfiltrated data out to the Internet on their behalf.

“Well, our next-gen firewall would block this.” Ah, but would it really? Your next-generation firewall looks for applications not behaving normally. It runs the data through malicious behavior engines and cloud sandboxing. DNS exfiltration uses perfectly normal DNS requests and sends partial files via hex encoding, one chunk per query name. Your firewall sees this traffic as normal DNS; it never sees a file, only encoded labels. So your file-aware firewalls can’t block Personally Identifiable Information (PII) from leaving.
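The defender’s side of the paragraph above, as an added example that is not from the original letter: a small resolver-log check that groups hex-looking subdomain labels by owner domain and flags domains that receive several of them, which is the shape hex-encoded file chunks take. The query names, the domain exfil-demo.test, and the encoded text are all constructed for the demo; a real tool should replace the “last two labels” domain rule with the public suffix list.

```python
import re
from collections import defaultdict

# Constructed sample of DNS query names as a resolver log might record them
# (not real traffic). Three labels under exfil-demo.test carry hex-encoded text.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "4a616e6520446f65.exfil-demo.test",
    "cdn.static-content.net",
    "2c2053534e20303030.exfil-demo.test",
    "2d30302d30303030.exfil-demo.test",
    "www.example.com",
]

# A label that is nothing but hex digits, even length, 16+ chars: the shape a
# hex-encoded file chunk takes when it is carried in a subdomain label.
HEX_CHUNK = re.compile(r"^(?:[0-9a-f]{2}){8,}$")


def registered_domain(name: str) -> str:
    """Crude 'last two labels' owner domain (assumption: no multi-label public suffixes)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def hex_chunks(name: str) -> list[str]:
    """Return the hex-looking labels of a query name, excluding the owner domain."""
    labels = name.lower().rstrip(".").split(".")
    return [lab for lab in labels[:-2] if HEX_CHUNK.match(lab)]


def flag_domains(queries, min_chunks: int = 3) -> dict[str, dict]:
    """Group hex-chunk queries by owner domain and report domains receiving at
    least min_chunks of them. One hex label can be a legitimate cache or session
    id, so the per-domain count is what keeps false positives down."""
    per_domain = defaultdict(list)
    for q in queries:
        for chunk in hex_chunks(q):
            per_domain[registered_domain(q)].append(chunk)
    report = {}
    for domain, chunks in per_domain.items():
        if len(chunks) >= min_chunks:
            payload = bytes.fromhex("".join(chunks))  # chunks in log order
            report[domain] = {
                "queries": len(chunks),
                "bytes": len(payload),
                # Decoding shows an analyst what left; non-ASCII bytes are replaced.
                "preview": payload.decode("ascii", errors="replace"),
            }
    return report


if __name__ == "__main__":
    for domain, info in flag_domains(SAMPLE_QUERIES).items():
        print(f"{domain}: {info['queries']} chunks, {info['bytes']} bytes -> {info['preview']!r}")
```

Run against a day of resolver logs, the same grouping also exposes the tell the letter describes: the outbound queries come from your own forwarders, so the source address is never the user’s workstation.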

So, we’re not done? Nope. How do we fix it?

Some of the ways you can protect yourself from DNS exfiltration:

  • Managed DNS
  • DNS Firewall
  • Threat Intelligence Feeds

– A Concerned Information Security Citizen
