Gustavo Mendes Carvalho | Aerospace, Defense and Security | everis Brazil

DNS Data Collection and Transfer

This article discusses the use of the DNS service to collect data (exfiltration) and to send commands in order to carry out an attack (Command & Control, C2). The following website provides further information on the DNS service and what it is used for: https://www.verisign.com/en_US/website-presence/online/how-dns-works/index.xhtml

When we are at home or at work and want to access a website (for instance everis.com or google.com), our device sends a query to DNS servers on the Internet and retrieves the IP address required to reach the website in our browser.

This means that if our protection (firewall, proxy, IPS) did not allow this type of traffic to leave the source and reach the corresponding servers, neither Internet access nor email exchange would work. This is why all traffic on port UDP/53 is allowed to reach any DNS server in the world without restriction, as can be seen in the firewall rules.
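The two points above (DNS as a channel for exfiltration and C2, and firewalls that let any client reach any resolver on UDP/53) are what a defender would look for in resolver logs. The following Python script is an added example, not code from the article or from everis: it parses a constructed sample of query log lines and flags three things: queries sent to a resolver other than the sanctioned internal one, long high-entropy labels that look like encoded payload, and a client generating many distinct subdomains under a single domain. The log format, the sample lines, the resolver address and the thresholds are all assumptions.

```python
"""Detect DNS-tunnelling / exfiltration indicators in resolver query logs.

Added example (not from the article). The log format, the sample lines,
the sanctioned resolver and the thresholds are assumptions; tune them
against a baseline of your own traffic before relying on them.
"""
import math
from collections import defaultdict

# Constructed sample log: "<timestamp> <client_ip> <resolver_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2020-05-01T10:00:01 10.1.2.15 10.1.0.53 A www.google.com
2020-05-01T10:00:02 10.1.2.15 10.1.0.53 A everis.com
2020-05-01T10:00:03 10.1.2.15 10.1.0.53 A static-assets-cdn.example.org
2020-05-01T10:00:04 10.1.2.77 10.1.0.53 TXT 7c2e9a4f1d6b0358.tunnel.example
2020-05-01T10:00:05 10.1.2.77 10.1.0.53 TXT b5e0a9c3f2d71648.tunnel.example
2020-05-01T10:00:06 10.1.2.77 10.1.0.53 TXT d48f3a1e6c07b925.tunnel.example
2020-05-01T10:00:07 10.1.2.77 10.1.0.53 TXT 1e7b4c9d2a6f8053.tunnel.example
2020-05-01T10:00:08 10.1.2.99 8.8.8.8 A www.example.net
"""

# Assumed policy: only the internal resolver may be reached on UDP/53;
# a query to any other resolver means the firewall rule is too permissive.
SANCTIONED_RESOLVERS = {"10.1.0.53"}

# Assumed thresholds (tune per environment).
MIN_LABEL_LEN = 12       # labels at least this long are examined for randomness
ENTROPY_THRESHOLD = 3.5  # bits per character; hex/base32/base64 payloads score high
CHURN_THRESHOLD = 3      # distinct subdomains per (client, domain) before alerting


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain_labels, registered_domain).

    Simplification: the registered domain is taken as the last two labels.
    Production code should use the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, resolver, qtype, qname) tuples from the assumed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        _ts, client, resolver, qtype, qname = parts
        yield client, resolver, qtype, qname


def analyze(text: str, sanctioned=SANCTIONED_RESOLVERS):
    """Return a list of findings: {client, qname, reasons}."""
    findings = []
    churn = defaultdict(set)  # (client, registered_domain) -> distinct subdomains

    for client, resolver, qtype, qname in parse_log(text):
        reasons = []
        sub_labels, domain = split_name(qname)

        # 1. Policy check: traffic should only reach the sanctioned resolver.
        if resolver not in sanctioned:
            reasons.append(f"unsanctioned resolver {resolver}")

        # 2. Payload-like label: long and high entropy (encoded data, not a hostname).
        for label in sub_labels:
            if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
                reasons.append(f"high-entropy label {label}")
                break

        # 3. Churn: one client producing many distinct subdomains under one domain.
        if sub_labels:
            key = (client, domain)
            churn[key].add(".".join(sub_labels))
            if len(churn[key]) >= CHURN_THRESHOLD:
                reasons.append(f"{len(churn[key])} distinct subdomains under {domain}")

        if reasons:
            findings.append({"client": client, "qname": qname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['client']:12} {f['qname']:40} {'; '.join(f['reasons'])}")
```

On the sample, the three ordinary lookups pass (the long but human-readable `static-assets-cdn` label scores well under the entropy threshold), the four queries under `tunnel.example` are flagged for their high-entropy labels and, from the third one on, for subdomain churn, and the query to 8.8.8.8 is flagged purely on policy, which is the finding that points back at the overly permissive UDP/53 firewall rule.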


Recommendations

The following recommendations will help avoid this problem:

