ISC StormCast for Monday, January 18th, 2021
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 18 January 2021
⏱️ 5 minutes
Transcript
| 0:00.0 | Hello, welcome to the Monday, January 18th, 2021 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and I'm recording from Jacksonville, Florida. |
| 0:13.2 | This weekend, Guy wrote a diary about some scans that he saw in his honeypots looking for DNS over HTTP endpoints. |
| 0:23.8 | So what these scans are looking for are systems that are configured to accept recursive requests |
| 0:31.2 | via DNS over HTTP. DNS over HTTP, of course, has sort of caused a big stir these last couple years as browsers, |
| 0:40.9 | sort of more and more embraced it as a more privacy-preserving protocol. |
| 0:46.3 | The countermeasure often deployed by enterprises is to block access to certain DNS over |
| 0:53.9 | HTTP services, like the well-knowns, like, for example, Cloudflare, Google, and the like. |
| 1:00.1 | So if a company does block these well-known DNS over HTTPS services, an attacker may choose to use, well, a private service that someone put up, and they're not really all that |
| 1:13.1 | difficult to set up. For traditional DNS servers, we often have attackers scan for resolvers |
| 1:20.8 | in order to use them in denial of service attacks. Now, this is not really an issue when it comes |
| 1:26.6 | to DNS over HTTP due to the use of |
| 1:30.3 | TCP and then of course also TLS. There is little to no chance that they are used for these |
| 1:37.8 | amplified reflective attacks that we have seen with traditional DNS recursive servers. |
| 1:45.0 | But instead, well, they may use them to evade corporate filtering policies, |
| 1:51.0 | and of course could also be used then for attacks or just to anonymize queries. |
| 1:57.0 | So how do you block DNS over HTTP if a non-published endpoint is used? Well, in my opinion, |
| 2:05.1 | it's actually a much easier question, really. It really comes down to: do you intercept TLS? |
| 2:12.0 | If you do intercept TLS, it's pretty straightforward based on the content type to figure out that a certain |
| 2:19.7 | HTTP request is a DNS over HTTP request. |
| 2:23.5 | And then you can log them, you can block them, or whatever. |
| 2:27.6 | If you do not intercept TLS to decrypt it, then you pretty much have already lost the battle. |
| 2:37.8 | Really, DNS over HTTP is not going to make a big difference. |