Hey everyone, I have a thick firewall for my apps but as usual outgoing DNS connections are allowed (the app can make DNS queries but nothing else). Today I learned that a malicious app can exfiltrate data and receive commands just by making specialized DNS queries: https://www.youtube.com/watch?v=hpFr8aioloU
The presenter talks about a possible way to block this using dnsmasq but I couldn't understand how.
I am using OpenWRT's dnsmasq with default settings, forwarding to Adguard's public DNS Server: 94.140.14.14
Can someone shed some light on this? Or tell us how to block such specialized DNS queries.
Are you saying your network is currently infected by such malware, or are you simply trying to block the possibility of such attacks?
Yes, in theory this kind of attack is possible, and simply changing your DNS server wouldn't necessarily stop it.
DNS leak testing sites use the same concept. They send unique data in a DNS query, eventually the recursion will check the appropriate domain (and hence its authoritative DNS server) and pass this data to the server. The server likewise replies with a response to the query (as expected). While the purpose in leak testing is to identify the SRC IP of the querying server, it can also be a 2-way communications channel.
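To make the mechanism described in the reply above concrete, here is an added example (not code from the video, the thread, or any participant) showing both halves of such a channel and one way to spot it in dnsmasq's `log-queries` output on the router. The client side packs data into base32 labels of query names under an attacker-controlled zone, so the recursive resolver is forced to forward every query to that zone's authoritative server, which reassembles the payload; replies carry commands the same way in the rdata. The detector groups logged queries by zone and flags zones that show several tunnelling traits at once. The zone `c2.example`, the sample payload and the log lines are constructed for the example.

```python
"""Added example (not part of the forum thread): data smuggled through DNS
query names, reassembled at the authoritative side, and a heuristic that
flags such traffic in dnsmasq `log-queries` lines. Zone and logs are constructed."""
import base64
import math
import re
from collections import defaultdict

MAX_LABEL = 63                # RFC 1035: a label is at most 63 octets
TUNNEL_ZONE = "c2.example"    # hypothetical attacker-controlled zone
LOG_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<src>\S+)")


def encode_chunks(payload: bytes, zone: str = TUNNEL_ZONE, chunk: int = 20):
    """Client side: split payload into base32 labels (DNS names are case-
    insensitive, so base64 would be mangled by case-folding resolvers) and
    prefix each with a sequence number so the server can reorder them."""
    names = []
    for seq, i in enumerate(range(0, len(payload), chunk)):
        label = base64.b32encode(payload[i:i + chunk]).decode().rstrip("=").lower()
        assert len(label) <= MAX_LABEL
        names.append(f"{seq}.{label}.{zone}")
    return names


def decode_chunks(names, zone: str = TUNNEL_ZONE) -> bytes:
    """Authoritative side: strip the zone, restore base32 padding, decode and
    reassemble by sequence number. Commands flow back the same way in TXT rdata."""
    suffix = "." + zone
    parts = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        seq, label = name[:-len(suffix)].split(".", 1)
        label = label.upper() + "=" * (-len(label) % 8)
        parts[int(seq)] = base64.b32decode(label)
    return b"".join(parts[k] for k in sorted(parts))


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def flag_tunnel_candidates(log_lines, min_unique=5, max_label=40, min_entropy=3.5):
    """Group dnsmasq query log lines by zone (last two labels; a public suffix
    list would be more accurate) and return zones showing at least two traits:
    many distinct subdomains, long labels, high-entropy labels, TXT/NULL types."""
    subs_by_zone, qtypes_by_zone = defaultdict(set), defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        labels = m["name"].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue
        zone = ".".join(labels[-2:])
        subs_by_zone[zone].add(".".join(labels[:-2]))
        qtypes_by_zone[zone].add(m["qtype"].upper())
    findings = {}
    for zone, subs in subs_by_zone.items():
        reasons = []
        if len(subs) >= min_unique:
            reasons.append(f"{len(subs)} distinct subdomains")
        longest = max(len(lab) for s in subs for lab in s.split("."))
        if longest > max_label:
            reasons.append(f"label of {longest} chars")
        entropy = max(shannon_entropy(s.replace(".", "")) for s in subs)
        if entropy >= min_entropy:
            reasons.append(f"label entropy {entropy:.1f} bits/char")
        odd = qtypes_by_zone[zone] & {"TXT", "NULL"}
        if odd:
            reasons.append("query type " + "/".join(sorted(odd)))
        if len(reasons) >= 2:
            findings[zone] = reasons
    return findings


def demo():
    """Constructed traffic: an exfiltration burst mixed with normal browsing."""
    secret = (b"user=alice;card=4111111111111111;exp=12/29;cvv=123;"
              b"ip=192.168.1.10;host=lab-pc;os=win10;note=exfil-test")
    tunnel = encode_chunks(secret)
    assert decode_chunks(tunnel) == secret
    benign = ["www.openwrt.org", "forum.openwrt.org", "d1abc2.cloudfront.net"]
    lines = [f"Mar  3 10:00:{i:02d} dnsmasq[1234]: query[A] {n} from 192.168.1.10"
             for i, n in enumerate(benign)]
    lines += [f"Mar  3 10:01:{i:02d} dnsmasq[1234]: query[TXT] {n} from 192.168.1.10"
              for i, n in enumerate(tunnel)]
    return flag_tunnel_candidates(lines)


if __name__ == "__main__":
    for zone, why in demo().items():
        print(zone, "->", "; ".join(why))
```

Note what this does and does not buy you: a blocklist-based upstream resolver only helps once the zone is known, whereas the heuristics here work on traffic shape, so they can catch a fresh zone but will also need tuning (CDN hostnames, DNSBL lookups and DoH/DoT clients all produce odd-looking names). Thresholds are a starting point, not a verdict.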
I am simply trying to block the possibility of such attacks (an app exfiltrating data and receiving commands by making specialized DNS queries).
My suggestion would be to:
- Run AdBlock on your router and enable the malware list
and/or
- Configure your WAN DNSs for a malware blocking DNS service (e.g. CloudFlare's 1.1.1.2)