#1 sky-knight (Untangle Ninja): Malware using SSL protected DNS in the wild

    https://www.zdnet.com/article/first-...ttps-protocol/

DOH runs over TCP 443 just like the rest of HTTPS.
    DOT runs over TCP 853.

    Which means the bad guys can bypass DNS reputation checks on current security systems by simply using either of these protocols.

    The ability to do a reputation based firewall rule off the new web filter engine cannot come fast enough.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#2 jcoehoorn (Untangle Ninja)
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 15.1.0 to protect 500Mbits for ~450 residential college students and associated staff and faculty

#3 Untanglit

    DOT should be simple to block. Just disable outbound port 853.

    DOH, on the other hand, is another stupid protocol that is gonna be a disaster from a security perspective.

#4 Newbie

Did anyone figure out how to block DNS-over-HTTPS using the SSL Inspector? There are some known DoH resolver lists available, but if an attacker runs his own DoH resolver then the blacklist is useless. And to make it more annoying, some devices that can't have custom certificates installed, and that therefore need to be bypassed, will just end up blocked/disconnected.

    I would love any input on this if possible. Thanks!

#5 sky-knight (Untangle Ninja)

    Untangle's Web Filter doesn't rely on a DNS session to be filtered. And you don't have to break into the SSL stream to filter either. There are three options at the top of Web Filter's advanced tab at play here. And while the solution isn't perfect, it does actually work.

    So bypassing Untangle's DNS structure isn't going to get you around the filters.

#6 Newbie

    Thanks for the reply!

    When you say the advanced tab, the only options available are these:
[attached screenshot: 2019-07-22 14_15_21-Window.png]

    The problem is that this is not enough to block DNS-over-HTTPS, AFAIK the Web Filter would need a rule to look at the "HTTP Hostname" part of the URLs, for example:
[attached screenshot: 2019-07-22 14_17_59-Window.png]

    This rule catches DNS-over-HTTPS requests for "dns.google" for example, but what I really don't think we can mitigate is when the URL for the requests is inside the URL, for example: google.com/dns. In this case, if an attacker or some service doesn't clearly use *dns* at the domain we wouldn't be able to see the request.
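The concern in this post is that a hostname rule only catches resolvers whose name contains "dns". As an added example (not Untangle code and not from the forum), the classifier below flags a decrypted HTTP request as DNS-over-HTTPS from the RFC 8484 wire signals instead: the application/dns-message media type, the /dns-query path, a base64url "dns" query parameter, or a wire-format DNS body on POST. The HttpRequest type and the sample query are constructed for the demo.

```python
import base64
import re
from dataclasses import dataclass, field

# RFC 8484 markers: the wire-format media type, the conventional /dns-query
# path, and the base64url-encoded "dns" query parameter used on GET.
DOH_MEDIA_TYPE = "application/dns-message"
DNS_PARAM_RE = re.compile(r"(?:^|&)dns=([A-Za-z0-9_-]+)(?:&|$)")

# Constructed sample: wire-format A query for example.com with message ID 0.
SAMPLE_QUERY = (b"\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")

@dataclass
class HttpRequest:          # hypothetical container for decrypted request metadata
    method: str
    host: str
    path: str               # path plus optional "?query"
    headers: dict = field(default_factory=dict)
    body: bytes = b""

def encode_dns_param(raw: bytes) -> str:
    """base64url without padding, as RFC 8484 specifies for the GET form."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def looks_like_dns_message(raw: bytes) -> bool:
    """Cheap sanity check: 12-byte DNS header, QDCOUNT >= 1, some question bytes."""
    return len(raw) >= 13 and int.from_bytes(raw[4:6], "big") >= 1

def doh_indicators(req: HttpRequest) -> list[str]:
    """List the RFC 8484 markers present. The hostname is deliberately not
    consulted, so a resolver at an innocuous name or path is still recognised."""
    found = []
    hdrs = {k.lower(): v.lower() for k, v in req.headers.items()}
    if DOH_MEDIA_TYPE in hdrs.get("accept", ""):
        found.append("accept:dns-message")
    if DOH_MEDIA_TYPE in hdrs.get("content-type", ""):
        found.append("content-type:dns-message")
    path, _, query = req.path.partition("?")
    if path.rstrip("/").endswith("/dns-query"):
        found.append("path:/dns-query")
    m = DNS_PARAM_RE.search(query)
    if m:
        padded = m.group(1) + "=" * (-len(m.group(1)) % 4)
        if looks_like_dns_message(base64.urlsafe_b64decode(padded)):
            found.append("get:dns-param")
    if req.method.upper() == "POST" and looks_like_dns_message(req.body):
        found.append("post:dns-body")
    return found

def is_doh(req: HttpRequest) -> bool:
    return bool(doh_indicators(req))
```

This only works on a decrypted stream (i.e. behind SSL Inspector); without decryption the SNI hostname is all the filter can see.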

#7 sky-knight (Untangle Ninja)

I never said it would block DNS over HTTPS, nor would I even recommend you attempt to do so. I said that the Web Filter works even if the DNS is being resolved elsewhere. It doesn't care about DNS, it uses DNS, but it cares about TCP 80 and TCP 443 sessions. And if it can't get into the SSL via SSL Inspector, it behaves based on those top three boxes. Which means traffic is still categorized, and managed.

#8 Newbie

    Thanks for the input, I understand that Web Filter only cares about TCP 80,443 and without the SSL Inspector, it can only verify the domain. I guess that for what I'm trying to do, having control over DNS-over-HTTPS, I'll end up having to MITM devices unfortunately.

#9 jcoffin (Untangler)

    Domain information is only available if SNI is given by the application (most modern browsers) but it is not mandatory. There are several applications which intentionally do not give SNI info. You are more likely to be successful in blocking this by using the Application Control rule "Block all TCP port 443 traffic that not HTTPS.". Beware this is not without some pain.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
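The point above is that SNI is what the filter keys on, and that a client is free to omit it. As an added example (not Untangle code and not from the forum), the snippet builds a minimal constructed TLS ClientHello with or without an SNI extension, parses the SNI back out of the record, and labels a TCP/443 payload the three ways a "block what is not HTTPS on 443" rule has to distinguish: TLS with SNI, TLS without SNI, and not TLS at all.

```python
import struct

def build_client_hello(server_name=None) -> bytes:
    """Constructed minimal TLS ClientHello record for the demo: one cipher suite,
    zeroed random, no session id, and an SNI extension only if a name is given."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sni_list)) + sni_list  # ext type 0 = SNI
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                               # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record: bytes):
    """SNI host name from a ClientHello record, None if it carries no SNI,
    ValueError if the bytes are not a TLS handshake record with a ClientHello."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    p = 9 + 2 + 32                                        # record+hs headers, version, random
    p += 1 + record[p]                                    # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]      # cipher suites
    p += 1 + record[p]                                    # compression methods
    if p + 2 > len(record):
        return None                                       # no extensions block at all
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if ext_type == 0 and ext_len >= 5:                # list len(2), type(1), name len(2)
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("idna")
        p += ext_len
    return None

def classify_443(payload: bytes) -> str:
    """Label the first client bytes on TCP/443 the way a 'non-HTTPS on 443'
    rule has to: 'sni:<host>', 'tls-no-sni', or 'not-tls'."""
    try:
        sni = extract_sni(payload)
    except ValueError:
        return "not-tls"
    return f"sni:{sni}" if sni else "tls-no-sni"
```

Only the SNI-less and non-TLS buckets are something a hostname-based web filter cannot categorize, which is where the "some pain" comes from: legitimate apps land in those buckets too.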

#10 jcoehoorn (Untangle Ninja)

Quote originally posted by jcoffin: "some pain"

And with that, we have my nomination for understatement of the year.