Hacker News new | ask | show | jobs
by jlgaddis 2182 days ago
In a corporate network, it's pretty common to block all outgoing DNS traffic (53/TCP and 53/UDP), except from the company's DNS servers.

In that case, DoH does let malware do something new -- block the company's existing DNS policies, quert logging, and security monitoring!
2 comments
jefftk 2182 days ago
DoH is a protocol for using HTTPS to learn what IPs to talk to.

Malware does not need DoH to do this. They can simply run an ordinary HTTPS server with a self-signed cert on an arbitrary IP, with a simple JSON-based or whatever protocol, and have support for that in their client.

link
jlgaddis 2182 days ago
> Malware does not need DoH to do this.

Yes, you're right, of course.

There are any number of things that malware can do. Most of it doesn't, however, and can either be stopped completely or, at the least, detected quite easily using some basic techniques.

link
topranks 2182 days ago
Not really.

Malware could always use some proprietary wrapping in TLS to hide name resolution.

Domain fronting through Azure is still a thing for instance.

link