Exactly. A coworker and I used to challenge each other to a game of red-team/blue-team with DNS exfil. I ran the DNS servers. He would exfil data or download malicious payloads. I had to detect and ideally block his shenanigans. Rate limiting per IP and per domain slowed him down, but didn't stop him. Tools like Snort and Bro or enterprise firewalls will see this too, but there are plenty of ways to evade corporate firewalls.
DoH makes this harder. You have to either block all the public DoH servers (never-ending arms race) or intercept all outbound connections, which very few companies are willing to do, either for privacy or cert management reasons. There are other rabbit holes here as well that would take all day to explain.
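The detection side of the game described above, as an added example that is not part of the original comment: a small Python detector that runs over constructed resolver query logs and flags the per-client, per-zone patterns a tunnel leaves behind (many queries, almost every subdomain unique, long high-entropy first labels). The log format, the thresholds and the last-two-labels zone heuristic are assumptions made for this example, not anything from the poster's setup.

```python
"""Toy DNS-tunnel detector over constructed resolver query logs.

Added example. Log format, thresholds and the zone heuristic are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<timestamp> <client-ip> <qname> <qtype>".
# Lines 3-8 imitate a client pushing encoded chunks as unique subdomains of one zone.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 www.example.com A
2024-05-01T10:00:01Z 10.0.0.5 mail.example.com MX
2024-05-01T10:00:02Z 10.0.0.5 2f3a9c1e7b4d8f60a1b2c3d4e5f60718.t.example.net TXT
2024-05-01T10:00:02Z 10.0.0.5 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.t.example.net TXT
2024-05-01T10:00:03Z 10.0.0.5 0a1b2c3d4e5f60718293a4b5c6d7e8f9.t.example.net TXT
2024-05-01T10:00:03Z 10.0.0.5 ffeeddccbbaa99887766554433221100.t.example.net TXT
2024-05-01T10:00:04Z 10.0.0.5 13579bdf02468ace13579bdf02468ace.t.example.net TXT
2024-05-01T10:00:04Z 10.0.0.5 deadbeefcafef00d0123456789abcdef.t.example.net TXT
2024-05-01T10:00:05Z 10.0.0.7 www.example.com A
2024-05-01T10:00:06Z 10.0.0.7 www.example.com A
2024-05-01T10:00:07Z 10.0.0.7 cdn.example.org A
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of one DNS label (encoded data scores high)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (first_label, subdomain_part, zone).

    Assumption: the zone is the last two labels. A real deployment would use the
    public suffix list so that e.g. example.co.uk is treated as one zone.
    """
    labels = qname.rstrip(".").lower().split(".")
    zone = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    return labels[0], sub, zone


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, client, qname, qtype)."""
    ts, client, qname, qtype = line.split()
    return ts, client, qname, qtype


def analyze(log_text: str, min_queries=5, min_unique_ratio=0.8,
            min_label_len=20, min_entropy=3.0):
    """Aggregate queries per (client, zone) and flag groups that look like encoded data.

    The rate-limit keys from the comment (per IP, per domain) are the grouping keys here;
    thresholds are arbitrary example values, not tuned numbers.
    """
    groups = defaultdict(lambda: {"queries": 0, "subs": set(),
                                  "label_len": 0, "entropy": 0.0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        _, client, qname, _ = parse_line(raw)
        first, sub, zone = split_qname(qname)
        g = groups[(client, zone)]
        g["queries"] += 1
        g["subs"].add(sub)                 # distinct subdomains seen under this zone
        g["label_len"] += len(first)       # length of the leftmost label
        g["entropy"] += shannon_entropy(first)

    report = {}
    for key, g in groups.items():
        n = g["queries"]
        stats = {
            "queries": n,
            "unique_ratio": len(g["subs"]) / n,
            "avg_label_len": g["label_len"] / n,
            "avg_entropy": g["entropy"] / n,
        }
        # Benign zones repeat a few short names; a tunnel burns a fresh long label per query.
        stats["suspicious"] = (
            n >= min_queries
            and stats["unique_ratio"] >= min_unique_ratio
            and stats["avg_label_len"] >= min_label_len
            and stats["avg_entropy"] >= min_entropy
        )
        report[key] = stats
    return report


if __name__ == "__main__":
    for (client, zone), s in sorted(analyze(SAMPLE_LOG).items()):
        flag = "SUSPICIOUS" if s["suspicious"] else "ok"
        print(f"{client:10} {zone:14} n={s['queries']:2} uniq={s['unique_ratio']:.2f} "
              f"len={s['avg_label_len']:5.1f} H={s['avg_entropy']:.2f} {flag}")
```

Grouping by client and zone is what makes this usable as a rate-limit or alert key rather than a per-query heuristic; on the sample only the `10.0.0.5` / `example.net` group trips all four conditions. The caveat is the one the comment makes about DoH: this only works where the resolver you run actually sees the queries, so a client that bypasses it over HTTPS leaves nothing in this log to analyze.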