You don't though. You can just disable it at Group Policy level. It's not like the OS is suddenly forcing all queries over DoH; it's a browser feature. Malware has to implement it, and if it wanted to, it could implement one of the many alternatives.
Correct, a malicious endpoint can tunnel queries out of a network using any permitted protocol if it desires. The existence or non-existence of DoH doesn't change that.
The existence of DoH is a vector that allows a malicious actor to hide their traffic within that of normal web traffic. Unless an organisation has full TLS interception, which is expensive financially and technically, they won't be able to detect that traffic.
There are many other vectors an attacker can use, but very few of them allow an attacker to blend into normal traffic.
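Short of full TLS interception, the one thing a network sensor can still see is the plaintext SNI in the ClientHello, so DoH to a publicly known resolver is detectable even though the queries themselves are not; this added example (not from the thread) parses that field and flags known resolver names, and the resolver list is an illustrative assumption. The limitation the replies above point at remains: a DoH endpoint the attacker runs on an arbitrary hostname classifies as ordinary HTTPS.

```python
import struct
from typing import Optional

# Illustrative set of public DoH resolver hostnames (assumption; use your own data)
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


def parse_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                   # skip client_version and random
    sid_len = record[p]; p += 1 + sid_len            # session id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2 + cs_len  # cipher suites
    cm_len = record[p]; p += 1 + cm_len              # compression methods
    if p + 2 > len(record):
        return None                                  # no extensions block at all
    ext_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
        if etype == 0:                               # server_name extension
            # list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return None


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal ClientHello carrying the given SNI (constructed test input)."""
    name = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"    # version, random, empty session id
            + b"\x00\x02\x13\x01"                    # one cipher suite
            + b"\x01\x00"                            # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def classify(record: bytes) -> str:
    """Label a ClientHello: known DoH resolver, some other HTTPS host, or no SNI."""
    sni = parse_sni(record)
    if sni is None:
        return "no-sni"
    return "doh-known" if sni in KNOWN_DOH_HOSTS else "other-https"
```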