I’m not aware of any products which yet support DNS over TLS monitoring, so I doubt it’s done at scale (there’s Palo Alto, but that’s just blocking at this stage). It will emerge tho.
Replying to @JaxxAI @no_scooters and
Aye that provides blocking, not monitoring and logging tho. Malware is only a small part of the security landscape, you see phishing etc using DNS. It’s not a big deal tho as security solutions will adapt, it’s similar with the mass move to SSL years back.
Replying to @GossiTheDog @no_scooters and
Would you agree that the strong push for SSL, while inconvenient for network monitoring, was a good thing? I get the pushback because it will require changes, but it is very clearly the right direction
Replying to @taviso @no_scooters and
It’s a good thing for consumers. For enterprises it raised the bar of security technical requirements, kinda feeds into security poverty for orgs that can’t invest in tooling.
Replying to @GossiTheDog @no_scooters and
I don't follow, it absolutely must be possible for Administrators to disable DoH via group policy, I don't think anybody claims otherwise? If you're Administrator, it's your endpoint and you can disable all privacy controls if you wish.
Replying to @taviso @GossiTheDog and
Wait, you can stop legitimate apps from using DoH from the registry, you cannot stop illegitimate ones from doing so. That's the problem here. Capturing all outbound udp53 traffic and scanning it is trivial. Not so for tcp443, even if the tooling was there.
Replying to @blaktron @GossiTheDog and
Correct, if you allow outbound https then malicious endpoints can tunnel DNS queries over it. The existence of DoH doesn't change that, and they can do it today with or without browser support.
We simply can't stop improving privacy because "malware might use it to exfiltrate", that's true for basically everything. If you vow to never enable anything on your network that malware can abuse, what will be left? Also, deploy whitelisting
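The gap the two replies above describe (udp/53 is easy to capture and scan, DNS tunnelled inside outbound tcp/443 is not) is usually approached on the defender side by matching TLS metadata against known resolver endpoints and an allowlist. The following is an added example, not code from anyone in the thread: the log format, the resolver watchlists and the sanctioned internal resolver name are assumptions, and the log lines are constructed.

```python
import re
from dataclasses import dataclass

# Assumed watchlists of a few widely published public DoH resolvers; a real
# deployment maintains its own list and adds its sanctioned enterprise resolver.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
KNOWN_DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
SANCTIONED_HOSTS = {"dns.corp.example"}  # hypothetical allowlisted enterprise resolver

# Hypothetical log format: <ts> <src_ip> <dst_ip>:<dst_port> sni=<name|-> bytes=<n>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) "
                     r"sni=(?P<sni>\S+) bytes=(?P<bytes>\d+)$")

@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    sni: str
    reason: str

def _known_host(sni):
    # exact match or any subdomain of a known DoH hostname
    return any(sni == h or sni.endswith("." + h) for h in KNOWN_DOH_HOSTS)

def classify(line):
    m = LINE_RE.match(line.strip())
    if not m or int(m["port"]) != 443:
        return None  # malformed, or not HTTPS (tcp/udp 53 is inspected elsewhere)
    sni, dst = m["sni"], m["dst"]
    if sni in SANCTIONED_HOSTS:
        return None  # allowlisted: the enterprise's own DoH resolver
    if _known_host(sni):
        return Finding(m["ts"], m["src"], dst, sni, "sni matches public DoH resolver")
    if dst in KNOWN_DOH_IPS:  # catches sessions with no or misleading SNI
        return Finding(m["ts"], m["src"], dst, sni, "dst is public DoH resolver IP")
    return None

def scan(log_text):
    return [f for f in map(classify, log_text.splitlines()) if f is not None]

# Constructed sample log (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = """\
2019-09-11T10:00:01Z 10.0.0.5 8.8.8.8:443 sni=dns.google bytes=612
2019-09-11T10:00:02Z 10.0.0.5 203.0.113.10:443 sni=mozilla.cloudflare-dns.com bytes=540
2019-09-11T10:00:03Z 10.0.0.7 203.0.113.20:443 sni=www.example.com bytes=9120
2019-09-11T10:00:04Z 10.0.0.9 1.1.1.1:443 sni=- bytes=480
2019-09-11T10:00:05Z 10.0.0.9 10.0.0.53:443 sni=dns.corp.example bytes=410
2019-09-11T10:00:06Z 10.0.0.7 8.8.8.8:53 sni=- bytes=90
"""
```

Running `scan(SAMPLE_LOG)` flags the first, second and fourth lines only; the allowlisted resolver and the plain port-53 query are left to the existing controls.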
Replying to @taviso @GossiTheDog and
How about browsers just respect the OS layer DNS settings by default? By making the choice for users they improve privacy for some at the expense of security for others.
Simple, because for a large number of users (including me) that is a bad default. Many users want to use free hotel wifi, visit coffee shops, have limited ISP choice, etc. If you always trust your network, just change the default, no problem?
Replying to @taviso @GossiTheDog and
Yeah I know, that's a good point. And likely even in some of the scenarios I'm worried about overall mobile users are better off. Forced change is bad for businesses though to a degree, even when the outcome is good. Why don't we just blame MS for not building native support in?