mycall 3 days ago

The wild part of DNS is that port 53 is typically open on firewalls and is excellent for data exfiltration/infiltration.

lormayna 3 days ago | parent | next [-]

In a corporate environment you must use only the company's internal DNS resolver, and it should be the only one that goes outside on port 53. This is a basic security measure to detect and block every attempt at DNS tunnelling or exfiltration.

tuwtuwtuwtuw 3 days ago | parent [-]

Even if you use the internal resolver you could exfiltrate the data.

lormayna 3 days ago | parent | next [-]

Yes, but an internal resolver has filtering and must be heavily monitored. If the DNS logs are sent to a SIEM, you will be detected quickly.

pixl97 3 days ago | parent | prev [-]

I mean, most of the time said company resolvers have a service that either blocks suspicious requests or only allows whitelisted domains.
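The detection lormayna and pixl97 describe (resolver logs shipped to a SIEM, suspicious names blocked or flagged), and the exfiltration channel mycall points out, worked through as an added example. This is not code posted by anyone in the thread: the log layout, the domains, the payload and the thresholds are all constructed for the demonstration. It encodes a small payload into query names the way a minimal tunnel client would, purely to produce realistic sample input, then runs per-query heuristics (over-long labels, high-entropy subdomain text) and a per-domain heuristic (many distinct subdomains under one registered domain) over the combined log.

```python
"""Heuristic detection of DNS tunnelling in resolver query logs.

Added example for this thread, not code posted by any participant.
Everything here is constructed: the log layout, the domains, the payload
and the thresholds. A production detector would use the Public Suffix List
for the domain split, a sliding time window and tuned thresholds.
"""
import binascii
import math
from collections import defaultdict

MAX_LABEL_LEN = 24          # assumed: ordinary hostnames rarely exceed this
ENTROPY_BITS = 3.2          # assumed: bits/char on the subdomain part
MIN_ENTROPY_SAMPLE = 20     # entropy is meaningless on very short strings
UNIQUE_SUBDOMAIN_LIMIT = 4  # assumed, set low for this tiny sample

# Constructed exfiltration payload and assumed attacker-controlled domain.
PAYLOAD = b"id,name,salary\n1,alice,4200\n2,bob,3900\n3,carol,5100\n4,dave,4800\n"
TUNNEL_DOMAIN = "cdn-metrics.example.net"
CHUNK = 16  # payload bytes per query -> one 32-char hex label


def build_tunnel_queries(payload: bytes, domain: str, chunk: int = CHUNK) -> list[str]:
    """Encode payload into query names the way a minimal tunnel client would.

    Used only to generate realistic sample input for the detector below.
    """
    names = []
    for seq, i in enumerate(range(0, len(payload), chunk)):
        hexed = binascii.hexlify(payload[i:i + chunk]).decode()
        names.append(f"{seq}.{hexed}.{domain}")
    return names


def shannon_entropy(s: str) -> float:
    """Bits per character of s: 4.0 for uniformly distributed hex, lower for words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple[str, str]:
    """Return (subdomain, registered_domain) using a naive last-two-labels rule.

    Assumption for the example; real code should consult the Public Suffix List
    so that names like host.example.co.uk are split correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(qname: str) -> list[str]:
    """Per-query indicators that a name is carrying encoded data."""
    sub, _ = split_name(qname)
    reasons = []
    if sub and max(len(label) for label in sub.split(".")) > MAX_LABEL_LEN:
        reasons.append("long_label")
    compact = sub.replace(".", "")
    if len(compact) >= MIN_ENTROPY_SAMPLE and shannon_entropy(compact) >= ENTROPY_BITS:
        reasons.append("high_entropy")
    return reasons


def detect(log_text: str) -> dict:
    """Run per-query and per-domain heuristics over '<ts> <client> <qtype> <qname>' lines."""
    flagged = {}                       # qname -> reasons
    subdomains = defaultdict(set)      # registered domain -> distinct subdomains seen
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                   # skip blank or malformed lines
        _ts, _client, _qtype, qname = parts
        sub, reg = split_name(qname)
        subdomains[reg].add(sub)
        reasons = score_query(qname)
        if reasons:
            flagged[qname] = reasons
    noisy = {reg: len(subs) for reg, subs in subdomains.items()
             if len(subs) >= UNIQUE_SUBDOMAIN_LIMIT}
    return {"flagged": flagged, "noisy_domains": noisy}


# Constructed sample log: a few benign lookups plus the tunnel queries above.
BENIGN = [
    "2024-05-01T10:00:01Z 10.0.0.5 A www.example.com",
    "2024-05-01T10:00:02Z 10.0.0.5 AAAA www.example.com",
    "2024-05-01T10:00:03Z 10.0.0.5 A mail.example.com",
    "2024-05-01T10:00:04Z 10.0.0.9 A static.example.org",
]
TUNNEL = [f"2024-05-01T10:00:{5 + i:02d}Z 10.0.0.7 TXT {q}"
          for i, q in enumerate(build_tunnel_queries(PAYLOAD, TUNNEL_DOMAIN))]
SAMPLE_LOG = "\n".join(BENIGN + TUNNEL)

if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for name, why in result["flagged"].items():
        print(f"FLAG {name}: {', '.join(why)}")
    for dom, n in result["noisy_domains"].items():
        print(f"NOISY {dom}: {n} distinct subdomains")
```

On the sample log every tunnel query is flagged for its 32-character hex label, and example.net shows up as a domain with an unusual number of distinct subdomains, while the benign lookups pass. The per-domain count is the signal that survives an attacker shortening labels and lowering entropy; in a SIEM it would be computed per client over a time window with a far higher threshold than the one used here for four sample queries.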

Sophira 3 days ago | parent | prev | next [-]

AFWall+ on Android is an example of this - even if an app is blocked, as long as it has Internet permission it can still make DNS requests, allowing for two-way communication despite the firewall.

nenenejej 3 days ago | parent | prev | next [-]

Is it? Most firewalls I see allow no inbound by default (although all outbound)

NegativeK 3 days ago | parent [-]

I assume they were referring to outbound.

But ideally it'd be blocked and all traffic would go through an internal caching resolver, right? To reduce internal latency and load on outside servers, but also to have records if needed and to block whack requests or responses if needed.

notepad0x90 3 days ago | parent | prev | next [-]

Highly detectable though. Modern NGFWs are all over this.

deoxykev 3 days ago | parent | prev [-]

And it typically works on captive portals too before payment.