Unless I am reading this wrong, they are not saying don't send your requests to Cloudflare, Apple, etc. I am not entirely privy to all this, but aren't they enterprise-grade DNS resolvers?
On my network? Absolutely, ability to inspect packets is absolutely essential. On a public network? Different story.
I’ve personally been engaged in incident response, and in many scenarios DNS is a control mechanism for malware, or malware uses it for various purposes. It’s often a key piece of evidence for reconstruction of an incident.
Raw IPs can be used as well, but that doesn’t negate my point.
> Raw IPs can be used as well, but that doesn’t negate my point.
And in fact, if you have enterprise-wide visibility on DNS requests, you have the opportunity to detect the use of an IP that was not returned in a request, making it immediately suspect.
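The correlation described in that reply, as an added example that is not part of the thread: join a resolver's answer log against a connection log and flag any outbound connection to an external IP that no prior DNS answer for that client returned. Both log formats, the sample records, and the `grace_seconds` allowance (for connections that reuse a cached or expired answer) are constructed assumptions for illustration; a real deployment would feed it resolver query logs and firewall or flow records.

```python
"""Flag outbound connections whose destination IP never appeared in a DNS answer.

Added illustration, not code from the thread. Log formats are constructed:
  DNS answer log : "<timestamp> <client_ip> <qname> <answer_ip> <ttl_seconds>"
  Connection log : "<timestamp> <src_ip> <dst_ip> <dst_port>"
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed sample data: a resolver's answer log for two internal clients.
DNS_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 www.example.com 93.184.216.34 300
2024-05-01T10:00:02Z 10.0.0.5 cdn.example.net 203.0.113.10 60
2024-05-01T10:05:00Z 10.0.0.7 mail.example.org 198.51.100.25 3600
"""

# Constructed sample data: outbound connections seen at the perimeter.
# 10:02:00 reuses an answer whose 60 s TTL has expired (cached by the OS).
# 10:03:00 and 10:07:00 go to IPs that no answer ever returned.
CONN_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 93.184.216.34 443
2024-05-01T10:00:03Z 10.0.0.5 203.0.113.10 443
2024-05-01T10:02:00Z 10.0.0.5 203.0.113.10 443
2024-05-01T10:03:00Z 10.0.0.5 198.51.100.77 8443
2024-05-01T10:04:00Z 10.0.0.5 10.0.0.20 445
2024-05-01T10:06:00Z 10.0.0.7 198.51.100.25 25
2024-05-01T10:07:00Z 10.0.0.9 192.0.2.44 4444
"""

# Internal ranges are skipped: east-west traffic often never touches DNS.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

Window = Tuple[datetime, datetime]          # (answer_seen_at, answer_valid_until)
Finding = Tuple[str, str, str, int]         # (timestamp, src_ip, dst_ip, dst_port)


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_dns_log(text: str) -> Dict[Tuple[str, str], List[Window]]:
    """Index answers by (client_ip, answer_ip) -> validity windows from the TTL."""
    answers: Dict[Tuple[str, str], List[Window]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _qname, answer_ip, ttl = line.split()
        seen = parse_ts(ts)
        answers[(client, answer_ip)].append((seen, seen + timedelta(seconds=int(ttl))))
    return answers


def find_unresolved_connections(dns_text: str, conn_text: str,
                                grace_seconds: int = 600) -> List[Finding]:
    """Return connections to external IPs that the same client never resolved.

    An answer covers a connection if it was seen before the connection and has
    not been expired for longer than `grace_seconds` (stale caches are common;
    that allowance is a tuning assumption, not a fixed rule).
    """
    answers = parse_dns_log(dns_text)
    grace = timedelta(seconds=grace_seconds)
    findings: List[Finding] = []
    for line in conn_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        if is_internal(dst):
            continue
        at = parse_ts(ts)
        covered = any(seen <= at <= until + grace
                      for seen, until in answers.get((src, dst), []))
        if not covered:
            findings.append((ts, src, dst, int(port)))
    return findings


if __name__ == "__main__":
    for ts, src, dst, port in find_unresolved_connections(DNS_LOG, CONN_LOG):
        print(f"{ts} {src} -> {dst}:{port}  no DNS answer returned this IP")
```

Matching is keyed per client on purpose: with resolver-level logging, a host that connects to an IP only another host resolved is still worth a look. Lowering `grace_seconds` to 0 also surfaces the TTL-expired reuse at 10:02:00, which is usually benign caching but is a useful knob when hunting for beaconing on long-lived connections.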