Encrypted DNS traffic indicating potential infection or evasion
Description
AlphaSOC has detected encrypted Domain Name System (DNS) activity within the network: DNS queries and responses carried over DNS over HTTPS (DoH, TCP/443) or DNS over TLS (DoT, TCP/853) rather than cleartext UDP/TCP port 53. These protocols improve privacy and protect against on-path tampering, but they also let a host resolve names without touching the organization's resolver, so threat actors can use them to bypass DNS-based security controls, exfiltrate data inside DNS messages, or establish covert command and control (C2) channels.
Impact
Encrypted DNS blinds controls that depend on seeing cleartext DNS: resolver query logs, sinkholing, response policy zones and domain-based content filtering no longer observe the affected host's lookups. This can enable malware to communicate with C2 servers, facilitate data exfiltration through the encrypted channel, and allow users to bypass content filtering policies.
Severity
Severity | Condition
---|---
Informational | Encrypted DNS traffic to a common destination
Low | Encrypted DNS traffic to an uncommon destination
Medium | High volume of encrypted DNS traffic
High | Encrypted DNS traffic to a server supporting non-ICANN TLDs
Investigation and Remediation
Investigate the source host and the destination resolver of the encrypted DNS traffic. Determine whether the activity is authorized and aligns with organizational policy; if it is not, identify the involved systems and users, and review endpoint, proxy and network logs for associated suspicious activity such as unusual outbound volume, connections following the resolver traffic, or processes other than a browser originating it. DoT is easy to control because it uses a dedicated port (TCP/853); DoH shares TCP/443 with ordinary web traffic and must be identified by destination, for example the TLS SNI or the IP address of a known DoH resolver. Controls include blocking known DoH and DoT servers at the egress, enforcing the corporate resolver through endpoint or browser policy (Firefox also disables its default DoH when the local resolver returns NXDOMAIN for the canary domain use-application-dns.net), or operating an internal encrypted DNS resolver so that users keep transport privacy while the organization retains query visibility.
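The following is an added example of the triage logic described above, written for this page; it is not AlphaSOC's detection code. It identifies DoT by destination port and DoH by the TLS SNI of a known resolver, aggregates bytes per source and destination, and applies the severity table. The resolver lists, the volume threshold and the flow records are all constructed assumptions; a real deployment would feed them from a maintained resolver list and actual flow or Zeek-style connection logs.

```python
"""Classify encrypted-DNS flows per the severity table (illustrative, constructed data)."""
from collections import defaultdict

DOT_PORT = 853  # DNS over TLS uses a dedicated port (RFC 7858)

# Assumed knowledge lists. COMMON is the subset of KNOWN that is widely used;
# anything KNOWN but not COMMON counts as an "uncommon destination".
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net",
                   "doh.example.net"}          # doh.example.net is a constructed name
COMMON_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
NON_ICANN_HOSTS = {"doh.altroot.example"}      # hypothetical resolver serving non-ICANN TLDs
HIGH_VOLUME_BYTES = 1_000_000                  # assumed per source/destination threshold


def classify_flow(flow):
    """Return (protocol, destination) if the flow looks like encrypted DNS, else None."""
    port, sni = flow["dst_port"], flow.get("sni")
    if port == DOT_PORT:
        # DoT is identified by port alone; fall back to the IP if no SNI was seen.
        return "DoT", sni or flow["dst_ip"]
    if port == 443 and sni and (sni in KNOWN_DOH_HOSTS or sni in NON_ICANN_HOSTS):
        # DoH shares 443 with normal HTTPS, so only a known resolver name qualifies.
        return "DoH", sni
    return None


def severity_for(dest, total_bytes):
    """Apply the severity table; higher conditions take precedence."""
    if dest in NON_ICANN_HOSTS:
        return "high"
    if total_bytes >= HIGH_VOLUME_BYTES:
        return "medium"
    if dest in COMMON_DOH_HOSTS:
        return "informational"
    return "low"


def assess(flows):
    """Aggregate encrypted-DNS flows per (src_ip, destination) and score each pair."""
    totals = defaultdict(int)
    protocol = {}
    for flow in flows:
        hit = classify_flow(flow)
        if hit is None:
            continue  # ordinary traffic, not encrypted DNS
        proto, dest = hit
        key = (flow["src_ip"], dest)
        totals[key] += flow["bytes"]
        protocol[key] = proto
    return {key: (protocol[key], severity_for(key[1], total))
            for key, total in totals.items()}


# Constructed flow records (documentation IP ranges; only the SNI identifies the resolver).
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dst_ip": "8.8.8.8", "dst_port": 853,
     "sni": "dns.google", "bytes": 1200},
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "dst_port": 443,
     "sni": "www.example.com", "bytes": 50_000},            # plain HTTPS, ignored
    {"src_ip": "10.0.0.9", "dst_ip": "192.0.2.10", "dst_port": 853,
     "sni": None, "bytes": 800},                            # DoT to an unknown IP
    {"src_ip": "10.0.0.9", "dst_ip": "203.0.113.4", "dst_port": 443,
     "sni": "doh.example.net", "bytes": 700_000},
    {"src_ip": "10.0.0.9", "dst_ip": "203.0.113.4", "dst_port": 443,
     "sni": "doh.example.net", "bytes": 600_000},           # pushes the pair over threshold
    {"src_ip": "10.0.0.12", "dst_ip": "203.0.113.9", "dst_port": 443,
     "sni": "doh.altroot.example", "bytes": 300},
]

if __name__ == "__main__":
    for (src, dest), (proto, sev) in sorted(assess(SAMPLE_FLOWS).items()):
        print(f"{src:<12} {dest:<22} {proto:<4} {sev}")
```

Precedence matters: a single request to a resolver that serves non-ICANN TLDs scores High regardless of volume, while heavy traffic to a well-known resolver is Medium rather than Informational, which is what the table intends.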
Known False Positives
- Web browsers with built-in DoH support that enable it by default, so the traffic originates from the browser rather than the operating system resolver
- Users who deliberately configure encrypted DNS to protect their privacy