
An estimated 18,000 companies were affected by the SolarWinds incident. Many of those companies had excellent inventory, logging and configuration control. You simply cannot detect DNS over HTTPS in the network without performing MITM.



Really, you can’t detect that if you’re on the machine?... and if you’re not on the machine or it’s acting differently to what the logs show. Isolate it until you can investigate.


Actually, no you could not detect that even from the machine performing the DoH. You could probably detect it if you attached a debugger and set a breakpoint on the resolve functions being used. May I ask what you do for a living?

Why even comment on things that you don't fully understand?


I'm a security engineer. It's pretty much my thing. I'm talking about logging it on the machine, that's not owned... and yes, you too can do it... I'm doing it right now. Even on my Raspberry Pi.

The detection part I think you're misunderstanding is that you need to compare what the machine is logging and what it's actually doing, by looking at network traffic, etc. Looking for parallax, differences between the two.


I am not misunderstanding anything. Let's terminate this conversation, I can see that it will not get anywhere.

It's amusing that you actually believe that you can 'check the logs' to detect all DoH being performed on the machine. Would you be willing to disclose your employer? "I can check the logs" sounds like something a naive systems administrator would say.

I'm glad that 'security' is your thing. The best thing about the internet is that you never know who you are talking to... Even when you meet people that wrote the parts of the operating system you're currently using.


I never said you could log all DoH. You’re not following what I’ve said. If you’re relying on DNS for your security posture in any way right now, you’re in a really bad place. Having those non-malicious DNS requests in the clear is a safety blanket at best. Check the default DoH resolver and the system's DoH logs. Then look at network traffic and then for gaps. Programs that use their own resolver and just mix it with their own TLS traffic can be observed, even without knowing the DNS record; the IP is enough.

Also feel free to Google me, creepy as it is. I’ve no idea why my specific employer would help this discussion in any way.

PS: the victims of SolarWinds had DNS and it didn’t help them. Expecting the attacker to use a known IOC or contact an obvious C&C domain is where the industry is at. My opinion is DoH will actually force blue teams to build systems that are effective. My chosen model is parallax. Known behavior, known states that can be checked.
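The "parallax" check the last two comments describe, as an added illustration that is not part of the thread: compare what a host's own resolver logged against the connections the host actually opened, and flag the gaps. The log formats, sample lines and the expected-resolver address are all constructed for the example.

```python
import re

# Constructed sample: what the host's stub resolver logged (hypothetical line format).
RESOLVER_LOG = """\
2024-01-10T10:00:01 query=updates.example.com answer=203.0.113.10
2024-01-10T10:00:02 query=cdn.example.net answer=198.51.100.7
"""

# Constructed sample: outbound connections the same host actually opened (hypothetical format).
CONN_LOG = """\
2024-01-10T10:00:01 tcp 203.0.113.10:443
2024-01-10T10:00:03 tcp 198.51.100.7:443
2024-01-10T10:00:04 tcp 192.0.2.55:443
2024-01-10T10:00:06 tcp 192.0.2.55:443
2024-01-10T10:00:07 udp 192.0.2.1:53
2024-01-10T10:00:08 udp 192.0.2.99:53
"""

# Resolver the host is configured to use for plain DNS (assumed; take it from config management).
EXPECTED_RESOLVERS = {"192.0.2.1"}

RESOLVER_RE = re.compile(r"^(\S+) query=(\S+) answer=(\S+)$")
CONN_RE = re.compile(r"^(\S+) (tcp|udp) (\S+):(\d+)$")

def answered_ips(resolver_log):
    """Set of IPs the resolver log can account for."""
    ips = set()
    for line in resolver_log.splitlines():
        m = RESOLVER_RE.match(line)
        if m:
            ips.add(m.group(3))
    return ips

def find_gaps(resolver_log, conn_log, expected_resolvers=EXPECTED_RESOLVERS):
    """Connections the resolver log cannot explain: the parallax between the two views."""
    known = answered_ips(resolver_log)
    gaps = []
    for line in conn_log.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        ts, _proto, ip, port = m.groups()
        if port == "53" and ip not in expected_resolvers:
            gaps.append({"ts": ts, "dst": ip, "reason": "dns-to-unexpected-resolver"})
        elif port == "443" and ip not in known:
            # TLS flow with no logged resolution: a client resolving for itself (DoH or a
            # hard-coded address). The IP alone is enough to raise the question.
            gaps.append({"ts": ts, "dst": ip, "reason": "tls-without-dns"})
    return gaps
```

In practice the connection view would come from a network tap or flow logs rather than the host itself, which is the point of comparing two independent sources.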
