Closed TonyWildish-BH closed 2 weeks ago
From Marcus, on the MS ticket above:
OK, I have a configuration that works.
This way we can have a centrally managed list; I suggest deploying it as part of the firewall shared service, as it can be updated in a similar way to the FQDNs required by services.
Describe the bug
Data can be exfiltrated by DNS tunneling.
There's a full discussion on the MS repo, issue 4036. The resolution is to attach a private DNS resolver to the firewall, and have all spokes route their DNS through that (they probably already do?). The firewall DNS resolver then white/black-lists hosts that are allowed.
Note that the firewall is still necessary to prevent traffic flow, this only addresses name lookup and exfiltration via the DNS protocol.
Steps to reproduce
Attacker-side:
On the Workspace VM (only tested Linux at the moment)
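The following is an added example, not code from this issue, its reproduction steps, or the MS repo. It shows the two halves of the resolution described above in working Python: the allow-list decision a firewall-attached resolver would make for each query, and a small detector run over resolver logs that surfaces the tunnelling pattern (many unique, encoded, high-entropy names under one domain). The allow-list entries, the log lines, the hostnames (`exfil.example.net`) and the thresholds are all assumptions constructed for illustration.

```python
"""Added example (not from the issue thread or the MS/TRE repos): a DNS
allow-list decision like the one a firewall-attached resolver would apply,
plus a tunnelling detector run over constructed resolver log lines.
Every hostname, log line and threshold below is an assumption for illustration."""
import math
import re
from collections import Counter, defaultdict

# Assumed allow-list of FQDN suffixes the workspace legitimately needs.
ALLOWED_SUFFIXES = (
    "pypi.org",
    "files.pythonhosted.org",
    "ubuntu.com",
    "blob.core.windows.net",
)

# Constructed sample resolver log, "<timestamp> <client> <qname> <qtype>" per line.
# The four TXT queries carry a hex-encoded payload in the leftmost label, the
# classic tunnelling shape: the data leaves in the *name*, whatever the answer is.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.1.0.4 pypi.org A
2024-01-01T10:00:02Z 10.1.0.4 files.pythonhosted.org A
2024-01-01T10:00:03Z 10.1.0.4 security.ubuntu.com A
2024-01-01T10:00:04Z 10.1.0.4 4d6f6e64617920313a2074657374.exfil.example.net TXT
2024-01-01T10:00:04Z 10.1.0.4 5365636f6e64206c696e65206f66.exfil.example.net TXT
2024-01-01T10:00:05Z 10.1.0.4 7468652073656372657420646174.exfil.example.net TXT
2024-01-01T10:00:05Z 10.1.0.4 612e2e2e20616e64206d6f726521.exfil.example.net TXT
2024-01-01T10:00:06Z 10.1.0.5 archive.ubuntu.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_log(text):
    """Yield (timestamp, client, qname, qtype); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            yield ts, client, qname.lower().rstrip("."), qtype.upper()


def is_allowed(qname):
    """Resolver-side allow-list: an exact match or a subdomain of an allowed
    suffix resolves, everything else is refused. Note the leading dot: a plain
    endswith("ubuntu.com") would also admit "notubuntu.com".
    This only governs lookups that reach the proxy; the firewall still has to
    block outbound port 53 to anything else, or the VM just asks another resolver."""
    return any(qname == s or qname.endswith("." + s) for s in ALLOWED_SUFFIXES)


def registered_domain(qname):
    """Last two labels; a real deployment should use the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def query_indicators(qname, qtype):
    """Per-query tunnelling indicators. Thresholds are assumed; tune to your traffic.
    The payload carrier is the leftmost label once there is something below
    the registered domain; short labels are not scored for entropy at all."""
    labels = qname.split(".")
    payload = labels[0] if len(labels) >= 3 else ""
    reasons = []
    if len(qname) > 60:
        reasons.append("long-qname")
    if any(len(label) > 24 for label in labels):
        reasons.append("long-label")
    if len(payload) >= 16 and HEX_RE.match(payload):
        reasons.append("hex-alphabet")
    if len(payload) >= 16 and shannon_entropy(payload) > 3.0:
        reasons.append("high-entropy")
    if qtype in ("TXT", "NULL") and payload:
        reasons.append("bulk-rr-type")
    return reasons


def analyze(text, min_queries=3):
    """Aggregate per registered domain. Tunnelling shows up as several suspicious
    queries under one domain, each with a fresh payload (a repeated lookup of one
    odd name is cacheable and far less interesting)."""
    per_domain = defaultdict(lambda: {"queries": 0, "refused": 0,
                                      "suspicious": 0, "payloads": set()})
    for _ts, _client, qname, qtype in parse_log(text):
        s = per_domain[registered_domain(qname)]
        s["queries"] += 1
        if not is_allowed(qname):
            s["refused"] += 1
        if query_indicators(qname, qtype):
            s["suspicious"] += 1
            s["payloads"].add(qname.split(".")[0])
    return {
        d: {"queries": s["queries"], "refused": s["refused"], "suspicious": s["suspicious"],
            "flagged": s["suspicious"] >= min_queries and len(s["payloads"]) == s["suspicious"]}
        for d, s in per_domain.items()
    }


if __name__ == "__main__":
    for domain, s in analyze(SAMPLE_LOG).items():
        print(f"{domain:18} queries={s['queries']} refused={s['refused']} "
              f"suspicious={s['suspicious']} flagged={s['flagged']}")
```

Running it flags `example.net` (four refused, four suspicious, four distinct payloads) and leaves the package mirrors alone. Two design points worth keeping when adapting this: the allow-list check matches on a label boundary, and entropy is only scored on labels long enough to mean something, which is what keeps `security.ubuntu.com` from tripping the same rule as a hex blob.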