Barts-Life-Science / AzureTRE

An accelerator to help organizations build Trusted Research Environments on Azure.
https://microsoft.github.io/AzureTRE
MIT License

DNS exfiltration is not blocked #125

Closed TonyWildish-BH closed 2 weeks ago

TonyWildish-BH commented 1 month ago

Describe the bug

Data can be exfiltrated by DNS tunneling.

There's a full discussion on the MS repo, issue 4036. The resolution is to attach a private DNS resolver to the firewall, and have all spokes route their DNS through that (they probably already do?). The firewall DNS resolver then white/black-lists hosts that are allowed.

Note that the firewall is still necessary to prevent traffic flow, this only addresses name lookup and exfiltration via the DNS protocol.

Steps to reproduce

Attacker-side:

  1. Register a domain and create a VM on the Internet
  2. Set up an NS DNS record to point towards the VM
  3. Deploy Iodine server (10.0.0.1)

On the Workspace VM (only tested Linux at the moment)

  1. Download iodine client via apt on Ubuntu
  2. Establish a DNS tunnel using Iodine to the server
  3. An SFTP session was then able to exfiltrate 100 MB in about 2 and a half hours.

TonyWildish-BH commented 1 month ago

From Marcus, on the MS ticket above:

Ok, have a configuration that works.

This way there can be a centrally managed list; suggest deploying it as part of the firewall shared service, as it can be updated in a similar way to the FQDNs required by services.
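An added example, in Python, that is not code from the AzureTRE project or from this issue. It covers both the reproduction steps above and the proposed fix: it reads a constructed DNS query log in an assumed `<timestamp> <client_ip> <qtype> <qname>` format, applies an assumed allowlist of the kind the issue proposes for the firewall's DNS resolver (only names under approved domains get answered), and scores each registered domain for iodine-style tunnelling traffic (long, high-entropy leftmost labels, no repeated names, record types not seen from normal package-manager lookups). The sample log lines, the allowlist contents, the thresholds and the naive "last two labels" domain split are all assumptions made for the example, not anything the issue or the project specifies.

```python
"""
Added example (not part of AzureTRE or this issue): DNS query-log triage that
(a) applies an allowlist like the one proposed for the firewall's DNS resolver
and (b) scores each domain for iodine-style DNS tunnelling.
"""
import math
from collections import defaultdict

# Assumed log format: "<timestamp> <client_ip> <qtype> <qname>", one query per line.
# These lines are constructed for the example. The 34-character leftmost labels
# under tunnel.example.net mimic the base32-style encoded chunks an iodine client
# places in query names; each one is a permutation of the same 34 characters.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.2.4 A archive.ubuntu.com
2024-05-01T10:00:01Z 10.1.2.4 A security.ubuntu.com
2024-05-01T10:00:02Z 10.1.2.4 A archive.ubuntu.com
2024-05-01T10:00:02Z 10.1.2.4 A ubuntu.com
2024-05-01T10:00:03Z 10.1.2.4 A security.ubuntu.com
2024-05-01T10:00:03Z 10.1.2.4 A archive.ubuntu.com
2024-05-01T10:00:04Z 10.1.2.4 A pypi.org
2024-05-01T10:00:04Z 10.1.2.4 NULL 0aj3vk9q2mxw7nhb5tcy8lz4dpgu6rfe1s.t.tunnel.example.net
2024-05-01T10:00:04Z 10.1.2.4 NULL 1q8zm4vk7cyw2ptn6xhb9ldg3rfa5ejs0u.t.tunnel.example.net
2024-05-01T10:00:05Z 10.1.2.4 NULL 2x5hn8bt1pcw4ymz7gql3vkd9rja6fes0u.t.tunnel.example.net
2024-05-01T10:00:05Z 10.1.2.4 NULL 3w9kv2rm6tcb1ynx4jhz8dpl5gqa7feu0s.t.tunnel.example.net
2024-05-01T10:00:06Z 10.1.2.4 NULL 4z6pn1jg5vmb8xhw2kqt9rcl3yda7feu0s.t.tunnel.example.net
2024-05-01T10:00:06Z 10.1.2.4 NULL 5v7tq3nc8wmx1kbh4zjl6rgp9yda2feu0s.t.tunnel.example.net
"""

# Assumed allowlist: what a research workspace legitimately needs to resolve.
ALLOWED_SUFFIXES = frozenset({"ubuntu.com", "pypi.org", "pythonhosted.org"})

# Record types a tunnel can carry data in but apt/pip style traffic does not use (assumption).
UNUSUAL_QTYPES = frozenset({"NULL", "TXT", "MX", "SRV", "CNAME"})


def parse_log(text):
    """Parse the assumed log format into a list of query dicts."""
    queries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        queries.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.rstrip(".").lower()})
    return queries


def shannon_entropy(s):
    """Bits per character of a string; ~5.09 for a 34-char label with no repeats."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registrable domain: last two labels (wrong for co.uk etc.; assumption)."""
    return ".".join(qname.split(".")[-2:])


# --- (a) the allowlist decision the issue proposes for the firewall's DNS resolver
def is_allowed(qname):
    """Allow exact matches and subdomains only; 'notubuntu.com' must not pass."""
    qname = qname.rstrip(".").lower()
    return any(qname == s or qname.endswith("." + s) for s in ALLOWED_SUFFIXES)


def filter_queries(text):
    """Split queries into (answered, refused) as an allowlisting resolver would."""
    allowed, denied = [], []
    for q in parse_log(text):
        (allowed if is_allowed(q["qname"]) else denied).append(q["qname"])
    return allowed, denied


# --- (b) tunnelling indicators per registered domain, for traffic that still gets through
def domain_features(queries):
    by_domain = defaultdict(list)
    for q in queries:
        by_domain[registered_domain(q["qname"])].append(q)
    feats = {}
    for domain, qs in by_domain.items():
        left = [q["qname"].split(".")[0] for q in qs]   # data-bearing label in iodine
        feats[domain] = {
            "queries": len(qs),
            "unique_ratio": len({q["qname"] for q in qs}) / len(qs),
            "mean_label_len": sum(map(len, left)) / len(left),
            "mean_entropy": sum(map(shannon_entropy, left)) / len(left),
            "unusual_qtype_ratio": sum(q["qtype"] in UNUSUAL_QTYPES for q in qs) / len(qs),
        }
    return feats


def suspicious_domains(text, min_queries=5):
    """Return {domain: [indicators]} for domains hitting at least two indicators."""
    flagged = {}
    for domain, f in domain_features(parse_log(text)).items():
        if f["queries"] < min_queries:
            continue
        checks = (("long_labels", f["mean_label_len"] >= 20),
                  ("high_entropy", f["mean_entropy"] >= 4.0),
                  ("no_repeats", f["unique_ratio"] >= 0.9),
                  ("unusual_qtypes", f["unusual_qtype_ratio"] >= 0.5))
        indicators = [name for name, hit in checks if hit]
        if len(indicators) >= 2:
            flagged[domain] = indicators
    return flagged


if __name__ == "__main__":
    answered, refused = filter_queries(SAMPLE_LOG)
    print(f"resolver would answer {len(answered)} queries and refuse {len(refused)}")
    for domain, why in suspicious_domains(SAMPLE_LOG).items():
        print(f"possible tunnel via {domain}: {', '.join(why)}")
```

Both halves rely on the one thing the tunnel cannot hide: iodine must put its data in names sent to a zone the attacker controls, so a deny-by-default allowlist at the resolver refuses every tunnel query regardless of encoding, while the heuristics are for catching traffic that still gets through (for example tunnelling via a domain that was allowlisted too broadly). As the first comment notes, neither helps unless the firewall also blocks direct UDP/TCP 53 from the spokes to arbitrary Internet hosts; otherwise the client simply bypasses the resolver.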