Skip to content

DNS Validation (NET-DNS)

Validate that DNS resolution is controlled, inspection cannot be evaded, and exfiltration channels are blocked.

Objectives

  • Prevent resolution of restricted domains.
  • Block DoH/DoT evasion attempts.
  • Detect and deny DNS-based exfiltration.

Controls Under Test

  • DNS filtering and allowlisting.
  • Proxy enforcement (preventing direct DNS queries).
  • Protocol restrictions (blocking DoH/DoT via HTTPS inspection).

Test Scenarios

IDThreat / ScenarioUniversal ProcedureExpected Outcome & Audit
NET-DNS-01DNS Resolution ControlAdversary attempts to resolve restricted domains.
Perform a DNS lookup for a restricted domain using a specific server.
Pass: Command fails or returns timeout; no A/AAAA records.
Audit: action: deny
NET-DNS-02DNS Evasion (DoH/DoT)Adversary attempts to bypass inspection via DoH/DoT.
Attempt DNS resolution via HTTPS/TLS to public resolvers.
Pass: Denied; traffic must traverse enforced proxy.
Audit: reason: dohBlocked or certificate failure.
NET-DNS-03DNS ExfiltrationHigh throughput data exfiltration via DNS.
Use DNS tools to send encoded data (base64) to a controlled nameserver.
Pass: Denied.
Audit: reason: dnsBlocked or queryLengthExceeded.
NET-DNS-04Hosts File BypassAdversary attempts to bypass DNS by modifying local hosts file.
Add an entry for a restricted domain to /etc/hosts and attempt connection.
Pass: Connection failed; hosts file ignored or access denied.
Audit: action: deny
NET-DNS-05Direct TCP DNSAdversary attempts DNS resolution over TCP to bypass UDP filters.
Use dig +tcp @8.8.8.8 to force TCP resolution.
Pass: Connection failed/timeout.
Audit: action: deny, protocol: tcp
NET-DNS-06Timing Side-ChannelsNetwork mapping via timing analysis.
Measure resolution times for blocked vs. non-existent domains.
Pass: Negligible timing delta (< 5ms).

Evidence Requirements

  • Audit category: network
  • Required fields: action, outcome, reason