Appearance
DNS Validation (NET-DNS)
Validate that DNS resolution is controlled, inspection cannot be evaded, and exfiltration channels are blocked.
Objectives
- Prevent resolution of restricted domains.
- Block DoH/DoT evasion attempts.
- Detect and deny DNS-based exfiltration.
Controls Under Test
- DNS filtering and allowlisting.
- Proxy enforcement (preventing direct DNS queries).
- Protocol restrictions (blocking DoH/DoT via HTTPS inspection).
Test Scenarios
| ID | Threat / Scenario | Universal Procedure | Expected Outcome & Audit |
|---|---|---|---|
| NET-DNS-01 | DNS Resolution Control | Adversary attempts to resolve restricted domains. Perform a DNS lookup for a restricted domain using a specific server. | Pass: Command fails or returns timeout; no A/AAAA records. Audit: action: deny |
| NET-DNS-02 | DNS Evasion (DoH/DoT) | Adversary attempts to bypass inspection via DoH/DoT. Attempt DNS resolution via HTTPS/TLS to public resolvers. | Pass: Denied; traffic must traverse enforced proxy. Audit: reason: dohBlocked or certificate failure. |
| NET-DNS-03 | DNS Exfiltration | High throughput data exfiltration via DNS. Use DNS tools to send encoded data (base64) to a controlled nameserver. | Pass: Denied. Audit: reason: dnsBlocked or queryLengthExceeded. |
| NET-DNS-04 | Hosts File Bypass | Adversary attempts to bypass DNS by modifying local hosts file. Add an entry for a restricted domain to /etc/hosts and attempt connection. | Pass: Connection failed; hosts file ignored or access denied. Audit: action: deny |
| NET-DNS-05 | Direct TCP DNS | Adversary attempts DNS resolution over TCP to bypass UDP filters. Use dig +tcp @8.8.8.8 to force TCP resolution. | Pass: Connection failed/timeout. Audit: action: deny, protocol: tcp |
| NET-DNS-06 | Timing Side-Channels | Network mapping via timing analysis. Measure resolution times for blocked vs. non-existent domains. | Pass: Negligible timing delta (< 5ms). |
Evidence Requirements
- Audit category:
network - Required fields:
action,outcome,reason
