Comment by itake
1 day ago
I've definitely heard of cnc using a plural of domains for this reason. the bots have a list of domains they reach out to, searching for one that is valid.
I believe one issue with this strategy is many corporate VPNs block fresh domains. I guess if the software was pinned to use encrypted DNS instead of whatever the OS recommends, then the DNS blocking could be avoided...
How would a corporate DNS block new domains, exactly?
My employer uses Zscaler. I don't know exactly how they implement this, but my educated guess is the corporate DNS server doesn't resolve domains that were created recently.
In technical terms, the device asks the private corporate DNS server for the IP address of the hostname. The private DNS server checks the requested domain against a threat intelligence feed that tracks domain registration dates (and security risks). If the domain is deemed a threat, either return an IP address which points at a server that shows a warning message (if http traffic) or return an invalid IP (0.0.0.0).
A firewall. For example, Palo Alto firewalls can easily be configured to block domains newer than ~30 days old.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?...
Have a cache of domains you know about with registration date.
When getting a query for a domain you have not heard about, query whois for it. Store its registration date in the cache.
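The cache-plus-whois check described above, as an added example (my code, not from the thread): a resolver front-end that remembers a registration date per domain, queries a whois function only on a cache miss, and answers 0.0.0.0 for domains younger than 30 days. The whois and upstream lookups are constructed stand-ins, and failing closed on a missing registration date is an assumed policy.

```python
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

SINKHOLE_IP = "0.0.0.0"   # the "invalid IP" answer the thread describes
MIN_AGE_DAYS = 30         # block anything registered more recently than this

class NewDomainFilter:
    """Resolver front-end that answers 0.0.0.0 for recently registered domains."""
    def __init__(self, whois_lookup: Callable[[str], Optional[date]],
                 upstream_resolve: Callable[[str], str], today: date,
                 min_age_days: int = MIN_AGE_DAYS) -> None:
        self._whois = whois_lookup          # returns registration date, or None
        self._upstream = upstream_resolve   # normal resolution for allowed names
        self._today = today
        self._min_age = timedelta(days=min_age_days)
        self._cache: Dict[str, Optional[date]] = {}  # domain -> registration date

    @staticmethod
    def registrable_domain(hostname: str) -> str:
        # Crude: keep the last two labels. A production filter should use the
        # public suffix list so that "foo.co.uk" is not reduced to "co.uk".
        labels = hostname.lower().rstrip(".").split(".")
        return ".".join(labels[-2:])

    def registration_date(self, domain: str) -> Optional[date]:
        if domain not in self._cache:            # whois only on a cache miss
            self._cache[domain] = self._whois(domain)
        return self._cache[domain]

    def is_blocked(self, hostname: str) -> bool:
        registered = self.registration_date(self.registrable_domain(hostname))
        if registered is None:
            return True   # assumed policy: no registration date -> fail closed
        return self._today - registered < self._min_age

    def resolve(self, hostname: str) -> str:
        return SINKHOLE_IP if self.is_blocked(hostname) else self._upstream(hostname)

# --- constructed sample data, not real whois records ---
TODAY = date(2024, 6, 1)
FAKE_WHOIS = {"example-old.com": date(2019, 1, 1),
              "fresh-site.net": TODAY - timedelta(days=5),
              "noinfo.org": None}
WHOIS_CALLS: List[str] = []   # records lookups so caching can be verified
def fake_whois(domain: str) -> Optional[date]:
    WHOIS_CALLS.append(domain)
    return FAKE_WHOIS.get(domain)
def demo_filter() -> NewDomainFilter:
    return NewDomainFilter(fake_whois, lambda host: "203.0.113.10", TODAY)
```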