On Tuesday, 12 March 2019 15:36:36 UTC Stephane Bortzmeyer wrote:
> On Mon, Mar 11, 2019 at 08:55:18AM +0530,
>  nalini elkins <nalini.elk...@e-dco.com> wrote
> 
>  a message of 202 lines which said:
> > The questions that the Fortune 50 company architect asked were something
> > like this:
> > 
> > 1. You mean that DNS could be resolved outside my enterprise?
> 
> I suggest to explain to this person that it was possible before, as
> any malware author discovered.

no, it was not possible before. or rather, it could be cheaply prevented 
before.

> If people responsible for networks of Fortune 50 company don't know
> that it is difficult to stop unwanted communication (except when you
> control all the endpoints, or when you airgap your network), then it
> is indeed a problem :-)

in my own travels, i've met some fortune-level CISOs who had not yet been 
told that RDNS monitor/control bypass was now an internet standard, and that 
behavioural modeling based on TCP/443 endpoints was no longer practical. so, i 
urge greater efforts on getting the word out.

vixie


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
