On Tuesday, 12 March 2019 15:36:36 UTC Stephane Bortzmeyer wrote:
> On Mon, Mar 11, 2019 at 08:55:18AM +0530,
> nalini elkins <nalini.elk...@e-dco.com> wrote
> > a message of 202 lines which said:
>
> > The questions that the Fortune 50 company architect asked were something
> > like this:
> >
> > 1. You mean that DNS could be resolved outside my enterprise?
>
> I suggest to explain to this person that it was possible before, as
> any malware author discovered.

no, it was not possible before. or rather, it could be cheaply prevented before.

> If people responsible for networks of Fortune 50 company don't know
> that it is difficult to stop unwanted communication (except when you
> control all the endpoints, or when you airgap your network), then it
> is indeed a problem :-)

in my own travels, i've met some fortune-level CISO's who had not yet been told that RDNS monitor/control bypass was now an internet standard, and that behavioural modeling based on TCP/443 endpoints was no longer practical. so, i urge greater efforts on getting the word out.

vixie

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop