First DNS over HTTPS Malware Exploit Described

In the same week that we published our post about Google announcing general availability for its public DNS over HTTPS (DoH) implementation, Netlab published its first description of malware using DoH as a mechanism to hide its DNS traffic. The malware, named Godlua, is a Lua-based backdoor currently affecting some Linux servers running certain older versions of Confluence (CVE-2019-3396). Netlab reports that it can be used to run dynamic Lua scripts and has already identified examples of Godlua being used to initiate HTTP DDoS attacks in the wild. Of interest for this particular discussion is the fact that Godlua makes use of DoH to encrypt its communication with its Command and Control (C2) infrastructure.

What you don’t see can hurt you

As we discussed in our last post, the main challenge associated with DoH is the encapsulation of DNS in encrypted HTTPS packets and the subsequent blending of those packets into the larger stream of existing HTTPS traffic. This makes it considerably more difficult and resource-intensive for security teams to work with the DNS traffic.

With DoH, the DNS packets first need to be found inside the HTTPS stream before they can be inspected for security concerns. Finding them requires active measures such as deep packet inspection, which means DoH circumvents all of the passive DNS traffic monitoring mechanisms currently in place. This has profound implications for existing security infrastructures.
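One way to make that monitoring gap visible from the logs you still have is to correlate outbound HTTPS connections against the passive-DNS answers that should have preceded them; the script below is an added example, not code from the original post, and its log lines, the KNOWN_DOH_SNI list and the 60-second correlation window are constructed assumptions.

```python
"""Flag HTTPS connections that no visible DNS answer can explain.

A client that resolves names over DoH still opens TCP connections we can see,
but the port-53 lookups that normally precede them disappear. Correlating the
two log sources surfaces (a) connections to well-known public DoH resolvers and
(b) destinations that were never returned by any observed DNS answer.
"""
from collections import defaultdict

# Constructed passive-DNS log: (timestamp, client, queried_name, answered_ip)
DNS_ANSWERS = [
    (100, "10.0.0.5", "www.example.com", "93.184.216.34"),
    (105, "10.0.0.6", "dns.google", "8.8.8.8"),
]

# Constructed connection log: (timestamp, client, dst_ip, dst_port, tls_sni)
CONNECTIONS = [
    (101, "10.0.0.5", "93.184.216.34", 443, "www.example.com"),   # explained by DNS
    (106, "10.0.0.6", "8.8.8.8", 443, "dns.google"),               # the DoH resolver itself
    (130, "10.0.0.6", "203.0.113.9", 443, "update.example.net"),  # no DNS answer ever seen
]

# Assumption: SNI names of public DoH endpoints; extend with those relevant to you.
KNOWN_DOH_SNI = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}
CORRELATION_WINDOW = 60  # seconds during which a DNS answer explains a connection


def find_unexplained(dns_answers, connections, window=CORRELATION_WINDOW):
    """Return (reason, client, dst_ip, sni) tuples for connections worth a look."""
    # Index answer timestamps by (client, answered_ip) for quick lookup
    seen = defaultdict(list)
    for ts, client, _name, ip in dns_answers:
        seen[(client, ip)].append(ts)

    findings = []
    for ts, client, ip, port, sni in connections:
        if sni in KNOWN_DOH_SNI:
            findings.append(("known-doh-resolver", client, ip, sni))
            continue
        # A connection is explained if this client got this IP in an answer
        # within the window before the connection was opened.
        explained = any(0 <= ts - ans_ts <= window for ans_ts in seen[(client, ip)])
        if not explained and port == 443:
            findings.append(("no-visible-dns", client, ip, sni))
    return findings
```

Expect noise from cached answers, hard-coded IP literals and long-lived sessions, so treat the "no-visible-dns" hits as a triage queue rather than an alert on their own.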

What does this mean for me?

In the end, counter to what we said about having some time to figure out your strategy around encrypted DNS, exploits that leverage DoH are already appearing. The challenge associated with DoH is indeed another data point to consider in the decision about which DNS encryption mechanism, if any, to use in your enterprise environment.

In the last post we pointed out that neither of the mainstream operating systems, Windows and MacOS, currently supports DoH. Moving up the application stack, however, both the Firefox and Chrome browsers already support DoH. So even outside the malware domain, regular end users already have the ability to interact directly with public DoH servers through an HTTPS stream that, as we mentioned, is difficult to control.

The end result is that you may need to look for help from people that specialize in the area. Addressing the DoH challenges in a constructive manner requires specialized knowledge and experience. As we mentioned in the last post, many of the challenges associated with DNS can be addressed through proper architectural decisions. We encourage you to reach out to specialist DNS providers such as Infoblox and their trusted partners for direction and assistance in addressing your DNS related challenges including, of course, DoH considerations.