In today's episode of "Can It Run Doom": DNS fucking TXT records.

Some absolute madlad (cough Adam Rice cough) compressed the entire shareware DOOM WAD, split it into around 1,964 chunks, shoved them into Cloudflare TXT records, and wrote a PowerShell script that reassembles and runs the whole goddamn game from DNS queries alone. Nothing touches disk. The DLLs are in DNS. THE FUCKING DLLS ARE IN DNS.

RFC 1035 was written in 1987. Those engineers are spinning in their graves fast enough to generate municipal power.

Bonus: this is a fully functional globally-distributed covert data exfil channel that your NGFW will never fucking see if you're not doing deep DNS inspection. Sleep well.

blog: https://blog.rice.is/post/doom-over-dns/

repo: https://github.com/resumex/doom-over-dns

Also lmao @ every blue team that has never once looked at their DNS query volume. How's that DLP policy working out for you.

It was always DNS.

#infosec #dns #doom #itisalwaysdns

@k3ym0 "good luck if you're not doing deep DNS inspection"

iodine, dnscat, and literally every other DNS tunneling technique that has existed in the past 20-ish years: lol. lmao, even.

Still, quite impressive, but saying this shit is a hard-to-detect covert channel is unmitigated bullshit.

@da_667 iodine and dnscat also have 20 years of signatures, known patterns, and detection logic baked into tooling. This doesn't.

But honestly that's beside the point. "Detectable" and "detected" are two very different sentences. iodine has been detectable for 20 years and I've watched it walk right out of enterprise networks that had no idea. Known technique != mature detection coverage in the median org.

SMBs are running Server 2008 R2 with a WatchGuard FW and a prayer. Mid-market is logging DNS at the firewall level and calling it done.

"Detectable in theory by a mature SOC" and "hard to detect in most real environments" are not mutually exclusive statements.
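The detection gap k3ym0 describes, as an added example that is not from the thread or from the doom-over-dns repo: a Python heuristic over constructed DNS query log lines (the log format, domain names and threshold are assumptions) that flags a client walking many distinct TXT names under one domain, which is what chunked retrieval looks like from the resolver's side.

```python
"""Flag DNS clients that walk many distinct TXT names under one domain.

Pulling a payload split across TXT records means one client resolves a long run
of unique names under a single domain, each once; SPF/DKIM/DMARC/ACME lookups hit
a handful of stable names repeatedly. This heuristic keys on that difference."""
from collections import defaultdict

# Constructed sample log; hypothetical "<epoch> <client> <qtype> <qname>" format.
SAMPLE_LOG = """\
1712000001 10.0.0.5 A www.example.com
1712000002 10.0.0.5 TXT _dmarc.example.com
1712000003 10.0.0.5 TXT _dmarc.example.com
1712000004 10.0.0.9 TXT c0000.payload.wad-chunks.example
1712000004 10.0.0.9 TXT c0001.payload.wad-chunks.example
1712000005 10.0.0.9 TXT c0002.payload.wad-chunks.example
1712000005 10.0.0.9 TXT c0003.payload.wad-chunks.example
1712000006 10.0.0.9 TXT c0004.payload.wad-chunks.example
1712000006 10.0.0.9 TXT c0005.payload.wad-chunks.example
1712000007 10.0.0.9 A www.example.com
"""

def registered_domain(qname: str) -> str:
    """Last two labels; a real deployment should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def txt_stats(log_text: str) -> dict:
    """Per (client, domain): count of TXT queries and set of distinct TXT qnames."""
    stats = defaultdict(lambda: {"txt": 0, "names": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "TXT":
            continue
        key = (parts[1], registered_domain(parts[3]))
        stats[key]["txt"] += 1
        stats[key]["names"].add(parts[3].lower())
    return stats

def find_txt_tunnels(log_text: str, min_unique: int = 5) -> list:
    """(client, domain, distinct_names) for clients that walked >= min_unique
    distinct TXT names under one domain; tune min_unique to your baseline."""
    return sorted((c, d, len(s["names"])) for (c, d), s in txt_stats(log_text).items()
                  if len(s["names"]) >= min_unique)

if __name__ == "__main__":
    for client, domain, n in find_txt_tunnels(SAMPLE_LOG):
        print(f"{client} resolved {n} distinct TXT names under {domain}")
```

Run against resolver or firewall DNS logs, the repeated-name SPF/DMARC traffic stays below the threshold while a chunk walk stands out on distinct-name count alone, before anyone looks at record contents.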

@k3ym0
@da_667

* Cries in DoH-allowed-networks *

@rx13 @k3ym0

/point
/laugh