Oilrig (APT34) have become the first publicly known group to use DNS-over-HTTPS (DoH) protocol as a Command and Control (C2) channel for its malware. According to Vincente Diaz of Kaspersky, the Iranian group was first observed implementing the protocol in May of 2020. The threat group modified the open-source project DNSExfiltrator, which works as a funnel for transferring data through protocols such as DNS that are not normally used to transmit information. Not only is DNSExfiltrator being used to move data, it’s also helping it stay unnoticed while they’re being carried out. It is believed that Oilrig used this method back in May to relay data in COVID-19 related attacks. All in all, it comes as no surprise that the DoH protocol is becoming adopted due to the fact that not all security defenses are able to detect it and it is also encrypted by default.
While DNS-over-HTTPS may be useful for individuals, it causes more problems than it solves in enterprise environments. Network defenders and IT professionals managing corporate networks should treat DoH providers almost like C&C channels and block them at the firewall. It is also possible to disable DoH support in web browsers through Group Policy Objects (GPO), but of course, that will not have any effect against malware using DoH. A list of encrypted DNS providers can be found here: https://www.privacytools.io/providers/dns/