Protect Against DNSLivery Exploit?

Environment specifics up front:

  • All endpoints use ZCC and Z-Tunnel 2.0 for forwarding
  • All networks are treated as untrusted in app and forwarding profiles
  • VPN is not in use
  • Tunnels to ZIA are not in use
  • Clouds: zscalergov.net, zpagov.net, zdxgov.net

My client had a pentest conducted recently wherein, despite the heavily controlled conditions of the test (their VDI sessions were totally blocked from the Internet in ZIA and only had a short list of allowed servers on port 443 in ZPA), the red team was somehow able to infil their tools to their VDI sessions, run their tests against their target systems (and AD) in the network, elevate privileges, move laterally, and exfil artifacts despite ZIA and ZPA showing nothing untoward.

The red team lead finally showed me today how they got their tools into the network both initially and in today’s re-test, and it was through a very cool tool called DNSLivery. I figured out how to close this hole in ZIA by blocking DNS TXT requests in DNS Control. I then deployed DNSLivery on an EC2 instance I control and tested that my change in ZIA successfully closed the hole for remote (Road Warrior location) users but did not close it for on-network machines. I suspect the reason for this is that since the users are using the domain controllers as their DNS, this is never being forwarded to Zscaler. I’m sure that I could forward their DNS to ZIA somehow, but I fear this could screw up domain traffic (though I have App Segments for AD and SRV discovery).

Has anyone else run into this before and if so, how did you address the on-network devices?

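The post above shows that a policy block in DNS Control only helps where the resolver path actually transits Zscaler. For the on-network case, where the domain controllers answer queries themselves, the complementary control is to watch the DC or resolver logs for the traffic pattern a TXT-record file drop produces: one client issuing a burst of TXT queries for many distinct subdomains of a single domain, with answers that are clean base64 blobs rather than SPF/DMARC-style text. The following is an added example written for this page; it is not code from the original post and not part of the DNSLivery project. The log format (`timestamp client qname qtype rdata`), the log lines themselves, the `attacker.test` domain, the `<n>.tool.<domain>` naming, and the thresholds are all constructed assumptions for illustration.

```python
"""Flag DNSLivery-style file delivery over DNS TXT records in resolver logs.

Added example for this page, not code from the original post or the
DNSLivery project. Heuristic: one client pulling many distinct TXT names
under one domain, with answers that decode as base64, within a short window.
Log format, thresholds and the naming scheme are assumptions.
"""
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta

B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
MIN_CHUNKS = 5                   # assumed: distinct base64 TXT answers before alerting
WINDOW = timedelta(seconds=60)   # assumed: sliding observation window


def looks_like_base64(txt: str) -> bool:
    """True when a TXT answer is a clean base64 blob (a file chunk), not SPF/DMARC text."""
    if not B64_RE.match(txt):
        return False
    try:
        base64.b64decode(txt, validate=True)
    except binascii.Error:
        return False
    return True


def base_domain(qname: str) -> str:
    """Crude registered-domain approximation (last two labels).
    A production detector should use the public suffix list; this is an assumption."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Parse one constructed 'ts client qname qtype rdata' log line (rdata may contain spaces)."""
    ts, client, qname, qtype, rdata = line.split(None, 4)
    return datetime.fromisoformat(ts), client, qname, qtype, rdata


def detect_txt_delivery(log_lines):
    """Return [(client, domain, max_distinct_chunks_in_window)] for suspicious clients."""
    events = defaultdict(list)   # (client, base_domain) -> [(ts, qname, rdata)]
    for line in log_lines:
        if not line.strip():
            continue
        ts, client, qname, qtype, rdata = parse_line(line)
        if qtype != "TXT":
            continue
        events[(client, base_domain(qname))].append((ts, qname, rdata))

    alerts = []
    for (client, domain), rows in events.items():
        rows.sort()
        start, best = 0, 0
        for end in range(len(rows)):
            # advance the window start until all rows fit inside WINDOW
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            chunks = {q for _, q, r in rows[start:end + 1] if looks_like_base64(r)}
            best = max(best, len(chunks))
        if best >= MIN_CHUNKS:
            alerts.append((client, domain, best))
    return alerts


def constructed_log():
    """Constructed sample resolver log for this example; not real traffic."""
    payload = b"constructed fake binary payload for the example " * 6   # 288 bytes
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = [
        f"{t0.isoformat()} 10.1.2.3 www.example.com A 93.184.216.34",
        f"{t0.isoformat()} 10.1.2.4 _dmarc.example.com TXT v=DMARC1;p=reject",
        f"{t0.isoformat()} 10.1.2.4 example.com TXT v=spf1 -all",
    ]
    # client 10.1.2.3 fetches the file 24 bytes per TXT answer under <n>.tool.attacker.test
    for offset in range(0, len(payload), 24):
        n = offset // 24
        ts = (t0 + timedelta(seconds=n)).isoformat()
        chunk = base64.b64encode(payload[offset:offset + 24]).decode()
        lines.append(f"{ts} 10.1.2.3 {n}.tool.attacker.test TXT {chunk}")
    return lines


if __name__ == "__main__":
    for client, domain, count in detect_txt_delivery(constructed_log()):
        print(f"ALERT {client} pulled {count} base64 TXT chunks from {domain}")
```

Running it against the constructed log flags 10.1.2.3 for twelve base64 TXT answers under attacker.test and ignores the legitimate DMARC and SPF lookups from 10.1.2.4. On the domain controllers this would run over the DNS Server debug or analytical log after mapping its fields onto the same five columns; the same logic applies unchanged to ZIA DNS logs for the Road Warrior case, which is useful for confirming that the TXT block is actually being hit rather than silently bypassed.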

Assuming the “on-network machines” are not running ZCC you could tunnel from the network they reside on to the Zscaler cloud (including DNS) and use the DNS protection you used with the ZCC clients. That said, two things seem evident to me: 1.) You’ve done a great job of completely utilizing all the applicable functions of ZIA and ZCC to control and secure access from the network, and 2.) you may be ready for some Deception technology now! :wink:

Hey Mark,
Thanks for the compliment, I appreciate it. :blush:

In my environment, everyone uses ZCC, so everything goes to Zscaler for enforcement.

The only thing I can think of is that 10.0.0.0/8 is excluded from Z-Tunnel, the domain controllers are recursive and authoritative DNS, hence it’s not getting caught from on-network devices. Devices at home have their router on an RFC 1918 network that is excluded from the tunnel, but their Netgear or whatever is not recursive or authoritative and sends it upstream, so ZIA can DNAT it and enforce it.