In case you missed the article from Citizen Lab and the patch update from Apple: You need to update your systems to macOS Big Sur 11.6, iOS 14.8, and watchOS 7.6.2. This is obviously critical for corporate offices (DNSFilter exclusively uses Macs, so we get it), but you also need to update your personal devices.
The NSO group is behind this zero-click Apple messenger vulnerability. If you’re a Darknet Diaries fan (like we are), you’re already well aware of NSO. Back in July, we actually started adding known NSO spyware domains to our “Trackers” category.
So if you’re looking for an additional layer of protection, adding this “Trackers” category to your block list can do just that. Learn more about our "Trackers" category here.
With that out of the way...
C2 servers are an important part of malware attacks. We’ll touch on them in our webinar later today, but here we want to go into detail. Also known as CNC, these abbreviations stem from the full name: Command and Control. Taking its name from the military term, NATO defined Command and Control as “the exercise of authority and direction by a properly designated individual over assigned resources in the accomplishment of a common goal.”
In this case, the authorities are threat actors and the common goal is a malicious one.
What are C2 servers? They are the servers contacted by a compromised host (a device with malware on it) and the attack servers. The attack server and compromised device communicate over a C2 channel, and the communication is mostly done over trusted traffic such as DNS. The infected host receives commands from the C2 server. The command might be to deploy the attack, begin data exfiltration, or to sit and wait.
Keep reading about C2 attacks.
Our Knowledge Base has plenty of helpful articles to help you with the more technical aspects of a deployment.
You might be familiar with our Network or Roaming Client deployment. But there is a third way to deploy DNSFilter that gives you blanket protection possible at the network-level but with the granularity of end device protection: the DNSFilter Relay.
Relying on the Relay also means you can enforce individual device policies via static IPs without installing individual Roaming Clients.
In this deployment, DNS requests are performed by way of the Relay (essentially a proxy) where policy enforcement and reporting is logged. The Relay is available as a virtual machine (this is our recommended option), Docker container, or binary.
Full implementation instructions can be found here.
Are you concerned with finding out what’s the latest with DNSFilter? Check out our Changelog.