Anything to learn here? #584
Replies: 3 comments
-
Just read through it and this form of malware communication seems quite sophisticated as the DNS messages are valid on their own. In my opinion it would be quite hard to automatically block this form of communication as the described scenario is application specific and could be quite easily adjusted to look different and thus would be undetected. I agree that an auto detection would be nice but I believe it would be outside of the scope of blocky.
-
I agree, while this is interesting, I think this is more the job of a block list.
-
That's the reason that those protective DNS SaaS services like Akamai ETP & Cisco Umbrella exist. Would be hard to implement it here.
-
https://blog.malwarebytes.com/threat-intelligence/2022/05/how-the-saitama-backdoor-uses-dns-tunnelling/amp/
Not so much this APT/threat, but just in general: this type of C&C seems to be more active.
With EDNS having larger packets, it seems like this will get easier and easier.
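As an added example (not code from this discussion, from blocky, or from the linked article), the kind of heuristic the comments above consider out of scope for a resolver: it reads a query log and scores each base domain on subdomain label length, label entropy and record type, the traces a DNS-tunnelling channel tends to leave even when every message is syntactically valid DNS. The `<client> <qname> <qtype>` log format, the sample lines, the thresholds and the domain names are all constructed assumptions for this example.

```python
"""Heuristic scoring of resolver query logs for DNS-tunnelling-like patterns.

Constructed example: the log format, thresholds and names below are assumptions,
not blocky's log format or configuration.
"""
import math
from collections import defaultdict

# Constructed sample log (not real traffic): "<client> <qname> <qtype>" per line.
# The tunnel-demo.test lines imitate a channel that encodes data in long,
# random-looking labels and pulls responses via TXT records.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 cdn.example.com AAAA
10.0.0.9 3f9a2c1b7e4d8a6f0c2e5b1d9a7f3c4e.tunnel-demo.test TXT
10.0.0.9 a81c4e2f6b3d9a0e7c5f1b2d4e6a8c3f.tunnel-demo.test TXT
10.0.0.9 5e7d2a9c1f4b8e6a3c0d7f2b9e1a4c6d.tunnel-demo.test TXT
10.0.0.9 c2b7e4a9d1f6c3e8a5b0d7f2e9c4a1b6.tunnel-demo.test TXT
10.0.0.9 9d4f1a7c3e6b0d8f2a5c7e1b4d9f6a3c.tunnel-demo.test TXT
10.0.0.5 api.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain_part, base_domain).

    The base domain is approximated as the last two labels; a real deployment
    would use the public suffix list instead (assumption kept simple here).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Parse the constructed '<client> <qname> <qtype>' format; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, qtype = parts
        records.append((client, qname, qtype.upper()))
    return records


def score_base_domains(records, entropy_threshold=3.5, min_sub_len=24, min_unique=3):
    """Aggregate per base domain and return {base_domain: [reasons]} for suspicious ones."""
    stats = defaultdict(lambda: {"queries": 0, "unique_subs": set(),
                                 "high_entropy": 0, "long": 0, "bulk_types": 0})
    for _client, qname, qtype in records:
        sub, base = split_name(qname)
        st = stats[base]
        st["queries"] += 1
        st["unique_subs"].add(sub)
        stripped = sub.replace(".", "")
        if shannon_entropy(stripped) >= entropy_threshold:
            st["high_entropy"] += 1
        if len(stripped) >= min_sub_len:
            st["long"] += 1
        # Record types that carry arbitrary payload back to the client.
        if qtype in ("TXT", "NULL", "CNAME"):
            st["bulk_types"] += 1

    flagged = {}
    for base, st in stats.items():
        if len(st["unique_subs"]) < min_unique:
            continue  # too few distinct labels to draw a conclusion
        n = st["queries"]
        reasons = []
        if st["high_entropy"] / n >= 0.5:
            reasons.append("high_entropy_labels")
        if st["long"] / n >= 0.5:
            reasons.append("long_labels")
        if st["bulk_types"] / n >= 0.5:
            reasons.append("bulk_record_types")
        if reasons:
            flagged[base] = reasons
    return flagged


def detect(text: str):
    """Convenience wrapper: parse a log and return the flagged base domains."""
    return score_base_domains(parse_log(text))


if __name__ == "__main__":
    for base, reasons in detect(SAMPLE_LOG).items():
        print(f"{base}: {', '.join(reasons)}")
```

Only the constructed `tunnel-demo.test` domain is flagged; `example.com` has enough distinct subdomains but none of the signals. Each signal is individually innocent (CDN hostnames, DKIM selectors and some security products also produce long high-entropy labels), which is why the score aggregates per base domain over several queries and why, as the thread notes, a heuristic like this belongs with threat-intelligence feeds and block lists rather than as a hard block in the resolver itself.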