Forum Discussion
Vsevolod_Petrov
Feb 06, 2015 · Cirrostratus
How can I block DNS tunnels with BIG-IP?
Hi!
The GTM datasheet for service providers states that there's support for blocking DNS tunnels.
But I didn't find any solution for how to secure DNS from such attacks with GTM neither in documentati...
Feb 06, 2015
Hi zup,
interesting question. :)
From my perspective, LTM with the DNS Services module combined with an iRule can help to throttle DNS tunneling attempts.
As far as I can tell, there are multiple ways to encode traffic into valid DNS requests / responses.
But the bottom line is that one has to use specific record types (allowing large resource records), will send a significant number of requests over a short time frame, and the requests will typically target the same domain or a smaller number of domains.
If you build an iRule to track these measures, you can make DNS tunneling unattractive in your network.
But I think there is no way to fully prevent it, and the iRule will be very resource-consuming.
I'm not aware of published iRules. Very likely F5 Professional Services would be able to support you in writing an iRule covering the subject.
Thanks, Stephan
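
The three measures named in the reply above (record type, request rate over a short window, and a common target domain) can be modelled as a sliding-window counter per client and zone. The following is an added example, not part of the original posts and not an iRule or F5 code; the record-type set, the 10-second window, the limit of 20, the two-label zone guess and the sample queries are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumption: record types treated as able to carry large payloads; tune per network.
LARGE_RR_TYPES = {"TXT", "NULL", "CNAME", "MX", "SRV"}

def zone_of(qname, labels=2):
    """Naive zone guess: the last `labels` labels (no public-suffix handling)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

class TunnelThrottle:
    """Counts large-RR queries per (client, zone) inside a sliding time window."""
    def __init__(self, window=10.0, limit=20):
        self.window, self.limit = window, limit
        self.hits = defaultdict(deque)  # (client, zone) -> query timestamps

    def check(self, ts, client, qname, qtype):
        """Return True if this query pushes the client over the limit for its zone."""
        if qtype.upper() not in LARGE_RR_TYPES:
            return False
        q = self.hits[(client, zone_of(qname))]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire entries older than the window
            q.popleft()
        return len(q) > self.limit

def sample_queries():
    """Constructed sample data: (timestamp, client, qname, qtype)."""
    rows = [(i * 0.1, "10.0.0.5", f"chunk{i:04d}.t.example.com", "TXT") for i in range(30)]
    rows += [(i * 1.0, "10.0.0.9", f"www.site{i}.example.net", "A") for i in range(5)]
    rows += [(i * 5.0, "10.0.0.7", "example.org", "TXT") for i in range(6)]  # slow, benign
    return sorted(rows)

def throttled_clients(rows, **kw):
    """Replay queries in time order; return {client: number of throttled queries}."""
    throttle, out = TunnelThrottle(**kw), defaultdict(int)
    for ts, client, qname, qtype in rows:
        if throttle.check(ts, client, qname, qtype):
            out[client] += 1
    return dict(out)

if __name__ == "__main__":
    print(throttled_clients(sample_queries()))
```

The per-key state kept here is what makes the approach resource-consuming at scale, which matches the cost concern raised in the reply.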