DNS Tunnel Mitigation v2

Problem this snippet solves: (Solution from Pedro Haoa) Due to some people attempt DNS tunneling to pass data frames inside of DNS records to the Internet and the lack of information around her...

JRahm

Admin

Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.

View Profile

JRahm

Admin

Jul 15, 2021

I didn't write the rule, so I can only speculate. But they are using the domain command to take only the last 4 sections of a dotted FQDN to include with the src IP as a key in the table memory for counting queries. I am not sure with the len if that is being set as a control for it actually being legit tunnel traffic, but too much, or if anything less than that size would be illegitimate.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

DNS Tunnel Mitigation v2

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS