DNS Tunnel Mitigation v2
Problem this snippet solves: (Solution from Pedro Haoa) Because some people attempt DNS tunneling to pass data frames inside DNS records out to the Internet, and given the lack of information around her...
Published Jun 19, 2019
Version 1.0

JRahm (Admin, joined January 20, 2005), Jul 15, 2021:
I didn't write the rule, so I can only speculate. But they are using the domain command to take only the last 4 sections of a dotted FQDN to include with the src IP as a key in the table memory for counting queries. I am not sure, with the len, whether that is being set as a control for it actually being legit tunnel traffic but too much, or whether anything less than that size would be illegitimate.
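To make the counting scheme described in the comment concrete, here is an added Python model of it (not the codeshare iRule, and not Tcl): a sliding-window counter keyed by client IP plus the last four labels of the query name, standing in for the iRule table, with a label-length check standing in for the len test. The domain_suffix helper mimics the assumed semantics of the iRule domain command (last N dotted labels), the threshold, window and label-length values are assumptions, and the query records are constructed for the example.

```python
"""Model of per-(client, domain-suffix) DNS query counting, run over
constructed query records. Added example; not the codeshare iRule."""
from collections import defaultdict, deque


def domain_suffix(fqdn: str, count: int) -> str:
    """Mimic of the iRule ``domain <name> <count>`` command (assumed semantics):
    return the last ``count`` dot-separated labels of ``fqdn``."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-count:])


def longest_label(fqdn: str) -> int:
    """Length of the longest label; tunnels pack their payload into long labels."""
    return max(len(label) for label in fqdn.rstrip(".").split("."))


class TunnelMonitor:
    """Sliding-window counter keyed by (client IP, last-4-label suffix),
    standing in for the iRule ``table`` memory the comment describes."""

    def __init__(self, threshold: int = 20, window: int = 60, max_label: int = 32):
        self.threshold = threshold      # queries per window before we act (assumed)
        self.window = window            # window length in seconds (assumed)
        self.max_label = max_label      # label length treated as suspicious (assumed)
        self.seen = defaultdict(deque)  # key -> query timestamps inside the window

    def observe(self, ts: float, src_ip: str, qname: str) -> str:
        """Record one query and return the verdict for it: 'allow' or 'drop'."""
        key = (src_ip, domain_suffix(qname, 4))
        stamps = self.seen[key]
        # Expire timestamps that fell out of the window (the table timeout).
        while stamps and stamps[0] <= ts - self.window:
            stamps.popleft()
        stamps.append(ts)
        # Act only when both indicators fire: a high rate to one suffix AND
        # payload-sized labels. Rate alone also catches busy legitimate resolvers.
        if len(stamps) > self.threshold and longest_label(qname) > self.max_label:
            return "drop"
        return "allow"


def run(records, monitor=None):
    """Feed (ts, src_ip, qname) records through a monitor; return verdicts."""
    monitor = monitor or TunnelMonitor()
    return [(src, domain_suffix(qname, 4), monitor.observe(ts, src, qname))
            for ts, src, qname in records]


# Constructed sample: two ordinary lookups, then a burst of long-label
# subdomains under one suffix from a single client.
SAMPLE_RECORDS = [(0, "10.0.0.5", "www.example.com"),
                  (1, "10.0.0.5", "mail.example.com")] + [
    (t, "10.0.0.9", f"{'a1b2c3d4e5f6' * 3}{t:03d}.x.tun.example.net")
    for t in range(30)]

if __name__ == "__main__":
    verdicts = run(SAMPLE_RECORDS)
    dropped = [(src, suffix) for src, suffix, v in verdicts if v == "drop"]
    print(f"{len(verdicts)} queries, {len(dropped)} dropped; keys: {sorted(set(dropped))}")
```

The model makes the design question in the comment visible: the first twenty long-label queries to x.tun.example.net pass, so the threshold alone is a rate limit rather than a block, and the label-length test is what keeps a busy but legitimate client from being dropped once it crosses the count.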