F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

DNS Tunnel Mitigation v2

Problem this snippet solves: (Solution from Pedro Haoa) Due to some people attempt DNS tunneling to pass data frames inside of DNS records to the Internet and the lack of information around her...

Published Jun 18, 2019

Version 1.0

Admin

Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.

View Profile

JRahm

Admin

Jul 15, 2021

I didn't write the rule, so I can only speculate. But they are using the domain command to take only the last 4 sections of a dotted FQDN to include with the src IP as a key in the table memory for counting queries. I am not sure with the len if that is being set as a control for it actually being legit tunnel traffic, but too much, or if anything less than that size would be illegitimate.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

DNS Tunnel Mitigation v2

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS