DNS Tunneling Protection

Problem this snippet solves:

This snippet helps blocking DNS tunneling that may be observed in modern enterprise networks. There is a Data Group List that allows you to specify DNS domain names that are known to be used for DNS tunneling and you do not want to receive email alerts for them.

There is one known DNS domain used for tunneling - *.mac.sophosxl.net. We saw DNS tunnels from MacBooks with Sophos Antivirus installed.

How to use this snippet:

Just add this iRule to your Virtual Server (VS) that serves as DNS for your clients. This VS must have an DNS profile attached, so you need a BIG-IP DNS license.

Do not forget to add Data Group List, like this

ltm data-group internal DGL-DNS-TUNNEL {
    records {
        mac.sophosxl.net { }
    }
    type string
}

If you need to configure email alerts add this code to /config/user_alert.conf:

alert SECPOL_DNS_TUNNEL "Detected DNS tunneling for (.*)" {
snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.302";
email toaddress="$ALERT_ADDRESS"
fromaddress="$ADC_ADDRESS"
body="Security Policy: Detected DNS tunneling"
}

Replace $ALERT_ADDRESS and $ADC_ADDRESS with appropriate email addresses that are valid in your environment

Code :

when DNS_REQUEST {
    if {[string length [DNS::question name]] > 231} {
        if {[class match [DNS::question name] ends_with DGL-DNS-TUNNEL]} {
            log local0. "Detected possible DNS tunneling for [IP::remote_addr]. Request [DNS::question name] dropped"
        } else {
            log local0. "Detected DNS tunneling for [IP::remote_addr]. Request [DNS::question name] dropped"
        }
        DNS::drop
    }
}

Tested this on version:

13.0
Updated Jun 06, 2023
Version 2.0
  • THi's avatar
    THi
    Icon for Nimbostratus rankNimbostratus

    In the old Devcentral there was an enhanced & more complex iRule to protect against DNS Tunneling: https://devcentral.f5.com/questions/dns-tunneling-mitigation v2 . I cannot find it anymore after the Devcxentral upgrade. Has anyone a copy of the iRule or working link?

  • mfl42's avatar
    mfl42
    Icon for Nimbostratus rankNimbostratus

    https://devcentral.f5.com/s/articles/DNS-Tunnel-Mitigation-v2 ?

     

  • This snippet was published in 2017 year. Jason's article was published in 2019 year. What is the question?