DNS Tunnel Mitigation v2
Published Jun 19, 2019
Version 1.0
And now, in 2023, using ChatGPT as an iRules assistant:
when RULE_INIT {
    # Max DNS queries during the detection period per source IP / destination domain
    set static::maxq 180
    # Detection & blocking period (seconds)
    set static::btime 60
}

when DNS_REQUEST {
    set srcip [IP::remote_addr]
    set qtype [DNS::question type]
    # Keep only the last four labels of the queried name as the "domain"
    set domain [domain [DNS::question name] 4]
    set key "$srcip:$domain"

    # Only oversized queries of a record type listed in the TunnelType data group are counted
    if {[DNS::len] > 512 && [class match $qtype equals TunnelType]} {
        # Classify the domain against the allow / block data groups, then branch on the result
        # (a plain switch on $domain would compare the name literally, so the class match is done first)
        set listing "none"
        if {[class match $domain ends_with Dominios_Lista_Blanca]} {
            set listing "allow"
        } elseif {[class match $domain ends_with Dominios_Lista_Negra]} {
            set listing "block"
        }
        switch $listing {
            "allow" {
                return
            }
            "block" {
                DNS::drop
                return
            }
            default {
                if {[table lookup $key] ne ""} {
                    set count [table incr $key]
                    if {$count > $static::maxq} {
                        DNS::drop
                        return
                    }
                } else {
                    # First counted query for this source/domain pair; the entry expires btime seconds later
                    table add $key 1 indef $static::btime
                }
            }
        }
    }
}
Some of the changes include:
The use of switch for a more concise and readable evaluation of the $domain variable.
Replace static with local variables to improve clarity and reduce redundancy (note that the static:: prefix is still required here: a plain variable set in RULE_INIT is local to that event and is not visible from DNS_REQUEST).
Rename the sourceDom variable to domain for better readability.
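As an added example (not from the original article and not F5 code), here is a stand-alone Python model of the counting logic in the iRule above, so the budget behaviour can be exercised offline: it mimics the `domain` command, the ends_with allow/block lists (Dominios_Lista_Blanca / Dominios_Lista_Negra, filled with constructed sample suffixes), the TunnelType record-type class (assumed contents) and the `table` entry lifetime. The names, data-group contents and sample queries are assumptions chosen for illustration.

```python
# Added example: a stand-alone Python model of the iRule's query budget.
# It is not F5 code; data-group contents and sample traffic are constructed.

# Parameters mirroring RULE_INIT
MAXQ = 180      # max counted queries per (source IP, domain) in one period
BTIME = 60      # detection and blocking period, seconds
MIN_LEN = 512   # only DNS messages longer than this are counted

# Assumed contents of the TunnelType data group (record types that commonly carry tunnel payloads)
TUNNEL_TYPES = {"TXT", "NULL", "CNAME", "MX", "SRV"}
# Assumed contents of Dominios_Lista_Blanca / Dominios_Lista_Negra (ends_with matching)
ALLOW_SUFFIXES = ("trusted.example",)
BLOCK_SUFFIXES = ("bad.example",)


def domain(name, count):
    """Mimic the iRule `domain` command: keep only the last `count` labels."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-count:])


class DnsBudget:
    """Per-(source IP, domain) counter with the same lifetime semantics as
    `table add $key 1 indef $btime`: the entry disappears btime seconds after
    it was created, however often it was incremented in between."""

    def __init__(self, maxq=MAXQ, btime=BTIME):
        self.maxq = maxq
        self.btime = btime
        self.table = {}  # key -> [count, expiry_time]

    def decide(self, now, srcip, qtype, qname, msg_len):
        """Return 'allow' or 'drop' for one query seen at time `now` (seconds)."""
        # Small queries and unlisted record types are never counted
        if msg_len <= MIN_LEN or qtype not in TUNNEL_TYPES:
            return "allow"
        dom = domain(qname, 4)
        if dom.endswith(ALLOW_SUFFIXES):
            return "allow"
        if dom.endswith(BLOCK_SUFFIXES):
            return "drop"
        key = f"{srcip}:{dom}"
        entry = self.table.get(key)
        if entry is not None and entry[1] <= now:
            del self.table[key]  # lifetime expired: start a new period
            entry = None
        if entry is None:
            self.table[key] = [1, now + self.btime]
            return "allow"
        entry[0] += 1
        return "drop" if entry[0] > self.maxq else "allow"


def run_sample(maxq=3, btime=60):
    """Replay constructed traffic through a small budget and return the verdicts."""
    budget = DnsBudget(maxq=maxq, btime=btime)
    # (time, source IP, qtype, qname, message length): constructed sample queries
    sample = [
        (0, "10.0.0.5", "TXT", "c1.s1.tun.example.net", 700),
        (1, "10.0.0.5", "TXT", "c2.s1.tun.example.net", 700),
        (2, "10.0.0.5", "TXT", "c3.s1.tun.example.net", 700),
        (3, "10.0.0.5", "TXT", "c4.s1.tun.example.net", 700),   # 4th > maxq: dropped
        (4, "10.0.0.5", "A",   "c5.s1.tun.example.net", 700),   # type not in TunnelType
        (5, "10.0.0.5", "TXT", "c6.s1.tun.example.net", 100),   # too small to count
        (6, "10.0.0.5", "TXT", "a.b.trusted.example", 700),     # allow-listed suffix
        (7, "10.0.0.5", "TXT", "a.b.bad.example", 700),         # block-listed suffix
        (61, "10.0.0.5", "TXT", "c7.s1.tun.example.net", 700),  # period expired: new count
    ]
    return [budget.decide(*q) for q in sample]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

Two tuning points the model makes visible: because the key is built from the last four labels, an allow- or block-list suffix with more than four labels can never match, and a queried name with fewer than five labels puts its varying leftmost label into the key, so each such query gets its own counter; the label count passed to `domain` should be chosen to fit the zone layout being protected.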
Cheers!