I need to prevent DNS tunneling from being performed through my network, so I am trying to block any DNS packet whose query is greater than 70 characters, based on the paragraph below from an old discussion:
Length of the DNS requests
Let’s think about a common DNS request. Typically it is not that long, like google.com, mail.google.com, company.com, blog.company.com, your company name.com, etc. In our prior example the base64 encoded string was 56 characters long. With a longer username/password the string would be even longer, like 70+ characters. This is quite untypical for a domain name. We can use this characteristic to create a rule.
I have tried to create a custom Sig to block any DNS request greater than 70 characters in length, but the signature does not work properly. Please find the Sig parameters below:
1- I need to block traffic like the attached large DNS.pcap file below (this traffic was captured from the sensor while I was trying to simulate the large DNS packet from my PC toward the 126.96.36.199 DNS server).
2- Please find the attack image created below:
3- And find the large DNS Sig image below:
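To sanity-check what a "query longer than 70 characters" rule actually matches before trusting a sensor signature, here is an added Python example (not from the original post or the sensor vendor) that parses the question section of a raw DNS message from the UDP payload, measures the dotted QNAME, and flags it against the 70-character threshold. The threshold value and the choice to measure the dotted name rather than the wire-format bytes are assumptions for this example.

```python
import struct

# Assumption: the threshold the post wants to enforce, measured on the dotted QNAME.
LENGTH_THRESHOLD = 70


def parse_qname(payload: bytes, offset: int) -> tuple[str, int]:
    """Walk the label sequence starting at `offset`; return (dotted name, next offset).

    Compression pointers (top two bits 0xC0) are not expected in the question
    section of a query, so they are rejected instead of followed."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[offset]
        offset += 1
        if length == 0:                      # root label terminates the name
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset


def dns_query_lengths(payload: bytes) -> list[int]:
    """Return the dotted-name length of every question in a DNS message."""
    if len(payload) < 12:
        raise ValueError("DNS header too short")
    qdcount = struct.unpack("!H", payload[4:6])[0]   # QDCOUNT field of the header
    offset, lengths = 12, []
    for _ in range(qdcount):
        name, offset = parse_qname(payload, offset)
        offset += 4                                   # skip QTYPE and QCLASS
        lengths.append(len(name))
    return lengths


def is_oversized_query(payload: bytes, threshold: int = LENGTH_THRESHOLD) -> bool:
    """True if any question name exceeds the threshold (the rule discussed above)."""
    return any(n > threshold for n in dns_query_lengths(payload))


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A/IN query for `name`; constructed sample input for testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)
```

Feeding the sensor's captured UDP payloads through `is_oversized_query` shows whether the packets in the pcap should have matched, which separates a wrong threshold from a signature that measures a different field.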