0 Replies Latest reply on Jul 16, 2017 6:42 AM by ahmed.sabanaa

    Large apnormal DNS packet Blocking to prevent DNS Tunneling .

    ahmed.sabanaa

      Hi ,

      I need to prevent DNS tunneling to be performed through my Network ,  so I am Trying to block any DNS packet Grater Than 70 Character for the query based on the below paragraph from an old  discussion :

      Length of the DNS requests

      Let’s think about a common DNS request. Typically it is not that long, like google.com, mail.google.com, company.com, blog.company.com, your company name.com, etc. In our prior example the base64 encoded string was 56 characters long. With a longer username/password the string would be even longer, like 70+ characters. This is quite untypical for a domain name. We can use this characteristic to create a rule.

       

      Detecting DNS Tunneling

       

      i have tried to create custom Sig to block any DNS request greater than 70 character in length , but the signature does not work properly , please find the below Sig parameters :

      1- need to block traffic like the attached large DNS.pcap file below (this traffic has been captured from the sensor while i am trying to simulate the large DNS packet from my PC toward 8.8.8.8 DNS server)

      2- Please Find the below Attack Image created :

      LArge DNS Attack Image  .JPG

       

      3- and find the below Large DNS Sig Image :

      large DNS Sig Image .JPG