DNS Tunneling
DNS tunneling attacks involve tunneling another protocol through DNS port 53 for the purpose of data exfiltration. Outbound and inbound data being communicated is encoded into small chunks and fitted into DNS queries and DNS responses.
DNS tunneling detection rules can protect your network from DNS data exfiltration. Some of these rules detect signature-based payload encoding techniques, such as Base32, Base64 and suspicious label lengths, commonly used by tunneling products such as OzymanDNS, SplitBrain, Iodine, DNS2TCP, TCP-Over-DNS, and others. Note that not all tools or all versions of tools can be detected through these signature-based rules.
When possible DNS tunneling traffic matches any of these rules, the appliance drops only the DNS tunneling traffic, based on the configured parameters. All other traffic is processed through subsequent threat protection rules.
The following table lists the system rules used to mitigate DNS tunneling on your advanced appliance. For information about applicable parameters, see Overview of Packet Flow.
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
---|---|---|---|---|---|---|
130000500 | System | RATELIMIT UDP high rate inbound large DNS queries (anti tunneling) | This rule warns if any source IP sends large UDP DNS queries (which could be DNS tunneling attacks) at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks only DNS tunneling traffic from this source IP for the time specified in Drop interval. All other traffic is processed through subsequent rules. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100) Drop interval (default = 5 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
130000600 | System | RATELIMIT TCP high rate inbound large DNS queries (anti-tunneling) | This rule warns if any source IP sends large TCP DNS queries (which could be DNS tunneling attacks) at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks only DNS tunneling traffic from this source IP for the time specified in Drop interval. All other traffic is processed through subsequent rules. This rule is triggered when the DNS Packet size exceeds the configured value. | Disabled by default | Packets per second (default = 100) Drop interval (default = 5 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
200000004 | System | DNS tunneling rate limiting rule | This rule warns if any source IP sends inbound UDP DNS queries that trigger large TXT responses at a rate equal to the Packets per second value. If the rate exceeds this value, the appliance blocks only DNS tunneling traffic from this source IP for the time specified in Drop interval. All other traffic is processed through subsequent rules. This rule is triggered when the size of the TXT records in the DNS responses exceeds the configured DNS Packet size. | Disabled by default | Packets per second (default = 100) Drop interval (default = 5 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) Packet size (default = 200) | Consider tuning Packets per second to a higher value for NATd environments, static forwarders, and VPN concentrators. |
130011100 | System | OzymanDNS / SplitBrain Base32 SSH-2.0 payload over UDP (anti tunneling) | This rule drops Base32-encoded SSH 2.0 payload over UDP traffic, which could be OzymanDNS or SplitBrain DNS tunneling traffic. Subcategory: Known Tunneling Encoding | Disabled by default | N/A | |
130011150 | System | OzymanDNS/ SplitBrain Base32 SSH-2.0 payload over TCP (anti tunneling) | This rule drops Base32-encoded SSH 2.0 payload over TCP traffic, which could be OzymanDNS or SplitBrain DNS tunneling traffic. Subcategory: Known Tunneling Encoding | Disabled by default | N/A | |
130011200 | System | DNS2TCP Base64 SSH-2.0 payload over UDP (anti tunneling) | This rule drops Base64-encoded SSH 2.0 payload over UDP traffic, which could be DNS2TCP DNS tunneling traffic. Subcategory: Known Tunneling Encoding | Disabled by default | N/A | |
130011250 | System | DNS2TCP Base64 SSH-2.0 payload over TCP (anti tunneling) | This rule drops Base64-encoded SSH 2.0 payload over TCP traffic, which could be DNS2TCP DNS tunneling traffic. Subcategory: Known Tunneling Encoding | Disabled by default | N/A | |
130011300 | System | TCP-over-DNS Base32 SSH-2.0 payload over UDP (anti tunneling) | This rule drops Base32-encoded SSH 2.0 payload over UDP traffic, which could be TCP-over-DNS, DNS tunneling traffic. Subcategory: Known Tunneling Encoding | Disabled by default | N/A | |
130011350 | System | TCP-over-DNS Base32 SSH-2.0 payload over TCP (anti tunneling) | This rule drops Base32-encoded SSH 2.0 payload over TCP traffic, which could be TCP-over-DNS, DNS tunneling traffic. Subcategory: Known Tunneling Encoding | Disabled by default | N/A | |
130012100 | System | Multiple 30-byte labels within a domain over UDP (anti tunneling) | This rule drops multiple 30-byte labels within a domain over UDP traffic, which could be DNS tunneling traffic. Subcategory: Suspicious Label Length | Disabled by default | N/A | |
130012150 | System | Multiple 30-byte labels within a domain over TCP (anti tunneling) | This rule drops multiple 30-byte labels within a domain over TCP traffic, which could be DNS tunneling traffic. Subcategory: Suspicious Label Length | Disabled by default | N/A | |
130012200 | System | Multiple 60-byte labels within a domain over UDP (anti tunneling) | This rule drops multiple 60-byte labels within a domain over UDP traffic, which could be DNS tunneling traffic. Subcategory: Suspicious Label Length | Disabled by default | N/A | |
130012250 | System | Multiple 60-byte labels within a domain over TCP (anti tunneling) | This rule drops multiple 60-byte labels within a domain over TCP traffic, which could be DNS tunneling traffic. Subcategory: Suspicious Label Length | Disabled by default | N/A | |
130012300 | System | Multiple 63-byte labels within a domain over UDP (anti tunneling) | This rule drops multiple 63-byte labels within a domain over UDP traffic, which could be DNS tunneling traffic. Subcategory: Suspicious Label Length | Disabled by default | N/A | |
130012350 | System | Multiple 63-byte labels within a domain over TCP (anti tunneling) | This rule drops multiple 63-byte labels within a domain over TCP traffic, which could be DNS tunneling traffic. Subcategory: Suspicious Label Length | Disabled by default | N/A | |
130012400 | System | Two-byte label, followed by multiple 63-byte labels within a domain over UDP (Your Freedom) (anti tunneling) | This rule drops multiple 63-byte labels following a 2-byte label within a domain over UDP traffic, which could be 'Your Freedom' DNS tunneling traffic. Subcategory: Suspicious Label Length | Disabled by default | N/A | |
130012450 | System | Two-byte label, followed by multiple 63-byte labels within a domain over TCP (Your Freedom) (anti tunneling) | This rule drops multiple 63-byte labels following a 2-byte label within a domain over TCP traffic, which could be 'Your Freedom' DNS tunneling traffic. Subcategory: Suspicious Label Length | Disabled by default | N/A | |
130013100 | System | OzymanDNS/ SplitBrain down label over UDP (anti tunneling) | This rule drops OzymanDNS or SplitBrain 'down' request over UDP traffic, which could be DNS tunneling traffic. Subcategory: OzymanDNS/SplitBrain | Disabled by default | N/A | |
130013150 | System | OzymanDNS/SplitBrain down label over TCP (anti tunneling) | This rule drops OzymanDNS or SplitBrain 'down' request over TCP traffic, which could be DNS tunneling traffic. Subcategory: OzymanDNS/SplitBrain | Disabled by default | N/A | |
130013200 | System | OzymanDNS/SplitBrain up label over UDP (anti tunneling) | This rule drops OzymanDNS or SplitBrain 'up' request over UDP traffic, which could be DNS tunneling traffic. Subcategory: OzymanDNS/SplitBrain | Disabled by default | N/A | |
130013250 | System | OzymanDNS/SplitBrain up label over TCP (anti tunneling) | This rule drops OzymanDNS or SplitBrain 'up' request over TCP traffic, which could be DNS tunneling traffic. Subcategory: Iodine | Disabled by default | N/A | |
130013300 | System | Iodine Case Check payload over UDP (anti tunneling) | This rule drops Iodine 'Case Check' request over UDP traffic, which could be DNS tunneling traffic. Subcategory: Iodine | Disabled by default | N/A | |
130013350 | System | Iodine Case Check payload over TCP (anti tunneling) | This rule drops Iodine 'Case Check' request over TCP traffic, which could be DNS tunneling traffic. Subcategory: Iodine | Disabled by default | N/A | |
130013500 | System | DNS2TCP Authorization over UDP (anti tunneling) | This rule drops DNS2TCP authorization request over UDP traffic, which could be DNS tunneling traffic. Subcategory: DNS2TCP | Disabled by default | N/A | |
130013550 | System | DNS2TCP Authorization over TCP (anti tunneling) | This rule drops DNS2TCP authorization request over TCP traffic, which could be DNS tunneling traffic. Subcategory: DNS2TCP | Disabled by default | N/A | |
130013600 | System | DNS2TCP Connection over UDP (anti tunneling) | This rule drops DNS2TCP connection request over UDP traffic, which could be DNS tunneling traffic. Subcategory: DNS2TCP | Disabled by default | N/A | |
130013650 | System | DNS2TCP Connection over TCP (anti tunneling) | This rule drops DNS2TCP connection request over TCP traffic, which could be DNS tunneling traffic. Subcategory: DNS2TCP | Disabled by default | N/A | |
130012500 | System | ETPRO DNS UDP SkullSecurity Encrypted Shell Possible Tunnel 2 | ETPRO DNS UDP SkullSecurity Encrypted Shell Possible Tunnel 2 | Disabled by default | Events per second (default = 1) | |
130012550 | System | ETPRO DNS TCP SkullSecurity Encrypted Shell Possible Tunnel 2 | ETPRO DNS TCP SkullSecurity Encrypted Shell Possible Tunnel 2 | Disabled by default | Events per second (default = 1) | |
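The two mechanisms the table relies on, signature checks on the query name (Base32/Base64-encoded SSH-2.0 payloads, multiple 30/60/63-byte labels, the 'Your Freedom' two-byte-then-63-byte shape) and per-source rate limiting of large queries with a Drop interval, can be illustrated with a small detector. The following is an added example written for this page; it is not the appliance's own code and does not reproduce its rule engine. Its thresholds (two labels counting as "multiple"), the source address `10.0.0.5`, the `t.example` zone, and the query timeline are all constructed for the demonstration.

```python
"""Toy DNS-tunneling detector modelled on two rule families from the table above:
signature checks on query-name labels and a per-source rate limit on large queries.
Added example, not the appliance's implementation; thresholds are assumptions."""
import base64
import binascii
from collections import defaultdict, deque
from typing import Optional

SUSPICIOUS_LABEL_SIZES = (30, 60, 63)  # label sizes the table's signature rules look for
MIN_REPEATS = 2                         # how many such labels count as "multiple" (assumption)


def labels_of(qname: str) -> list:
    """Split a query name into its labels, ignoring the trailing root dot."""
    return [lab for lab in qname.rstrip(".").split(".") if lab]


def suspicious_label_lengths(qname: str) -> list:
    """Return the label-length signatures a query name matches (empty list = clean)."""
    labels = labels_of(qname)
    hits = []
    for size in SUSPICIOUS_LABEL_SIZES:
        if sum(len(lab) == size for lab in labels) >= MIN_REPEATS:
            hits.append(f"multiple {size}-byte labels")
    # 'Your Freedom' shape from the table: a 2-byte label followed by multiple 63-byte labels
    for i, lab in enumerate(labels):
        if len(lab) == 2 and sum(len(x) == 63 for x in labels[i + 1:]) >= MIN_REPEATS:
            hits.append("two-byte label followed by multiple 63-byte labels")
            break
    return hits


def encoded_ssh_banner(label: str) -> Optional[str]:
    """Return 'base32' or 'base64' when a label decodes to an SSH-2.0 banner, else None.
    DNS is case-insensitive and tunnels drop '=' padding, so both are restored first."""
    try:
        if base64.b32decode(label.upper() + "=" * (-len(label) % 8)).startswith(b"SSH-2.0"):
            return "base32"
    except (binascii.Error, ValueError):
        pass
    try:
        if base64.b64decode(label + "=" * (-len(label) % 4), validate=True).startswith(b"SSH-2.0"):
            return "base64"
    except (binascii.Error, ValueError):
        pass
    return None


class LargeQueryRateLimiter:
    """Per-source limit on large DNS queries, using the RATELIMIT rules' parameter names.
    Queries at or below Packet size are never counted and never blocked, so a blocked
    source keeps normal DNS service while only its tunnel-sized queries are dropped."""

    def __init__(self, packets_per_second=100, drop_interval=5.0, packet_size=200):
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self.packet_size = packet_size
        self.window = defaultdict(deque)  # src -> timestamps of large queries in the last second
        self.blocked_until = {}           # src -> time at which its Drop interval ends

    def handle(self, src: str, size: int, now: float) -> str:
        """Return 'pass', 'warn' (rate equals Packets per second) or 'drop' for one query."""
        if size <= self.packet_size:
            return "pass"
        if now < self.blocked_until.get(src, 0.0):
            return "drop"
        seen = self.window[src]
        seen.append(now)
        while seen and seen[0] <= now - 1.0:  # keep a sliding one-second window
            seen.popleft()
        if len(seen) > self.pps:
            self.blocked_until[src] = now + self.drop_interval
            seen.clear()
            return "drop"
        return "warn" if len(seen) == self.pps else "pass"


def run_sample() -> dict:
    """Run the checks over constructed sample queries and return the findings."""
    ssh_b32 = base64.b32encode(b"SSH-2.0-OpenSSH_8.9").decode().rstrip("=").lower()
    ssh_b64 = base64.b64encode(b"SSH-2.0-x").decode().rstrip("=")
    queries = {  # constructed names under a fictitious 't.example' zone
        "plain": "www.example.com.",
        "thirty": "a" * 30 + "." + "b" * 30 + ".t.example.",
        "freedom": "ab." + "c" * 63 + "." + "d" * 63 + ".t.example.",
        "ssh": ssh_b32 + ".t.example.",
    }
    findings = {name: suspicious_label_lengths(q) for name, q in queries.items()}
    findings["ssh_b32"] = encoded_ssh_banner(labels_of(queries["ssh"])[0])
    findings["ssh_b64"] = encoded_ssh_banner(ssh_b64)
    limiter = LargeQueryRateLimiter(packets_per_second=3, drop_interval=5.0, packet_size=200)
    # constructed timeline (seconds, bytes): a burst of large queries, one small query, then a retry
    timeline = [(0.0, 300), (0.1, 300), (0.2, 300), (0.3, 300), (1.0, 300), (1.0, 100), (5.4, 300)]
    findings["verdicts"] = [limiter.handle("10.0.0.5", size, t) for t, size in timeline]
    return findings


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Running the module prints one finding per sample: the plain hostname matches nothing, the label-length samples match their respective signatures, the Base32 label decodes to an SSH-2.0 banner, and the burst from `10.0.0.5` passes twice, warns when the rate reaches Packets per second, is dropped once it exceeds it and for the rest of the Drop interval, while the small query in the middle still passes. The same property the table stresses (only tunnel-sized traffic is dropped, other traffic continues) falls out of the Packet size check being evaluated before the block list; tune `packets_per_second` upward for NAT, forwarder or VPN concentrator sources exactly as the Comments column advises, since a single address there legitimately aggregates many clients.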