Dns tunnel detection/prevention
Fred Morris
m3047 at m3047.net
Sat May 24 01:53:57 UTC 2025
On Fri, 23 May 2025, Grant Taylor via bind-users wrote:
>
> On 5/22/25 9:23 AM, Karol Nowicki via bind-users wrote:
>> Does ISC Bind software by native has any dns tunneling prevention embedded?
>
> I don't think there is anything that I would describe that way. But there
> may be some rate limiting option(s) that you could use to at least cripple
> using DNS queries & replies as a tunnel mechanism.
Yes, exactly. Generally speaking, and it comes with its own constellation
of adversary responses, but failing softly, or failing to brokenness: I
think this is preferable to failing outright.
If you fail in an outright, reproducible, measurable fashion you give your
opponent predictability and confidence. As a defender you want to
undermine that and look like an under-resourced, poorly administered
network that somehow, we don't know exactly how but somehow: it's just
bad luck. There's a crappy network and every time your adversary messes
with it they just have inexplicable bad luck.
The footnotes would be longer than what I've written. File it generally
under "chaos engineering".
Dnstap offers application-level logging (DNS is an application protocol
along with a wire protocol) and you can combine that with e.g. fail2ban
and/or RPZ, or other things if it keeps you up at night and you like
picking the legs off of web spiders.
--
Fred Morris, internet plumber
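Added example, not from the thread or from BIND itself: a small heuristic detector of the kind you could feed from dnstap query logs, whose output is ready to paste into an RPZ zone (CNAME . returns NXDOMAIN). The simplified "client qname qtype" log format, the sample lines, the registered-domain split and the thresholds are all constructed assumptions; adapt parse_records() to real dnstap-read output.

```python
"""Heuristic DNS-tunnel spotter over dnstap-style query logs (added example)."""
from collections import defaultdict
from math import log2

# Constructed sample: ordinary lookups plus a burst of long, high-entropy
# subdomains under one registered domain, the usual tunnel signature.
SAMPLE_LOG = """\
192.0.2.10 www.example.org A
192.0.2.10 mail.example.org MX
192.0.2.11 3f9a1c7e0b2d4a6f8e1c3b5d7a9f0e2c.t.tunnel.example TXT
192.0.2.11 a1b2c3d4e5f60718293a4b5c6d7e8f90.t.tunnel.example TXT
192.0.2.11 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.tunnel.example TXT
192.0.2.11 deadbeefcafef00d0123456789abcdef.t.tunnel.example TXT
192.0.2.12 www.example.org A
"""

def entropy(label):
    """Shannon entropy of a label in bits per character (0 for empty)."""
    n = len(label)
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(c / n * log2(c / n) for c in counts.values()) if n else 0.0

def registered_domain(qname):
    """Last two labels; assumption: no public-suffix list handling here."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def parse_records(text):
    """Yield (client, qname, qtype) from the simplified, constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].lower(), parts[2].upper()

def domain_stats(records):
    """Per registered domain: distinct names, mean entropy and length of the
    leftmost label, and the share of TXT/NULL queries (favoured by tunnels)."""
    seen, ent, ln, txt, total = (defaultdict(set), defaultdict(float),
                                 defaultdict(float), defaultdict(int), defaultdict(int))
    for _client, qname, qtype in records:
        dom, left = registered_domain(qname), qname.split(".")[0]
        seen[dom].add(qname); ent[dom] += entropy(left); ln[dom] += len(left)
        total[dom] += 1; txt[dom] += qtype in ("TXT", "NULL")
    return {d: {"unique": len(seen[d]), "entropy": ent[d] / total[d],
                "label_len": ln[d] / total[d], "txt_share": txt[d] / total[d]}
            for d in total}

def suspicious_domains(records, min_unique=3, min_entropy=3.0, min_len=20):
    """Domains with many distinct names whose leftmost labels look like encoded data."""
    return sorted(d for d, s in domain_stats(records).items()
                  if s["unique"] >= min_unique
                  and (s["entropy"] >= min_entropy or s["label_len"] >= min_len))

def rpz_records(domains):
    """RPZ zone lines that return NXDOMAIN for each domain and everything under it."""
    return [line for d in domains for line in (f"{d} CNAME .", f"*.{d} CNAME .")]
```

Thresholds are deliberately loose; tune them against your own baseline before wiring the output into RPZ or a fail2ban-style action, since CDNs and some mail providers also produce long, distinct labels.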