topic Re: DNS tunneling seems it's not recognized as "tcp-over-dns" in General Topics

DNS tunneling seems it's not recognized as "tcp-over-dns"

TheRealDiz — Tue, 23 Aug 2016 07:46:55 GMT

Since some weeks, we are suspecting DNS Tunneling usage.
We saw a specific "application" being present on applipedia for this kind of action: tcp-over-dns

Applipedia description states:
"DNS Tunneling is a technique to encapsulate any binary data within DNS queries and replies and tunnel it to any remote system and the Internet. There are several tools currently available on the Internet that perform DNS tunneling. This application identifies traffic from the following tools, tcp-over-dns, dns2tcp, Iodine, Heyoka, OzymanDNS, and NSTX."

But on our firewall with PAN-os version 6.0.9 we did not find that application "recognized":

a) from suspected networks we do not find any "tcp-over-dns" reference inside logs (only plain "dns")

b) explicitly testing from a PC behind our firewall with both "dns2tcp" and "Iodine" tools no "tcp-over-dns" reference is recognized

c) in both previous cases we found instead presences about strangely big DNS sessions

Any kind of suggestions related to the functionality from Applipedia "tcp-over-dns" application?

Thanks in advance

Luca

Re: DNS tunneling seems it's not recognized as "tcp-over-dns"

bmorris1 — Tue, 23 Aug 2016 11:57:08 GMT

Hi Luca,

Have you tried updating your apps & threats to make sure it is running on the latest version?

Also as you are seeing only DNS application traffic then it is possible that the firewall is detecting the tunnelled application of DNS after protocol decoding and putting this into the session end app, you could try setting your security rule to log at session start as well and see if there is an initially discovered application of tcp-over-dns. Though watch out on turning this on as it will increasing your logging a fair bit.

If you still have trouble with the firewall not recognising the app then it would be worth opening a support case for further investigation.

hope this helps,

Ben

Re: DNS tunneling seems it's not recognized as "tcp-over-dns"

TheRealDiz — Tue, 23 Aug 2016 14:12:21 GMT

Hi @bmorris1,

We have collected a pcap and we found that there a lot of TYPE NULL queries.

In your opinion is it possible to block this type of query creating a custom-app?

Re: DNS tunneling seems it's not recognized as "tcp-over-dns"

bmorris1 — Tue, 23 Aug 2016 14:37:44 GMT

Hi @TheRealDiz,

Yes I reckon if you create two conditions matching on the contexts of 'dns-req-section' & 'dns-rsp-queries-section' and the pattern of the string 'TYPE: NULL RR' (not 100% sure on the pattern, would need to test) then you could block/identify this traffic.

Check out this doc for more context defintions if you want to increase the conditions in the signature:

https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/58569?attachment-id=1097

hope this helps,

Ben

Re: DNS tunneling seems it's not recognized as "tcp-over-dns"

TheRealDiz — Fri, 26 Aug 2016 07:53:50 GMT

Hi @bmorris1,

Thanks a lot for you response, I have tested better with another panOS and now it's recognized.

Probably this issue is due to panOS version (I have tested with 7.1.4-h2).

Luca