Custom threat signature to detect/block DNS TXT requests.

L1 Bithead

Custom threat signature to detect/block DNS TXT requests.

I'd like some help creating a custom threat signature that would detect/block DNS TXT requests, similar to threat signature ID:34842 which detects DNS ANY Request.

The goal is to disable DNS queries regarding TXT resource records from our LAN to the untrust network. We had an internal security audit done where they were able to tunnel out through DNS TXT records using a custom malware agent. This agent encoded all of its TCP using base64 in proper DNS TXT records. I'd like to be able to block such attacks by detecting DNS TXT requests and blocking them, permitting only our SMTP servers to do such lookups.


Can anyone help me with building the Custom threat signature?

Thanks,

Fred

L4 Transporter

Re: Custom threat signature to detect/block DNS TXT requests.

Hi Fred,

Do you have a packet capture of the DNS TXT request?  That's going to be the first place to start when writing a custom signature.

Thanks,

Jeff

L1 Bithead

Re: Custom threat signature to detect/block DNS TXT requests.

Hi Jeff,

I do have packet captures, but they would only be helpful if I was trying to write a rule matching specific traffic patterns of the payload within the DNS TXT request, which I'm not. Since so many tunneling tools exploit DNS TXT records using different encoding techniques, each would have different patterns, so I'm just looking to create a signature that I can use to detect and block all DNS TXT requests. The signature I'd like to create would be similar to threat signature ID:34842, which detects DNS ANY Request regardless of the payload of the ANY request.

Fred
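As an added example (not from this thread and not the vendor's signature language), the matching logic Fred describes, written in Python: walk the question section of a DNS query and flag TXT lookups (QTYPE 16) from any client that is not an allow-listed SMTP server. The client addresses and sample queries are constructed placeholders.

```python
import struct
from typing import List, Tuple

QTYPE_TXT = 16
# Constructed allow-list: the SMTP servers permitted to issue TXT lookups (hypothetical addresses).
ALLOWED_TXT_CLIENTS = {"10.0.5.25", "10.0.5.26"}


def parse_question_types(payload: bytes) -> List[Tuple[str, int]]:
    """Return (qname, qtype) for every question in a DNS query (UDP payload).

    Only the question section is walked, which is all a 'block TXT requests'
    rule needs; responses (QR bit set) yield no questions to match on.
    """
    if len(payload) < 12:
        raise ValueError("too short for a DNS header")
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000:
        return []  # response, not a query
    pos, questions = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(payload):
                raise ValueError("truncated question name")
            length = payload[pos]
            if length == 0:            # root label ends the name
                pos += 1
                break
            if length & 0xC0 == 0xC0:  # compression pointer: skip it, keep what we have
                pos += 2
                break
            labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
            pos += 1 + length
        if pos + 4 > len(payload):
            raise ValueError("truncated question type/class")
        qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        questions.append((".".join(labels), qtype))
    return questions


def should_block(src_ip: str, payload: bytes) -> bool:
    """Block any TXT query unless the client is an allow-listed SMTP server."""
    if src_ip in ALLOWED_TXT_CLIENTS:
        return False
    return any(qtype == QTYPE_TXT for _, qtype in parse_question_types(payload))


def build_query(qname: str, qtype: int) -> bytes:
    """Constructed sample input: a minimal one-question DNS query (RD set, no answers)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)
```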

L4 Transporter

Re: Custom threat signature to detect/block DNS TXT requests.

Hi Fred,

Have you tried to block the tcp-over-dns application id?  The AppID description says that "This application identifies traffic from the following tools, tcp-over-dns, dns2tcp, Iodine, Heyoka, OzymanDNS, and NSTX."

Jeff

L1 Bithead

Re: Custom threat signature to detect/block DNS TXT requests.

Hi Jeff,

We block that by default, but the technique I described won't get caught by them, as the traffic isn't consistent with what it's looking for to identify those applications.

Fred
