DNS tunneling seems it's not recognized as "tcp-over-dns"

Reply
Highlighted
L4 Transporter

DNS tunneling seems it's not recognized as "tcp-over-dns"


Since some weeks, we are suspecting DNS Tunneling usage.
We saw a specific "application" being present on applipedia for this kind of action: tcp-over-dns

Applipedia description states:
"DNS Tunneling is a technique to encapsulate any binary data within DNS queries and replies and tunnel it to any remote system and the Internet. There are several tools currently available on the Internet that perform DNS tunneling. This application identifies traffic from the following tools, tcp-over-dns, dns2tcp, Iodine, Heyoka, OzymanDNS, and NSTX."

But on our firewall with PAN-os version 6.0.9 we did not find that application "recognized":


a) from suspected networks we do not find any "tcp-over-dns" reference inside logs (only plain "dns")


b) explicitly testing from a PC behind our firewall with both "dns2tcp" and "Iodine" tools no "tcp-over-dns" reference is recognized 


c) in both previous cases we found instead presences about strangely big DNS sessions 

Any kind of suggestions related to the functionality from Applipedia "tcp-over-dns" application?

 

Thanks in advance

Luca

L4 Transporter

Re: DNS tunneling seems it's not recognized as "tcp-over-dns"

Hi Luca,

 

Have you tried updating your apps & threats to make sure it is running on the latest version?

 

Also as you are seeing only DNS application traffic then it is possible that the firewall is detecting the tunnelled application of DNS after protocol decoding and putting this into the session end app, you could try setting your security rule to log at session start as well and see if there is an initially discovered application of tcp-over-dns. Though watch out on turning this on as it will increasing your logging a fair bit.

 

If you still have trouble with the firewall not recognising the app then it would be worth opening a support case for further investigation.

 

hope this helps,

Ben

L4 Transporter

Re: DNS tunneling seems it's not recognized as "tcp-over-dns"

Hi @bmorris1,

 

We have collected a pcap and we found that there a lot of TYPE NULL queries.

In your opinion is it possible to block this type of query creating a custom-app?

 

Query_Type_NULL.JPG

L4 Transporter

Re: DNS tunneling seems it's not recognized as "tcp-over-dns"

Hi @TheRealDiz,

 

Yes I reckon if you create two conditions matching on the contexts of 'dns-req-section' & 'dns-rsp-queries-section' and the pattern of the string 'TYPE: NULL RR' (not 100% sure on the pattern, would need to test) then you could block/identify this traffic.

 

Check out this doc for more context defintions if you want to increase the conditions in the signature:

 

https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/5...

 

hope this helps,

Ben

L4 Transporter

Re: DNS tunneling seems it's not recognized as "tcp-over-dns"

Hi @bmorris1,

 

Thanks a lot for you response, I have tested better with another panOS and now it's recognized.

Probably this issue is due to panOS version (I have tested with 7.1.4-h2).

 

BR

Luca

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!