How to detect DNS TXT messages

L1 Bithead

How to detect DNS TXT messages

Is it possible to detect, and furthermore block, DNS TXT messages via a Threat Signature?

The goal is to disable DNS Queries regarding TXT resource records.

Not sure if the context dns-req-section does the job...

Did anyone ever try this?

Thanks!

Stefan
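For anyone trying to write such a generic signature, the thing it has to match is not a particular domain but the QTYPE/QCLASS field that follows QNAME in the question section (TXT is type 16, so for class IN the four bytes right after the name terminator are 00 10 00 01). The following Python is an added example, not code from the thread or from Palo Alto Networks: it parses a DNS query the way a detector would have to, walks the QNAME labels so the type field is read at the correct offset rather than by scanning for a byte pattern, and only flags queries (QR=0), not responses. Whether and how a dns-req-section custom signature exposes those bytes is an assumption to confirm against the PAN-OS custom-signature documentation; the sample packets are constructed inline, not captured traffic.

```python
import struct

# RR type/class codes from RFC 1035 (only the ones this example needs).
QTYPE_A = 1
QTYPE_TXT = 16
QCLASS_IN = 1


def parse_qname(msg: bytes, offset: int):
    """Walk the length-prefixed labels of a QNAME starting at offset.

    Returns (dotted_name, offset_after_terminator). A client query's
    question section must not use compression pointers (top bits 11), so
    they are rejected rather than followed.
    """
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[offset]
        offset += 1
        if length == 0:  # root label terminates the name
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question QNAME")
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset


def parse_dns_question(msg: bytes) -> dict:
    """Parse the header and first question of a DNS message.

    Assumes a UDP payload; DNS over TCP carries a 2-byte length prefix
    that would have to be stripped first.
    """
    if len(msg) < 12:
        raise ValueError("DNS header too short")
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = parse_qname(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {
        "id": tid,
        "is_query": not (flags & 0x8000),  # QR bit clear => query
        "qname": qname,
        "qtype": qtype,
        "qclass": qclass,
    }


def question_tail_hex(msg: bytes) -> str:
    """Hex of the QTYPE+QCLASS bytes after QNAME: what a byte-pattern
    signature on the request section would need to match (00100001 for TXT/IN)."""
    _name, off = parse_qname(msg, 12)
    return msg[off:off + 4].hex()


def is_txt_query(msg: bytes) -> bool:
    """True only for a well-formed *query* whose first question asks for TXT/IN."""
    try:
        q = parse_dns_question(msg)
    except ValueError:
        return False
    return q["is_query"] and q["qtype"] == QTYPE_TXT and q["qclass"] == QCLASS_IN


def build_query(name: str, qtype: int, tid: int = 0x1234) -> bytes:
    """Build a minimal recursion-desired query (constructed sample input)."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


# Constructed samples: a TXT lookup, an ordinary A lookup, and the TXT
# lookup with the QR bit set so it looks like a server response.
TXT_QUERY = build_query("example.com", QTYPE_TXT)
A_QUERY = build_query("example.com", QTYPE_A)
_resp = bytearray(TXT_QUERY)
_resp[2] |= 0x80
TXT_RESPONSE = bytes(_resp)

if __name__ == "__main__":
    for label, pkt in (("TXT query", TXT_QUERY), ("A query", A_QUERY), ("TXT response", TXT_RESPONSE)):
        print(f"{label:13s} tail={question_tail_hex(pkt)} flagged={is_txt_query(pkt)}")
```

Note the design choice: walking the labels means a stray 00 10 00 01 inside a hostname label, or the same bytes in a response, does not trigger, which a plain pattern match on the packet could not guarantee.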

L4 Transporter

Re: How to detect DNS TXT messages

Hi Stefan,

You should be able to block it.

I was able to find this vulnerability signature in the threat DB: Threat ID 31941, CVE-2008-2469

https://threatvault.paloaltonetworks.com/

[Attached screenshot: dns-txt.PNG]

Let me know if that helps.

Regards

Parth

L1 Bithead

Re: How to detect DNS TXT messages

Thanks for the quick reply! Unfortunately, this signature is not a generic TXT signature but rather addresses a specific threat which works by means of TXT records. Or at least that's my experience, otherwise I would have seen it in the threat logs.

Nevertheless, while this signature does not match, chances are that there is the possibility to write a generic signature.

BR

Stefan

L6 Presenter

Re: How to detect DNS TXT messages

I think Parth meant that since there is a signature regarding DNS TXT, you should be able to create a custom one as well.

L4 Transporter

Re: How to detect DNS TXT messages

Correct. Custom threat signatures can be created.

Or if you think the firewall did not capture a valid threat, you can submit a pcap from the client PC and the related traffic logs by opening a support ticket and we can hand it over to threat team for validation.

Regards

Parth

L1 Bithead

Re: How to detect DNS TXT messages

I see, makes sense... I prefer a generic solution which effectively matches all DNS TXT messages, no specific threat as such. If it helps, I can still submit a capture though.

In order to create a custom signature, do you have a working signature already or shall I submit a new case via support?

thanks,

S

L4 Transporter

Re: How to detect DNS TXT messages

Stefan,

Support would not be able to assist you with the creation of custom signatures.

In order to build a signature, I would highly recommend you put your requests/inputs to dev-center of Palo Alto Networks.

https://live.paloaltonetworks.com/community/devcenter

When you think the traffic passing through the firewall is a threat and the threat signatures are not triggered that is when you want to contact support with the pcaps and other relevant data.

Regards

L6 Presenter

Re: How to detect DNS TXT messages

However you should be able to contact local support (the company you bought the PA stuff from) or your sales engineer at PA to get assisted.
