DNS tunneling seems it's not recognized as "tcp-over-dns"

cancel
Showing results for 
Search instead for 
Did you mean: 

DNS tunneling seems it's not recognized as "tcp-over-dns"

L4 Transporter


Since some weeks, we are suspecting DNS Tunneling usage.
We saw a specific "application" being present on applipedia for this kind of action: tcp-over-dns

Applipedia description states:
"DNS Tunneling is a technique to encapsulate any binary data within DNS queries and replies and tunnel it to any remote system and the Internet. There are several tools currently available on the Internet that perform DNS tunneling. This application identifies traffic from the following tools, tcp-over-dns, dns2tcp, Iodine, Heyoka, OzymanDNS, and NSTX."

But on our firewall with PAN-os version 6.0.9 we did not find that application "recognized":


a) from suspected networks we do not find any "tcp-over-dns" reference inside logs (only plain "dns")


b) explicitly testing from a PC behind our firewall with both "dns2tcp" and "Iodine" tools no "tcp-over-dns" reference is recognized 


c) in both previous cases we found instead presences about strangely big DNS sessions 

Any kind of suggestions related to the functionality from Applipedia "tcp-over-dns" application?

 

Thanks in advance

Luca

4 REPLIES 4

L4 Transporter

Hi Luca,

 

Have you tried updating your apps & threats to make sure it is running on the latest version?

 

Also as you are seeing only DNS application traffic then it is possible that the firewall is detecting the tunnelled application of DNS after protocol decoding and putting this into the session end app, you could try setting your security rule to log at session start as well and see if there is an initially discovered application of tcp-over-dns. Though watch out on turning this on as it will increasing your logging a fair bit.

 

If you still have trouble with the firewall not recognising the app then it would be worth opening a support case for further investigation.

 

hope this helps,

Ben

Hi @bmorris1,

 

We have collected a pcap and we found that there a lot of TYPE NULL queries.

In your opinion is it possible to block this type of query creating a custom-app?

 

Query_Type_NULL.JPG

Hi @TheRealDiz,

 

Yes I reckon if you create two conditions matching on the contexts of 'dns-req-section' & 'dns-rsp-queries-section' and the pattern of the string 'TYPE: NULL RR' (not 100% sure on the pattern, would need to test) then you could block/identify this traffic.

 

Check out this doc for more context defintions if you want to increase the conditions in the signature:

 

https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/5...

 

hope this helps,

Ben

Hi @bmorris1,

 

Thanks a lot for you response, I have tested better with another panOS and now it's recognized.

Probably this issue is due to panOS version (I have tested with 7.1.4-h2).

 

BR

Luca

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!