DNS TXT records, use and implications of blocking?

L4 Transporter

In the recent past my organization was hit with a relatively new DNS Amplification attack which uses a botnet hosting DNS services with a specifically crafted DNS TXT record.  The spoofed requests specifically requested this record hosted on the botnet.  After investigating I found articles online of the attack being used but with different TXT records.

My question is this: are DNS TXT records used legitimately in practice over the internet, and what could be the implications of blocking requests/replies for TXT records altogether?

Thanks for any insight you can provide.

2 REPLIES

L7 Applicator

Yes, there are valid DNS TXT records. The most common would be the SPF records for SMTP services. These are used to help prevent some types of spam bots by identifying the valid SMTP outbound servers in a domain.

Your better approach may be to see which DNS Amplification signatures the attacks are hitting and change the threat id responses from default alert to a block action.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L2 Linker

Since amplification attacks are typically fragmented UDP packets, one option would be to enable zone protection on your Internet facing interface(s). Selecting 'Fragmented Traffic' and/or configuring UDP flood parameters in a zone protection profile and applying it to these interfaces will drop UDP DNS fragments commonly used in amp attacks. I don't recommend using this profile internally unless you've determined whether your own DNS implementations are configured correctly.

This avoids having to block a specific record type altogether while still dropping the attack traffic. It will also drop UDP responses from resolvers that are not configured to truncate responses 512+ bytes and resume over TCP.
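To make the two points above concrete (a legitimate SPF TXT answer is small, while a large TXT answer is only safe over UDP if the resolver sets TC and lets the client retry over TCP), here is an added example that is not from the thread or from Palo Alto. It builds a DNS TXT query and reply in wire format, computes the response-to-query size ratio, and checks the TC bit; `example.com` and the packets are constructed, not captured traffic.

```python
import struct

UDP_LIMIT = 512           # classic DNS-over-UDP payload limit (no EDNS0)
TC_FLAG = 0x0200          # "truncated" bit in the DNS header flags
QTYPE_TXT = 16

def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name: str, qtype: int = QTYPE_TXT, txid: int = 0x1234) -> bytes:
    """Minimal UDP DNS query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_txt_response(name: str, strings: list, txid: int = 0x1234,
                       truncate: bool = True) -> bytes:
    """Answer with one TXT RR per string (each <= 255 chars). A resolver that
    behaves as the reply above expects sets TC and drops the answers when the
    reply would exceed UDP_LIMIT; truncate=False models one that does not."""
    question = encode_name(name) + struct.pack("!HH", QTYPE_TXT, 1)
    answers = b""
    for s in strings:
        rdata = bytes([len(s)]) + s.encode()          # one <character-string>
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 300, len(rdata)) + rdata
    flags = 0x8180                                    # QR, RD, RA
    full = struct.pack("!HHHHHH", txid, flags, 1, len(strings), 0, 0) + question + answers
    if truncate and len(full) > UDP_LIMIT:
        return struct.pack("!HHHHHH", txid, flags | TC_FLAG, 1, 0, 0, 0) + question
    return full

def analyze(query: bytes, response: bytes) -> dict:
    """Size ratio and TC check: the two things worth logging per TXT answer."""
    flags = struct.unpack("!H", response[2:4])[0]
    tc_set = bool(flags & TC_FLAG)
    oversized = len(response) > UDP_LIMIT
    if tc_set:
        finding = "truncated; client should retry over TCP"
    elif oversized:
        finding = "oversized UDP reply without TC bit"
    else:
        finding = "ok"
    return {"query_len": len(query), "response_len": len(response),
            "amplification": round(len(response) / len(query), 1),
            "tc_set": tc_set, "exceeds_udp_limit": oversized, "finding": finding}

if __name__ == "__main__":
    q = build_query("example.com")                    # constructed sample name
    print(analyze(q, build_txt_response("example.com", ["v=spf1 mx -all"])))
    print(analyze(q, build_txt_response("example.com", ["x" * 200] * 3, truncate=False)))
```

The SPF answer comes out at roughly 2x the query size, while three 200-byte TXT strings without truncation give a ratio above 20, which is the kind of record an amplification botnet would host.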
