Seeing DNS Tunnel traffic to/from our Public Ranges?


L1 Bithead

Hello,

This past week I've started seeing traffic that's classified as Tunneling:isavscan.[tld] (threat type: dns-c2, ThreatID: 109001001) hitting our Outside intrazone rule where the source and destination are our public ARIN IPs (the rule is currently set to allow while I make sure I have all the traffic we need like BGP and IPSec allowed in other rules). Even more strange, the traffic always seems to be going to the next adjacent IP (so from 1.1.1.1 -> 1.1.1.2, or 1.1.1.200 -> 1.1.1.199), and it's even involving IPs that we don't currently have NATed to anything.


My only guess is some kind of reflection attack, but it's been really low volume, 84 sessions since 3/31. Has anyone seen something like this before? Any thoughts on what attack strategy could be at play, or if there's anything I should do? 


Here's a sample of the threat logs:

[Screenshot: public to public DNS tunnel.PNG]
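The pattern described in the post (threat ID 109001001 between two of our own public IPs, usually next-door addresses, sometimes on IPs with nothing behind them) is easy to surface from the threat log before deciding on a rule change. The script below is an added example, not part of the original thread or any Palo Alto tool: it parses a constructed, simplified CSV rendering of threat-log lines (not the real PAN-OS export format) and flags sessions where source and destination both fall in our public ranges, whether the two addresses are adjacent, and whether either side is an IP we have not NATed to anything. The ranges and the NAT list are placeholders in RFC 5737 documentation space.

```python
import ipaddress
from collections import Counter

# Constructed sample threat-log lines (not real logs); columns:
# time,src,dst,rule,threat,threat_id,action
SAMPLE_THREAT_LOG = """\
2024/04/01 09:12:04,203.0.113.10,203.0.113.11,Outside-intrazone,Tunneling:isavscan,109001001,allow
2024/04/01 09:14:31,203.0.113.200,203.0.113.199,Outside-intrazone,Tunneling:isavscan,109001001,allow
2024/04/01 09:20:15,198.51.100.7,203.0.113.25,Inbound-web,Tunneling:isavscan,109001001,drop
2024/04/01 09:22:42,203.0.113.42,203.0.113.90,Outside-intrazone,Tunneling:isavscan,109001001,allow
2024/04/02 11:03:09,203.0.113.55,203.0.113.56,Outside-intrazone,Tunneling:isavscan,109001001,allow
"""

# Placeholder for the organisation's own public prefixes (assumption).
OUR_PUBLIC_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Placeholder: the public IPs that actually have a NAT/service behind them.
NATED_IPS = {ipaddress.ip_address(a) for a in ("203.0.113.10", "203.0.113.25", "203.0.113.200")}


def parse_threat_log(text):
    """Turn the CSV lines into dicts with parsed IP addresses."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, rule, threat, tid, action = line.split(",")
        records.append({
            "ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "rule": rule, "threat": threat, "threat_id": int(tid), "action": action,
        })
    return records


def is_ours(ip):
    return any(ip in net for net in OUR_PUBLIC_RANGES)


def find_public_to_public(records, threat_id=109001001):
    """Keep only hits for the given threat ID where both ends are our public IPs,
    annotating adjacency (numerically neighbouring addresses) and unused IPs."""
    hits = []
    for r in records:
        if r["threat_id"] != threat_id or not (is_ours(r["src"]) and is_ours(r["dst"])):
            continue
        hits.append({
            **r,
            "adjacent": abs(int(r["src"]) - int(r["dst"])) == 1,
            "src_unused": r["src"] not in NATED_IPS,
            "dst_unused": r["dst"] not in NATED_IPS,
        })
    return hits


def summarize(hits):
    """Counts a reviewer would want at a glance before changing policy."""
    return {
        "total": len(hits),
        "adjacent": sum(1 for h in hits if h["adjacent"]),
        "involving_unused_ip": sum(1 for h in hits if h["src_unused"] or h["dst_unused"]),
        "actions": dict(Counter(h["action"] for h in hits)),
    }


if __name__ == "__main__":
    found = find_public_to_public(parse_threat_log(SAMPLE_THREAT_LOG))
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['dst']} adjacent={h['adjacent']} "
              f"unused={h['src_unused'] or h['dst_unused']} action={h['action']}")
    print(summarize(found))
```

Running it over the sample shows what the poster saw: every public-to-public hit is currently allowed by the intrazone rule, most pairs are adjacent, and the unused-IP flag makes it clear the traffic cannot be a host of ours talking out. The summary is what to compare before and after the blocking rule goes in.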

Cyber Elite

Hello,

If you are not hosting any services that need an inbound NAT, I would recommend you block/drop all external traffic. I always have a DENY ALL policy as my last policy that blocks any any any traffic. This would also block the traffic you are seeing.


Hope that makes sense.


Regards,

Thanks, but we do host many externally available services. I am working on blocking all unspecified Outside-Untrust to Outside-Untrust traffic which, as you say, will block this traffic too, but am making sure I do so without affecting BGP/IPSec/VPN in the process. I was more curious what this strange traffic could indicate. C2 would imply we have compromised hosts, but if that was the case the source IP would be one of our internal IPs, not external. It also doesn't account for why some of our unused external IPs were also taking part.

Cyber Elite

Hello,

First put into place policies that allow the traffic you want to see, BGP/IPSec/VPN (source and destination). Then once you see those policies start to be hit for the traffic you want, then put in the blocking policy.


If the traffic was sourced from external and its destination is external, then I doubt it's an internal C2, since the traffic would then be sourced from inside. Looks like a scan from the threat info.


Regards,
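The ordering advice in this reply (explicit allows for BGP/IPSec/VPN first, watch them accumulate hits, then add the block) can be checked on paper before touching the firewall. The following is an added example, not from the thread and not PAN-OS syntax: a small first-match policy evaluator with a rule table modelled on that advice, run over constructed sessions that include the adjacent public-to-public DNS traffic. All addresses are RFC 5737 placeholders for the poster's ARIN range, BGP peer, VPN endpoint and a hosted web service, and the rule model (source/destination prefix plus a set of protocol/port services) is a deliberate simplification.

```python
import ipaddress
from collections import Counter

# Placeholder addresses (RFC 5737 documentation space).
OUR_PUBLIC = ipaddress.ip_network("203.0.113.0/24")
BGP_PEER = ipaddress.ip_network("192.0.2.1/32")
OUR_ROUTER = ipaddress.ip_network("203.0.113.1/32")
VPN_ENDPOINT = ipaddress.ip_network("203.0.113.2/32")
WEB_SERVER = ipaddress.ip_network("203.0.113.25/32")
ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_SERVICE = None  # sentinel: rule matches every protocol/port

# Ordered policy table, first match wins: explicit allows for control-plane
# traffic and hosted services first, the public-to-public deny next, and a
# catch-all deny last (the DENY ALL from the first reply).
POLICY = [
    {"name": "allow-bgp", "src": BGP_PEER, "dst": OUR_ROUTER,
     "services": {("tcp", 179)}, "action": "allow"},
    {"name": "allow-ipsec", "src": ANY_NET, "dst": VPN_ENDPOINT,
     "services": {("udp", 500), ("udp", 4500), ("esp", None)}, "action": "allow"},
    {"name": "allow-inbound-web", "src": ANY_NET, "dst": WEB_SERVER,
     "services": {("tcp", 443)}, "action": "allow"},
    {"name": "deny-outside-to-outside", "src": OUR_PUBLIC, "dst": OUR_PUBLIC,
     "services": ANY_SERVICE, "action": "deny"},
    {"name": "deny-all", "src": ANY_NET, "dst": ANY_NET,
     "services": ANY_SERVICE, "action": "deny"},
]


def make_session(src, dst, proto, dport=None):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}


# Constructed sessions: legitimate control-plane and service traffic plus the
# adjacent-IP DNS-tunnel hits described in the thread.
SAMPLE_SESSIONS = [
    make_session("192.0.2.1", "203.0.113.1", "tcp", 179),      # BGP from peer
    make_session("198.51.100.9", "203.0.113.2", "udp", 500),   # IKE to VPN endpoint
    make_session("198.51.100.9", "203.0.113.2", "esp"),        # ESP to VPN endpoint
    make_session("203.0.113.10", "203.0.113.11", "udp", 53),   # public -> adjacent public
    make_session("203.0.113.200", "203.0.113.199", "udp", 53), # public -> adjacent public
    make_session("198.51.100.9", "203.0.113.25", "tcp", 443),  # inbound HTTPS
    make_session("198.51.100.9", "203.0.113.77", "tcp", 22),   # unsolicited SSH
]


def service_matches(rule, sess):
    if rule["services"] is ANY_SERVICE:
        return True
    # (proto, None) in the rule means "any port" for that protocol, e.g. ESP.
    return ((sess["proto"], sess["dport"]) in rule["services"]
            or (sess["proto"], None) in rule["services"])


def first_match(policy, sess):
    """Name of the first rule that matches, evaluated top-down."""
    for rule in policy:
        if (sess["src"] in rule["src"] and sess["dst"] in rule["dst"]
                and service_matches(rule, sess)):
            return rule["name"]
    return None  # no match; a real firewall applies its implicit default here


def evaluate(policy, sessions):
    return [first_match(policy, s) for s in sessions]


def rule_hits(policy, sessions):
    """Per-rule hit counter: the 'see those policies start to be hit' check."""
    return Counter(evaluate(policy, sessions))


def unhit_allow_rules(policy, sessions):
    """Allow rules no observed session has matched yet. While this list is
    non-empty, adding the blocking rule risks cutting off traffic you need."""
    hits = rule_hits(policy, sessions)
    return [r["name"] for r in policy if r["action"] == "allow" and hits[r["name"]] == 0]


if __name__ == "__main__":
    for sess, name in zip(SAMPLE_SESSIONS, evaluate(POLICY, SAMPLE_SESSIONS)):
        print(f"{sess['src']} -> {sess['dst']} {sess['proto']}/{sess['dport']}: {name}")
    print("unhit allow rules:", unhit_allow_rules(POLICY, SAMPLE_SESSIONS))
```

With the full sample, every allow rule records hits and both adjacent-IP DNS sessions land on the public-to-public deny, which is the state you want to see before committing the block. Feed it only the sessions observed so far (say, just the BGP one) and `unhit_allow_rules` lists the allows that have not yet proven themselves, which is the reply's reason for waiting.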
