To prevent data exfiltration from the server network in case of a possible compromise, I'd like to prevent DNS tunneling for this network. Currently, I use "unbound DNS" as a local resolver. Compared to the local networks, the server network only needs a handful of hostnames to resolve.
As far as I know, Unbound does not support black/whitelisting on an interface basis. So, I plan to use "Bind" as a filtering DNS forwarder in front of Unbound to filter DNS requests of the server network. Perhaps Bind can completely replace Unbound in the future. But at first, I don't want to replace Unbound.
Before starting, I'd like to get your ideas for preventing DNS tunneling. Thanks.
Does nobody have an idea, or has nobody dealt with DNS tunneling?
You can configure BIND with local master zones. You can configure BIND with different ACLs for non-recursive and recursive queries.
Looks to me like that would do the job. But then I never worried about DNS tunneling. If I have an RCE on one of my servers, there are more important things to take care of.
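The approach from the previous answer (local master zones plus separate ACLs for recursive and non-recursive queries), written out as an added BIND named.conf example. This is not configuration from the thread or from any plugin; the networks, addresses, the Unbound port and the zone name are assumptions chosen for illustration:

```conf
// Added example, not from the original thread. Addresses, networks, the
// zone name and the Unbound port are assumed for illustration.
//
// Idea: the server network may only resolve the handful of names it needs.
// Those names live in local master zones that BIND answers authoritatively.
// Recursion (and therefore forwarding to Unbound and the internet) is denied
// to the server network, so queries for arbitrary attacker-controlled names
// never leave BIND, which is what a DNS tunnel relies on.

acl "servernet" { 192.0.2.0/24; };     // assumed: the server network
acl "lannet"    { 192.168.1.0/24; };   // assumed: the client LAN
acl "localhost_only" { 127.0.0.1; };

options {
    directory "/var/cache/bind";
    listen-on { 192.0.2.1; 192.168.1.1; };   // assumed interface addresses
    listen-on-v6 { none; };

    // Everyone on both networks may ask; only the LAN may ask recursively.
    // A query from the server network for a name outside the local zones
    // is refused instead of being forwarded.
    allow-query { servernet; lannet; localhost_only; };
    allow-recursion { lannet; localhost_only; };
    allow-query-cache { lannet; localhost_only; };

    // Recursive queries (LAN only) go to Unbound behind BIND.
    forwarders { 127.0.0.1 port 5353; };     // assumed Unbound port
    forward only;

    // No root hint zone is configured, so non-recursive clients do not even
    // get a referral to the root servers.
};

// The names the servers need, answered locally from a zone file.
// Assumed zone name and file path; the file holds the SOA/NS records plus
// the A/AAAA records for the permitted hosts.
zone "allowed.example.net" {
    type master;
    file "/etc/bind/db.allowed.example.net";
    allow-query { servernet; lannet; };
};
```

Two caveats for this setup. First, BIND only filters what reaches it: the server network's firewall still has to block outbound UDP/TCP 53 (and 853 for DNS over TLS) to anything other than BIND's address, or a compromised host simply talks to an external resolver directly. Second, a per-interface `view` would let the LAN keep normal recursion while the server network sees only the local zones, but the plain `allow-recursion` ACL above already covers the case described in the thread.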
Thanks, I'll try that.
Of course one should be concerned if the server experiences an RCE. It's a second line of defense and should prevent exfiltration of data to a malicious remote endpoint on the internet. Maybe IDS/IPS is the better solution. In fact, I haven't checked out Suricata and its properties as a possible solution yet.
I meant when and how would a server try to perform DNS tunneling if there isn't an RCE first? There are no interactive user accounts on servers with Internet facing applications here - apart from admins. And I trust them.
The scenario I have outlined is a compromise of the server, either through an RCE or another possibility with the introduction of malware (e.g. compromised update server for distributing software updates).
The first steps look promising, even if the recursion regarding DNS queries is not yet running smoothly.
However, I found some bugs in the plugin:
- Disabled or removed master zones leave orphaned zone files in the file system
- Disabling entries (records) in master zones has no effect