Prevent DNS-Tunneling

Started by schnipp, January 30, 2023, 09:42:50 PM

To prevent data exfiltration from the server network in case of possible compromise I'd like to prevent DNS tunneling for this network. Actually, I use "unbound DNS" as a local resolver. Compared to the local networks the server network only needs a handful of hostnames to resolve.

As far as I know Unbound does not support black/whitelisting on an interface basis. So, I plan to use "Bind" as a filtering DNS forwarder in front of Unbound to filter DNS requests of the server network. Perhaps, Bind can completely replace unbound in the future. But at first, I don't want to replace Unbound.

Before starting, I'd like to get your ideas for preventing DNS tunneling. Thanks.
OPNsense 24.7.11_2-amd64

Does nobody have an idea, or has nobody dealt with DNS tunneling?
OPNsense 24.7.11_2-amd64

You can configure BIND with local master zones. You can configure BIND with different ACLs for non-recursive and recursive queries.

Looks to me like that would do the job. But then I never worried about DNS tunneling. If I have an RCE on one of my servers there are more important things to take care of.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
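As an added illustration of the approach suggested in the reply above (local master zones plus per-client ACLs), here is a hand-written BIND `named.conf` fragment. It is not from the thread, the OPNsense os-bind plugin, or its generated configuration; the addresses, zone name, file path and Unbound port are assumptions. It uses two views: the server network gets an authoritative-only view with recursion denied and a single static zone, so any name outside that zone is answered with REFUSED instead of being looked up upstream; the other LANs get a normal recursive view forwarded to Unbound.

```conf
// Added example, not the plugin's configuration. All ranges, names and
// paths below are assumptions chosen for illustration.

acl "servernet" { 192.0.2.0/24; };      // assumed server network
acl "lannet"    { 198.51.100.0/24; };   // assumed client LANs

options {
    listen-on { 192.0.2.1; 198.51.100.1; };
    allow-query { servernet; lannet; };
    // Safe global default; the views below decide recursion per client.
    recursion no;
};

// Server network: authoritative only. No recursion and no forwarders,
// so a query for anything outside the listed zone never leaves this host
// and there is no upstream channel for tunnelled data.
view "servers" {
    match-clients { servernet; };
    recursion no;
    allow-recursion { none; };

    // The handful of hostnames the servers legitimately need, served from
    // static records in an ordinary zone file (SOA, NS, A records).
    zone "allowed.example" {
        type master;
        file "/usr/local/etc/namedb/master/allowed.example.db";
    };
};

// Other LANs: regular recursive service, handed to Unbound, which is
// assumed to listen on 127.0.0.1 port 5353.
view "clients" {
    match-clients { lannet; };
    recursion yes;
    allow-recursion { lannet; };
    forward only;
    forwarders { 127.0.0.1 port 5353; };
};
```

After loading the configuration, a query from the server network for a name inside `allowed.example` should return the static record, and a query for any other name should come back REFUSED (check both with `dig` from a host in that range). The ACLs only constrain clients that actually use this resolver, so a matching firewall rule that restricts outbound UDP/TCP 53 (and DNS over TLS/HTTPS ports) from the server network to the resolver itself is what stops a compromised host from talking to an external DNS server directly.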

Thanks, I'll try that.

Of course one should be concerned if the server experiences an RCE. It's a second line of defense and should prevent exfiltration of data to a malicious remote endpoint on the internet. Maybe IDS/IPS is the better solution. In fact, I haven't checked out Suricata and its properties as a possible solution yet.
OPNsense 24.7.11_2-amd64

I meant when and how would a server try to perform DNS tunneling if there isn't an RCE first? There are no interactive user accounts on servers with Internet facing applications here - apart from admins. And I trust them.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

February 05, 2023, 07:32:26 PM #5 Last Edit: February 05, 2023, 07:34:53 PM by schnipp
The scenario I have outlined is a compromise of the server, either through an RCE or another possibility with the introduction of malware (e.g. compromised update server for distributing software updates).

The first steps look promising, even if the recursion regarding DNS queries is not yet running smoothly.

However, I found some bugs in the plugin.

  • Disabled or removed master zones leave orphaned zone files in the file system
  • Disabling entries (records) in master zones has no effect
OPNsense 24.7.11_2-amd64