OPNsense Forum » English Forums » General Discussion
Topic: Prevent DNS-Tunneling (Read 1429 times)
schnipp
Sr. Member
Posts: 371
Karma: 19
Prevent DNS-Tunneling « on: January 30, 2023, 09:42:50 pm »
To prevent data exfiltration from the server network in case of possible compromise I'd like to prevent DNS tunneling for this network. Actually, I use "unbound DNS" as a local resolver. Compared to the local networks the server network only needs a handful of hostnames to resolve.
As far as I know Unbound does not support black/whitelisting on an interface basis. So, I plan to use "Bind" as a filtering DNS forwarder in front of Unbound to filter DNS requests of the server network. Perhaps Bind can completely replace Unbound in the future. But at first, I don't want to replace Unbound.
Before starting, I'd like to get your ideas for preventing DNS tunneling. Thanks.
OPNsense 24.7.1-amd64
schnipp
Sr. Member
Posts: 371
Karma: 19
Re: Prevent DNS-Tunneling « Reply #1 on: February 02, 2023, 09:39:33 pm »
Does nobody have an idea, or has nobody dealt with DNS tunneling?
OPNsense 24.7.1-amd64
Patrick M. Hausen
Hero Member
Posts: 6747
Karma: 568
Re: Prevent DNS-Tunneling « Reply #2 on: February 02, 2023, 09:45:56 pm »
You can configure BIND with local master zones. You can configure BIND with different ACLs for non-recursive and recursive queries.
Looks to me like that would do the job. But then I never worried about DNS tunneling. If I have an RCE on one of my servers there are more important things to take care of.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
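A sketch of the BIND setup Patrick describes, added here as an illustration; it is not taken from the thread and it is not the configuration the OPNsense BIND plugin generates. It ties both ideas from the thread together: local master zones hold the handful of names the server network needs, and ACLs grant recursion only to the user networks, so a query from the server network for anything outside the local zones is answered REFUSED and never reaches Unbound or the internet. The network ranges, zone name, file paths and the Unbound listener address 127.0.0.1 port 5353 are assumptions.

```conf
// Example named.conf for a filtering BIND in front of Unbound.
// Addresses, zone name and paths are assumptions for illustration.

acl "servers" { 192.0.2.0/24; };                 // server network: authoritative answers only
acl "clients" { 192.168.1.0/24; 10.0.0.0/8; };   // user networks: full recursion

options {
    directory "/usr/local/etc/namedb";
    listen-on    { 192.0.2.1; 192.168.1.1; };
    listen-on-v6 { none; };

    // Both networks may send queries, but only "clients" may ask BIND
    // to recurse. A server-network query for a name BIND is not
    // authoritative for gets REFUSED instead of being forwarded.
    allow-query     { servers; clients; };
    allow-recursion { clients; };
    recursion yes;

    // Recursive lookups (clients only) are handed to the existing
    // Unbound instance, assumed to listen on 127.0.0.1:5353.
    forwarders { 127.0.0.1 port 5353; };
    forward only;

    // Nothing needs zone transfers, and hide the version banner.
    allow-transfer { none; };
    version none;
};

// Local master zone with the names the server network is allowed to
// resolve. BIND answers these itself, so no query for them leaves the
// firewall and there is no upstream to tunnel through.
zone "srv.example.internal" {
    type master;
    file "master/srv.example.internal.db";
    allow-query { servers; clients; };
};

logging {
    // Log queries and refusals. A burst of REFUSED answers for long,
    // random-looking names from one server is a cheap tunnelling indicator.
    channel dns_security {
        file "/var/log/named/security.log" versions 5 size 10m;
        severity info;
        print-time yes;
    };
    category security { dns_security; };
    category queries  { dns_security; };
};
```

Check it after loading with `named-checkconf`, then from a host in the server network run `dig @192.0.2.1 somehost.srv.example.internal` (should answer authoritatively) and `dig @192.0.2.1 example.com` (status should be REFUSED); from the client network the second query should resolve through Unbound. Two caveats a practitioner would want: the filtering only holds if firewall rules also block direct UDP/TCP 53 (and DNS-over-TLS/HTTPS on 853/443) from the server network to the internet, otherwise a compromised host simply bypasses BIND; and if external names are later added as `type forward` zones rather than local master zones, any subdomain under those zones reaches the upstream again and becomes a usable tunnel path.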
schnipp
Sr. Member
Posts: 371
Karma: 19
Re: Prevent DNS-Tunneling « Reply #3 on: February 03, 2023, 05:41:31 pm »
Thanks, I'll try that.
Of course one should be concerned if the server experiences an RCE. It's a second line of defense and should prevent exfiltration of data to a malicious remote endpoint on the internet. Maybe IDS/IPS is the better solution. In fact, I haven't checked out Suricata and its properties as a possible solution yet.
OPNsense 24.7.1-amd64
Patrick M. Hausen
Hero Member
Posts: 6747
Karma: 568
Re: Prevent DNS-Tunneling « Reply #4 on: February 03, 2023, 07:02:31 pm »
I meant when and how would a server try to perform DNS tunneling if there isn't an RCE first? There are no interactive user accounts on servers with Internet facing applications here - apart from admins. And I trust them.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
schnipp
Sr. Member
Posts: 371
Karma: 19
Re: Prevent DNS-Tunneling « Reply #5 on: February 05, 2023, 07:32:26 pm »
The scenario I have outlined is a compromise of the server, either through an RCE or another possibility with the introduction of malware (e.g. compromised update server for distributing software updates).
The first steps look promising, even if the recursion regarding DNS queries is not yet running smoothly.
However, I found some bugs in the plugin.
Disabled or removed master zones leave orphaned zone files in the file system
Disabling entries (records) in master zones is without function
« Last Edit: February 05, 2023, 07:34:53 pm by schnipp »
OPNsense 24.7.1-amd64