<![CDATA[SNORT - Reverse , dnstunnel block help]]>Hi all .
Any one here got way to block reverse tunnell through http using pfsense ? and block dnstunnel using google as a relay . any one ?

thanks .

]]>https://forum.netgate.com/topic/70083/snort-reverse-dnstunnel-block-helpRSS for NodeMon, 08 Jun 2026 11:56:06 GMTMon, 09 Jun 2014 07:32:08 GMT60<![CDATA[Reply to SNORT - Reverse , dnstunnel block help on Tue, 10 Jun 2014 23:55:32 GMT]]>@BBcan177:

I would suggest that you block all outgoing LAN DNS requests unless they are originating from your DNS Server(s) or pfSense DNS apps.

This is a very effective way to handle the potential issue.  Restrict all LAN DNS traffic to just your internal DNS server (or servers), then further restrict outbound DNS (on WAN) to designated forwarders.

There are some DNS policy rules in the Emerging Threats family that can help as well, but in my view the easiest method is restricting outbound DNS to only authorized hosts.

Bill

]]>https://forum.netgate.com/post/466755https://forum.netgate.com/post/466755Tue, 10 Jun 2014 23:55:32 GMT<![CDATA[Reply to SNORT - Reverse , dnstunnel block help on Tue, 10 Jun 2014 07:41:42 GMT]]>thanks ya  ;) ;)

]]>https://forum.netgate.com/post/466617https://forum.netgate.com/post/466617Tue, 10 Jun 2014 07:41:42 GMT<![CDATA[Reply to SNORT - Reverse , dnstunnel block help on Tue, 10 Jun 2014 02:56:59 GMT]]>I would suggest that you block all outgoing LAN DNS requests unless they are originating from your DNS Server(s) or pfSense DNS apps.

I think that Emerging Threats has a few rules for this, but I haven't looked into detail. I think they are looking for really long strings in the DNS traffic.

Some links:

http://security.stackexchange.com/questions/3206/do-you-detect-react-to-dns-tunnelling

http://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152

]]>https://forum.netgate.com/post/466606https://forum.netgate.com/post/466606Tue, 10 Jun 2014 02:56:59 GMT