    SNORT - Reverse , dnstunnel block help

    • E
      eznode last edited by

      Hi all.
      Anyone here got a way to block reverse tunnels through HTTP using pfSense, and block DNS tunnels using Google as a relay? Anyone?

      Thanks.

      • BBcan177
        BBcan177 Moderator last edited by

        I would suggest that you block all outgoing LAN DNS requests unless they are originating from your DNS Server(s) or pfSense DNS apps.

        I think that Emerging Threats has a few rules for this, but I haven't looked into it in detail. I think they are looking for really long strings in the DNS traffic.

        Some links:

        http://security.stackexchange.com/questions/3206/do-you-detect-react-to-dns-tunnelling

        http://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152

        • E
          eznode last edited by

          thanks ya  ;) ;)

          • bmeeks
            bmeeks last edited by

            @BBcan177:

            I would suggest that you block all outgoing LAN DNS requests unless they are originating from your DNS Server(s) or pfSense DNS apps.

            This is a very effective way to handle the potential issue.  Restrict all LAN DNS traffic to just your internal DNS server (or servers), then further restrict outbound DNS (on WAN) to designated forwarders.

            There are some DNS policy rules in the Emerging Threats family that can help as well, but in my view the easiest method is restricting outbound DNS to only authorized hosts.

            Bill
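
The two checks suggested in this thread (DNS allowed only from LAN hosts to the internal resolver and from that resolver to designated forwarders, plus a look for unusually long names), run offline over a query log. This is an added example, not code from any poster or from pfSense or Snort; the addresses, the label-length threshold and the log format are assumptions constructed for the illustration.

```python
# Added example: audit a DNS query log against the policy described in this thread.
INTERNAL_RESOLVERS = {"192.168.1.1"}   # assumed: the LAN's own DNS server
FORWARDERS = {"192.0.2.53"}            # assumed: designated upstream forwarder
MAX_LABEL_LEN = 40                     # assumed threshold; DNS permits 63 per label

# Constructed sample, one query per line: "<source> <destination> <qname>"
SAMPLE_LOG = """\
192.168.1.20 192.168.1.1 www.example.com
192.168.1.21 8.8.8.8 mail.example.org
192.168.1.22 192.168.1.1 mzxw6ytboi2gk3tfonzxsllqmfzxg53pojsc4y3pnvsgc5dfon2c4.t.example.net
192.168.1.1 192.0.2.53 www.example.com
192.168.1.23 8.8.8.8 nbswy3dpeb3w64tmmqqgs4zanf2ca5dfon2ca3lfonzwcz3f.t.example.net
malformed line
"""

def destination_allowed(src, dst):
    """LAN hosts may query only internal resolvers; resolvers only the forwarders."""
    if dst in INTERNAL_RESOLVERS:
        return True
    return src in INTERNAL_RESOLVERS and dst in FORWARDERS

def check_query(src, dst, qname):
    """Return the reasons a query deserves attention (empty list if none)."""
    reasons = []
    if not destination_allowed(src, dst):
        reasons.append("unauthorized-resolver")
    labels = [label for label in qname.rstrip(".").split(".") if label]
    if labels and max(len(label) for label in labels) > MAX_LABEL_LEN:
        reasons.append("long-label")
    return reasons

def scan(log_text):
    """Parse the log and return (source, qname, reasons) for each flagged query."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # skip malformed lines instead of crashing
            continue
        reasons = check_query(*parts)
        if reasons:
            findings.append((parts[0], parts[2], reasons))
    return findings

if __name__ == "__main__":
    for src, qname, reasons in scan(SAMPLE_LOG):
        print(src, ",".join(reasons), qname)
```

Once the firewall rules are in place, the "unauthorized-resolver" hits should appear only as blocked traffic, which leaves the long-label check to cover tunnels that pass through the authorized resolver.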
