SNORT - Reverse , dnstunnel block help
-
Hi all .
Any one here got way to block reverse tunnell through http using pfsense ? and block dnstunnel using google as a relay . any one ?thanks .
-
I would suggest that you block all outgoing LAN DNS requests unless they are originating from your DNS Server(s) or pfSense DNS apps.
I think that Emerging Threats has a few rules for this, but I haven't looked into detail. I think they are looking for really long strings in the DNS traffic.
Some links:
http://security.stackexchange.com/questions/3206/do-you-detect-react-to-dns-tunnelling
http://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152
-
thanks ya ;) ;)
-
I would suggest that you block all outgoing LAN DNS requests unless they are originating from your DNS Server(s) or pfSense DNS apps.
This is a very effective way to handle the potential issue. Restrict all LAN DNS traffic to just your internal DNS server (or servers), then further restrict outbound DNS (on WAN) to designated forwarders.
There are some DNS policy rules in the Emerging Threats family that can help as well, but in my view the easiest method is restricting outbound DNS to only authorized hosts.
Bill
