Netgate Discussion Forum
    SNORT - Reverse , dnstunnel block help

    pfSense Packages
    4 Posts 3 Posters 1.5k Views
    eznode

      Hi all.
      Anyone here got a way to block a reverse tunnel through HTTP using pfSense? And to block DNS tunneling using Google as a relay? Anyone?

      Thanks.

    BBcan177 (Moderator)

        I would suggest that you block all outgoing LAN DNS requests unless they are originating from your DNS Server(s) or pfSense DNS apps.

        I think that Emerging Threats has a few rules for this, but I haven't looked into detail. I think they are looking for really long strings in the DNS traffic.

        Some links:

        http://security.stackexchange.com/questions/3206/do-you-detect-react-to-dns-tunnelling

        http://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

    eznode

          Thanks, ya ;) ;)

    bmeeks

            @BBcan177:

            I would suggest that you block all outgoing LAN DNS requests unless they are originating from your DNS Server(s) or pfSense DNS apps.

            This is a very effective way to handle the potential issue. Restrict all LAN DNS traffic to just your internal DNS server (or servers), then further restrict outbound DNS (on WAN) to designated forwarders.

            There are some DNS policy rules in the Emerging Threats family that can help as well, but in my view the easiest method is restricting outbound DNS to only authorized hosts.

            Bill

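A heuristic check along the lines BBcan177 and bmeeks describe (flagging unusually long, many-labelled or high-entropy query names so that DNS still allowed out through the authorized resolver can be reviewed), written here as an added example that is not code from the thread or from pfSense/Snort. The query names, thresholds and the "two or more reasons" rule are constructed assumptions for illustration.

```python
import math
from collections import Counter

# Constructed sample of query names as a resolver log might record them
# (not from the thread); the last two are shaped like tunnelling payloads.
SAMPLE_QUERIES = [
    "www.netgate.com",
    "forum.netgate.com",
    "mail.google.com",
    "a9f3k2ld0ps8q7m1z4x6c5v2b8n3m7k1l0p9o8i7u6y5t4r3e2w1q0.tunnel.example.net",
    "zx9.kq3.pm7.vb2.nn4.rr8.ss1.tt6.uu0.vv5.ww2.xx9.exfil.example.org",
]


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_tunnel_score(qname, max_qname=52, max_label=32, max_labels=6, max_entropy=3.5):
    """Return (flagged, reasons) for one query name using the 'really long
    string' heuristics mentioned in the thread: total length, longest label,
    label count and character entropy. Thresholds are assumed values."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    # Drop the registrable part (last two labels) so the subdomain stands out.
    payload = ".".join(labels[:-2])
    reasons = []
    if len(name) > max_qname:
        reasons.append("long qname")
    if max(len(label) for label in labels) > max_label:
        reasons.append("long label")
    if len(labels) > max_labels:
        reasons.append("many labels")
    if len(payload) >= 16 and shannon_entropy(payload) > max_entropy:
        reasons.append("high entropy")
    # Require two independent signals to keep long-but-legitimate CDN names quiet.
    return (len(reasons) >= 2, reasons)


def flag_queries(qnames):
    """Map each suspicious query name to the reasons it was flagged."""
    return {q: dns_tunnel_score(q)[1] for q in qnames if dns_tunnel_score(q)[0]}
```

Run the flagged names against the resolver's query log for the hosts bmeeks's rule leaves authorized; the firewall restriction handles everything else.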
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.