otimme
New Member
March 6, 2017
Question

Filter DNS TXT record requests

  • March 6, 2017
  • 2 replies
  • 29041 views

Hello all

Is it possible to filter outbound requests to DNS TXT records?

Thanks for any hint.

 

Regards, Oliver


    emnoc
    New Member
    March 6, 2017

    Yes, but be careful: this is used for SPF lookups.

     

    You will need to do something similar to this blog, but the service would be DNS udp/53 and possibly tcp/53:

     

    http://socpuppet.blogspot.com/2014/08/how-to-write-ips-signature-to-block.html


    otimme
    otimme (Author)
    New Member
    March 7, 2017

    Thanks, that's interesting.

     

    As we do not have a sending SMTP server in-house (we use Office 365), our machines do not have to do SPF queries ... so we can block all DNS TXT requests.

     

    Oliver

    hmtay_FTNT
    Staff
    March 14, 2017

    Hello Oliver,

     

    You can add the following custom Application Control signature to filter DNS TXT records requests:

     

    F-SBID( --name "DNS.TXT_Custom"; --protocol udp; --app_cat 12; --service DNS; --flow from_client; --dns.query_type=16; --weight 20; )

     

    HoMing

    RobertReynolds
    New Member
    March 15, 2017

    I've tested the custom signature that HoMing provided on 5.4.3 (FG-60D) and 5.6.0 beta3 (FWF-30D), as both an IPS signature and an application control signature, and I can't seem to get it to block via either. Both devices have active UTM subscriptions.

     

    @ottime I'm guessing it's this DNS TXT malware mechanism you are trying to block: http://blog.talosintellig...7/03/dnsmessenger.html


    hmtay_FTNT
    Staff
    March 15, 2017

    Hello Oliver,

     

    Yes, custom signatures will work without an active IPS subscription. The syntax I provided to you earlier was for App Control, not IPS. 

     

    App Control:

    F-SBID( --name "DNS.TXT_Custom"; --protocol udp; --app_cat 12; --service DNS; --flow from_client; --dns.query_type=16; --weight 20; )

     

    IPS:

    F-SBID( --name "DNS.TXT_Custom"; --protocol udp; --service DNS; --flow from_client; --dns.query_type=16; )

     

    The differences between the 2 signatures are the --app_cat and --weight syntax. Can you add it into App Control and set the signature to Block and let me know again?

     

    This is my test:

     

    $ dig -t txt google.com
    ATTENTION: default value of option force_s3tc_enable overridden by environment.

    ; <<>> DiG 9.8.1-P1 <<>> -t txt google.com
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

     

     

    Hi RobertReynolds,

     

    Did you explicitly set the signature to Block on the IPS/App Control sensor? If you did, can you send me a pcap of the DNS TXT query? I will run it through my scanner to see if the signature triggers. Thanks!

     

    HoMing

    otimme
    otimme (Author)
    New Member
    March 16, 2017

    Hello

    It seems to work ... partly. If I activate the IPS profile with the custom filter, direct TXT queries made with 'nslookup' on a Windows 10 PC with the q option set to TXT are blocked. If the q option is set to all, the TXT records are still shown:

     

    > set q=txt
    > aussie.ch
    Server:  UnKnown
    Address:  8.8.8.8

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Request to UnKnown timed out.

    > set q=all
    > aussie.ch
    Server:  UnKnown
    Address:  8.8.8.8

    Non-authoritative answer:
    aussie.ch       text =
            "v=spf1 include:spf.protection.outlook.com -all"
    aussie.ch       text =
            "MS=ms52923579"
    aussie.ch
            primary name server = ns1.weboffice.ch
            responsible mail addr = admin.novatrend.ch
            serial  = 2016020900
            refresh = 86400 (1 day)
            retry   = 7200 (2 hours)
            expire  = 3600000 (41 days 16 hours)
            default TTL = 86400 (1 day)
    aussie.ch       nameserver = ns2.weboffice.ch
    aussie.ch       nameserver = ns1.weboffice.ch
    aussie.ch       internet address = 46.232.178.40
    aussie.ch       MX preference = 0, mail exchanger = aussie-ch.mail.protection.outlook.com
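The behaviour Oliver observes follows directly from what the custom signature in HoMing's posts matches on: `--flow from_client; --dns.query_type=16` inspects the QTYPE field of the question section in a client-to-server DNS message, and 16 is TXT. An `nslookup` with `set q=all` sends QTYPE 255 (ANY), so the query never carries the value 16 even though the resolver's answer contains the TXT records. The following is an added example, not Fortinet code or anything from the thread: it builds DNS query packets in memory (constructed input, using the names from the thread), parses the header and first question, and applies the same rule the signature expresses. The function names (`build_query`, `parse_question`, `signature_blocks`) are this example's own.

```python
"""Emulate the thread's custom signature (--flow from_client; --dns.query_type=16).

Added example, not Fortinet code: builds DNS query packets, parses the
header and question section per RFC 1035, and applies the rule the
signature expresses, i.e. a client query whose QTYPE is 16 (TXT) is blocked.
"""
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
TXT_SIGNATURE_QTYPE = 16  # the value in --dns.query_type=16


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels, zero terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a standard recursive query (QR=0, RD=1) with one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 12-byte header
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data: bytes, offset: int):
    """Decode an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are legal in answers but never needed in the
            # first question; treat them as malformed input here.
            raise ValueError("compression pointer in question section")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_question(packet: bytes):
    """Return (is_query, qname, qtype) for the first question of a DNS message."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    is_query = (flags & 0x8000) == 0  # QR bit clear -> message is from the client
    qname, off = decode_name(packet, 12)
    if len(packet) < off + 4:
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return is_query, qname, qtype


def signature_blocks(packet: bytes) -> bool:
    """True when the emulated signature (from_client AND qtype == 16) would drop it."""
    is_query, _, qtype = parse_question(packet)
    return is_query and qtype == TXT_SIGNATURE_QTYPE


def classify_thread_queries() -> dict:
    """The three query shapes seen in the thread, mapped to the signature's verdict."""
    samples = {
        "nslookup q=txt aussie.ch": build_query("aussie.ch", QTYPE_TXT),
        "nslookup q=all aussie.ch": build_query("aussie.ch", QTYPE_ANY),
        "plain A lookup google.com": build_query("google.com", QTYPE_A),
    }
    return {label: signature_blocks(pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, blocked in classify_thread_queries().items():
        print(f"{label:30s} blocked={blocked}")
```

Only the `q=txt` query is dropped; the `q=all` (ANY) query passes the rule and the resolver answers it with the TXT records, which is exactly the partial result shown above. A rule keyed on QTYPE 16 therefore stops direct TXT lookups but not ANY queries, and, as emnoc noted earlier, it only covers what the signature's service definition covers, so tcp/53 needs to be included as well if TCP fallback is a concern.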