Hello all
Is it possible to filter outbound requests to DNS TXT records?
Thanks for any hint.
Regards, Oliver
Yes, but be careful: this is used for SPF lookups.
You will need to do something similar to this blog, but the service would be DNS udp/53 and possibly tcp/53:
http://socpuppet.blogspot.com/2014/08/how-to-write-ips-signature-to-block.html
PCNSE
NSE
StrongSwan
Thanks, that's interesting.
As we do not have a sending SMTP server in-house (we use Office 365), our machines do not have to do SPF queries ... so we can block all DNS TXT requests.
Oliver
Hello Oliver,
You can add the following custom Application Control signature to filter DNS TXT records requests:
F-SBID( --name "DNS.TXT_Custom"; --protocol udp; --app_cat 12; --service DNS; --flow from_client; --dns.query_type=16; --weight 20; )
HoMing
FWIW, alternatively you could keep DNS inside and control DNS TXT queries from the name server.
Your Active Directory needs external DNS access, as it acts as DNS for the domain computers. In this function the DC proxies DNS requests from the clients. As long as you don't have an internal SMTP server, I cannot find any reason for DNS TXT requests.
So I decided to filter these requests, because they could be used to harm clients with TXT requests which contain PowerShell commands.
Oliver
I've tested this on a FGT-90 with 5.4.4 and it doesn't work for me. I created the custom signature and built a custom IPS profile in which I only look for this signature. The signature is set to block. An nslookup request for TXT entries of a domain still gives answers:
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8
> dogipot.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: dogipot.com
Address: 40.71.251.231
> set q=txt
> dogipot.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
DNS request timed out. timeout was 2 seconds.
Non-authoritative answer:
dogipot.com text = "v=spf1 a:outbounds5.obsmtp.com ~all"
>
Custom signatures should work even when the IPS subscription isn't active? (It's a test firewall without subscriptions.)
Oliver
I've tested the custom signature that HoMing provided on 5.4.3 (FG-60D) and 5.6.0 beta3 (FWF-30D), as both an IPS signature and an application control signature, and I can't seem to get it to block via either. Both devices have active UTM subscriptions.
@ottime I'm guessing it's this DNS TXT malware mechanism you are trying to block: http://blog.talosintellig...7/03/dnsmessenger.html
Hello Oliver,
Yes, custom signatures will work without an active IPS subscription. The syntax I provided to you earlier was for App Control, not IPS.
App Control:
F-SBID( --name "DNS.TXT_Custom"; --protocol udp; --app_cat 12; --service DNS; --flow from_client; --dns.query_type=16; --weight 20; )
IPS:
F-SBID( --name "DNS.TXT_Custom"; --protocol udp; --service DNS; --flow from_client; --dns.query_type=16; )
The differences between the 2 signatures are the --app_cat and --weight syntax. Can you add it into App Control and set the signature to Block and let me know again?
This is my test:
$ dig -t txt google.com
ATTENTION: default value of option force_s3tc_enable overridden by environment.
; <<>> DiG 9.8.1-P1 <<>> -t txt google.com
;; global options: +cmd
;; connection timed out; no servers could be reached
Hi RobertReynolds,
Did you explicitly set the signature to Block on the IPS/App Control sensor? If you did, can you send me a pcap of the DNS TXT query? I will run it through my scanner to see if the signature triggers. Thanks!
HoMing
Hello
It seems to work ... partly. If I activate the IPS profile with the custom filter, direct TXT queries made with 'nslookup' on a Windows 10 PC with the q option set to TXT will be blocked. If the q option is set to all, the TXT records will be shown:
> set q=txt
> aussie.ch
Server: UnKnown
Address: 8.8.8.8
DNS request timed out. timeout was 2 seconds.
DNS request timed out. timeout was 2 seconds.
*** Request to UnKnown timed out.
> set q=all
> aussie.ch
Server: UnKnown
Address: 8.8.8.8
Non-authoritative answer:
aussie.ch text = "v=spf1 include:spf.protection.outlook.com -all"
aussie.ch text = "MS=ms52923579"
aussie.ch
primary name server = ns1.weboffice.ch
responsible mail addr = admin.novatrend.ch
serial = 2016020900
refresh = 86400 (1 day)
retry = 7200 (2 hours)
expire = 3600000 (41 days 16 hours)
default TTL = 86400 (1 day)
aussie.ch nameserver = ns2.weboffice.ch
aussie.ch nameserver = ns1.weboffice.ch
aussie.ch internet address = 46.232.178.40
aussie.ch MX preference = 0, mail exchanger = aussie-ch.mail.protection.outlook.com
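The behaviour reported above follows from what the signature actually inspects. `--dns.query_type=16` matches the QTYPE field of the question section in the client's query packet; nslookup's `set q=txt` sends QTYPE 16 (TXT), while `set q=all` sends QTYPE 255 (ANY), which is a different number and so never matches, even though the ANY response carries the TXT records. The following is an added example, not code from Fortinet or from any of the posters: a small Python DNS question parser that builds both queries (constructed here, not captured from the devices in the thread), applies the same QTYPE=16 test the custom signature applies, and shows a second rule that also covers ANY. The packets, names and function names are assumptions for illustration.

```python
import struct

# DNS QTYPE values from RFC 1035 / RFC 1035 section 3.2.3 (ANY is QTYPE 255).
QTYPE_TXT = 16
QTYPE_ANY = 255
QCLASS_IN = 1


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: standard query, RD set, one question, class IN.

    Constructed test input; it is what a stub resolver sends for `nslookup`
    with q=txt (qtype 16) or q=all (qtype 255, i.e. ANY).
    """
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(packet: bytes):
    """Return (name, qtype, qclass) of the first question of a DNS *query*.

    Returns None for responses (QR bit set), truncated packets, packets with no
    question, or a name that uses a compression pointer (not valid in the first
    question of a query, and a common evasion/garbage pattern).
    """
    if len(packet) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount < 1:  # QR=1 means response; no question => nothing to match
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer or reserved label type
            return None
        if pos + length > len(packet):
            return None
        labels.append(packet[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if pos + 4 > len(packet):
        return None
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def matches_txt_rule(packet: bytes) -> bool:
    """Same test as the custom signature: client query whose QTYPE is TXT (16)."""
    q = parse_question(packet)
    return q is not None and q[1] == QTYPE_TXT


def matches_txt_or_any_rule(packet: bytes) -> bool:
    """Stricter variant: also drop ANY (255) queries, which return TXT records too."""
    q = parse_question(packet)
    return q is not None and q[1] in (QTYPE_TXT, QTYPE_ANY)


if __name__ == "__main__":
    for label, qtype in (("set q=txt", QTYPE_TXT), ("set q=all", QTYPE_ANY)):
        pkt = build_query("aussie.ch", qtype)
        print(f"{label:10} qtype={qtype:3}  TXT rule blocks: {matches_txt_rule(pkt)!s:5}  "
              f"TXT|ANY rule blocks: {matches_txt_or_any_rule(pkt)}")
```

Running it prints that the TXT-only rule blocks the q=txt packet and passes the q=all packet, which is exactly the partial result seen above. Note that matching on QTYPE in the query is the only thing either rule does; a client that fetches TXT data inside an ANY response, or over a channel the sensor does not decode (DNS over TCP without the tcp/53 service, DNS over HTTPS), is not covered by a query-type signature and needs the name-server-side control suggested earlier in the thread.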