- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Filter DNS TXT record requests
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Filter DNS TXT record requests
Hello all
Is it possible to filter outbound requests to DNS TXT records?
Thanks for any hint.
Regards, Oliver
- « Previous
-
- 1
- 2
- Next »
18 REPLIES 18
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you did what you posted than a q-type ALL is not the same as "--dns.query_type=16"
to demostrate use the set querytype
e.g
SOCCIBERSEC1>nslookup
> set querytype=ANY > > gmail.com Server: 10.2.2.1 Address: 10.2.2.1#53 Non-authoritative answer: Name: gmail.com Address: 172.217.6.165 gmail.com nameserver = ns2.google.com. gmail.com nameserver = ns1.google.com. gmail.com nameserver = ns3.google.com. gmail.com nameserver = ns4.google.com. gmail.com origin = ns2.google.com mail addr = dns-admin.google.com serial = 150290936 refresh = 900 retry = 900 expire = 1800 minimum = 60 gmail.com mail exchanger = 40 alt4.gmail-smtp-in.l.google.com. gmail.com mail exchanger = 5 gmail-smtp-in.l.google.com. gmail.com mail exchanger = 10 alt1.gmail-smtp-in.l.google.com. gmail.com mail exchanger = 30 alt3.gmail-smtp-in.l.google.com. gmail.com mail exchanger = 20 alt2.gmail-smtp-in.l.google.com. gmail.com text = "v=spf1 redirect=_spf.google.com" gmail.com has AAAA address 2607:f8b0:4000:804::2005 Authoritative answers can be found from: ns2.google.com internet address = 216.239.34.10 ns1.google.com internet address = 216.239.32.10 ns3.google.com internet address = 216.239.36.10 ns4.google.com internet address = 216.239.38.10 > > > set querytype=TXT > > gmail.com Server: 10.2.2.1 Address: 10.2.2.1#53 Non-authoritative answer: gmail.com text = "v=spf1 redirect=_spf.google.com" Authoritative answers can be found from: >
Your rule will work & block only the later and not former request.
;)
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Oliver,
emnoc is right, the earlier signature detects only querytype=TXT. I overlooked the scenario of getting a response for the TXT querytype via ANY. Here's the signature for it:
App Control:
F-SBID( --name "DNS.Any_Custom"; --protocol udp; --app_cat 12; --service DNS; --flow from_client; --byte_test 2,>,0,0; --byte_test 1,~,0x80,2; --pattern !"|00 00|"; --distance 4,packet; --within 2,packet; --pattern "|00 00 00 00 00 00|"; --distance 6,packet; --within 6,packet; --pattern "|00 00 FF|"; --distance 12,packet; --within 260,packet; --weight 20; )
IPS:
F-SBID( --name "DNS.Any_Custom"; --protocol udp; --service DNS; --flow from_client; --byte_test 2,>,0,0; --byte_test 1,~,0x80,2; --pattern !"|00 00|"; --distance 4,packet; --within 2,packet; --pattern "|00 00 00 00 00 00|"; --distance 6,packet; --within 6,packet; --pattern "|00 00 FF|"; --distance 12,packet; --within 260,packet; )
Sorry about that.
HoMing
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello HoMing
thanks for your examples. The IPS example did not work here, I got a syntax error:
[size="3"]# set signature "F-SBID( --name "DNS.Any_Custom"; --protocol udp; --service DNS; --flow from_client; --byte_test 2,>,0,0; --byte_test 1,~,0x80,2; --pattern !"|00 00|"; --distance 4,packet; --within 2,packet; --pattern "|00 00 00 00 00 00|"; --distance 6,packet; --within 6,packet; --pattern "|00 00 FF|"; --distance 12,packet; --within 260,packet; )"[/size]
command parse error before '00|; --distance 4,packet; --within Command fail. Return code -61
Regards, Oliver
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Oliver,
set signature "F-SBID( --name "DNS.Any_Custom"; --protocol udp; --service DNS; --flow from_client; --byte_test 2,>,0,0; --byte_test 1,~,0x80,2; --pattern !"|00 00|"; --distance 4,packet; --within 2,packet; --pattern "|00 00 00 00 00 00|"; --distance 6,packet; --within 6,packet; --pattern "|00 00 FF|"; --distance 12,packet; --within 260,packet; )"
The signatures I provided were meant to be added on the GUI. On the CLI, you have to unescape those special characters.
set signature "F-SBID( --attack_id 2554; --name \"DNS.Any_Custom\"; --protocol udp; --service DNS; --flow from_client; --byte_test 2,>,0,0; --byte_test 1,~,0x80,2; --pattern !\"|00 00|\"; --distance 4,packet; --within 2,packet; --pattern \"|00 00 00 00 00 00|\"; --distance 6,packet; --within 6,packet; --pattern \"|00 00 FF|\"; --distance 12,packet; --within 260,packet; )"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
yes the escaped chars, I shoud have know ... But anyway it also doesn't work. With q=any I still get the TXT records.
Oliver
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oliver,
Can you do a packet capture with Wireshark when you send the DNS request through the command line? I would like to check the content and run it through my environment. Thanks.
HoMing
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Suggestion
That signature will not work no matter how much you tweak. The request will always pass the TXT. If you had a internal DNS server, and forced all users to use it, than you might be able to control or filter the DNS request.answer to the clients.
Run that request thru tshark with dns filters and you will see why it will not work.
dns.qry.type will be 255 "any *" wildcards so you can't filter based on the client request in that fashion you need to control it at the outputed response if you want to mangle the DNS answer.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
>>That signature will not work no matter how much you tweak.
>>Run that request thru tshark with dns filters and you will see why it will not work. >> >>dns.qry.type will be 255 "any *" wildcards so you can't filter based on the client request in that fashion you need to control >>it at the outputed response if you want to mangle the DNS answer.
If the IPS/Application Control module scans the packet and the pattern-checks match the packet, the signature will block the packet. Like the previous signature which blocks dns.query_type=16, blocking dns.query_type=255 will block the "ANY" type. To allow DNS requests to go out, users would have to send packets that are not type=16 or 255. One catch is if there are other query_types that could force the DNS server to reveal TXT records, they have to be blocked too.
>>If you had a internal DNS server, and forced all users to use it, than you might be able to control or filter the DNS request.answer to the clients.
This, in my opinion, is the best way to handle this problem.
HoMing
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Windows for example has the means to control DNS qry.types based on the client. It would be more practical to set a specific dhcp scope or client range and restrict and control that scope via MSad=domains services.
Even with qry.type ANY you have to be very careful and aware on what it can break. Since a qry type of ANY is just that , the response could be little or a lot of ;)
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortigate and active directory integration 291 Views
- Automatically Ban Malicious Inbound IPs using... 873 Views
- Strange issue with Fortigate 200E web... 428 Views
- Client DNS registering not working with... 1911 Views
- Unable to unblock site via category... 1049 Views
Labels
-
FortiGate
7,153 -
FortiClient
1,411 -
5.2
801 -
5.4
639 -
FortiManager
619 -
FortiAnalyzer
456 -
6.0
416 -
FortiAP
374 -
FortiSwitch
372 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
103 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
48 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
LDAP
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Routing
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
SSL SSH inspection
10 -
FortiRecorder
10 -
Application control
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1062 | |
| 887 | |
| 527 | |
| 441 | |
| 151 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.