Hello all
Is it possible to filter outbound requests to DNS TXT records?
Thanks for any hint.
Regards, Oliver
If you did what you posted, then a q-type ALL is not the same as "--dns.query_type=16".
To demonstrate, use the set querytype
e.g.
SOCCIBERSEC1>nslookup
> set querytype=ANY
>
> gmail.com
Server: 10.2.2.1
Address: 10.2.2.1#53

Non-authoritative answer:
Name: gmail.com
Address: 172.217.6.165
gmail.com nameserver = ns2.google.com.
gmail.com nameserver = ns1.google.com.
gmail.com nameserver = ns3.google.com.
gmail.com nameserver = ns4.google.com.
gmail.com
 origin = ns2.google.com
 mail addr = dns-admin.google.com
 serial = 150290936
 refresh = 900
 retry = 900
 expire = 1800
 minimum = 60
gmail.com mail exchanger = 40 alt4.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 5 gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 10 alt1.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 30 alt3.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 20 alt2.gmail-smtp-in.l.google.com.
gmail.com text = "v=spf1 redirect=_spf.google.com"
gmail.com has AAAA address 2607:f8b0:4000:804::2005

Authoritative answers can be found from:
ns2.google.com internet address = 216.239.34.10
ns1.google.com internet address = 216.239.32.10
ns3.google.com internet address = 216.239.36.10
ns4.google.com internet address = 216.239.38.10
>
>
> set querytype=TXT
>
> gmail.com
Server: 10.2.2.1
Address: 10.2.2.1#53

Non-authoritative answer:
gmail.com text = "v=spf1 redirect=_spf.google.com"

Authoritative answers can be found from:
>
Your rule will work & block only the latter and not the former request.
;)
Ken
PCNSE
NSE
StrongSwan
Hello Oliver,
emnoc is right, the earlier signature detects only querytype=TXT. I overlooked the scenario of getting a response for the TXT querytype via ANY. Here's the signature for it:
App Control:
F-SBID( --name "DNS.Any_Custom"; --protocol udp; --app_cat 12; --service DNS; --flow from_client; --byte_test 2,>,0,0; --byte_test 1,~,0x80,2; --pattern !"|00 00|"; --distance 4,packet; --within 2,packet; --pattern "|00 00 00 00 00 00|"; --distance 6,packet; --within 6,packet; --pattern "|00 00 FF|"; --distance 12,packet; --within 260,packet; --weight 20; )
IPS:
F-SBID( --name "DNS.Any_Custom"; --protocol udp; --service DNS; --flow from_client; --byte_test 2,>,0,0; --byte_test 1,~,0x80,2; --pattern !"|00 00|"; --distance 4,packet; --within 2,packet; --pattern "|00 00 00 00 00 00|"; --distance 6,packet; --within 6,packet; --pattern "|00 00 FF|"; --distance 12,packet; --within 260,packet; )
Sorry about that.
HoMing
Hello HoMing
thanks for your examples. The IPS example did not work here, I got a syntax error:
# set signature "F-SBID( --name "DNS.Any_Custom"; --protocol udp; --service DNS; --flow from_client; --byte_test 2,>,0,0; --byte_test 1,~,0x80,2; --pattern !"|00 00|"; --distance 4,packet; --within 2,packet; --pattern "|00 00 00 00 00 00|"; --distance 6,packet; --within 6,packet; --pattern "|00 00 FF|"; --distance 12,packet; --within 260,packet; )"
command parse error before '00|; --distance 4,packet; --within Command fail. Return code -61
Regards, Oliver
Hello Oliver,
set signature "F-SBID( --name "DNS.Any_Custom"; --protocol udp; --service DNS; --flow from_client; --byte_test 2,>,0,0; --byte_test 1,~,0x80,2; --pattern !"|00 00|"; --distance 4,packet; --within 2,packet; --pattern "|00 00 00 00 00 00|"; --distance 6,packet; --within 6,packet; --pattern "|00 00 FF|"; --distance 12,packet; --within 260,packet; )"
The signatures I provided were meant to be added on the GUI. On the CLI, you have to unescape those special characters.
set signature "F-SBID( --attack_id 2554; --name \"DNS.Any_Custom\"; --protocol udp; --service DNS; --flow from_client; --byte_test 2,>,0,0; --byte_test 1,~,0x80,2; --pattern !\"|00 00|\"; --distance 4,packet; --within 2,packet; --pattern \"|00 00 00 00 00 00|\"; --distance 6,packet; --within 6,packet; --pattern \"|00 00 FF|\"; --distance 12,packet; --within 260,packet; )"
Hello
Yes, the escaped chars, I should have known ... But anyway, it also doesn't work. With q=any I still get the TXT records.
Oliver
Oliver,
Can you do a packet capture with Wireshark when you send the DNS request through the command line? I would like to check the content and run it through my environment. Thanks.
HoMing
Suggestion
That signature will not work no matter how much you tweak it. The request will always pass the TXT. If you had an internal DNS server, and forced all users to use it, then you might be able to control or filter the DNS request/answer to the clients.
Run that request thru tshark with dns filters and you will see why it will not work.
dns.qry.type will be 255 ("any *" wildcard), so you can't filter based on the client request in that fashion; you need to control it at the outputted response if you want to mangle the DNS answer.
Ken
PCNSE
NSE
StrongSwan
>>That signature will not work no matter how much you tweak.
>>Run that request thru tshark with dns filters and you will see why it will not work.
>>
>>dns.qry.type will be 255 "any *" wildcards so you can't filter based on the client request in that fashion you need to control
>>it at the outputed response if you want to mangle the DNS answer.
If the IPS/Application Control module scans the packet and the pattern-checks match the packet, the signature will block the packet. Like the previous signature which blocks dns.query_type=16, blocking dns.query_type=255 will block the "ANY" type. To allow DNS requests to go out, users would have to send packets that are not type=16 or 255. One catch is if there are other query_types that could force the DNS server to reveal TXT records, they have to be blocked too.
>>If you had a internal DNS server, and forced all users to use it, than you might be able to control or filter the DNS request.answer to the clients.
This, in my opinion, is the best way to handle this problem.
HoMing
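To make the argument in the two posts above concrete (the byte layout that HoMing's F-SBID signatures match on, and the point that an ANY request carries QTYPE 255 while a TXT request carries QTYPE 16), here is a small decoder that classifies an outbound DNS request the same way those signatures do. This is an added example, not code from the thread or from Fortinet; the sample packets are constructed here, and the mapping of the signature's offsets onto DNS header fields (transaction ID at offset 0, flags at 2, QDCOUNT at 4, the three other counts at 6 to 11, then QNAME and QTYPE) is my reading of the signature against RFC 1035, not a Fortinet statement.

```python
"""Classify an outbound DNS request by QTYPE, mirroring the thread's custom
IPS signatures (block TXT=16 and ANY=255 on the client-to-server flow).

Added example, not code from the thread or from Fortinet. Sample packets are
constructed below; the field mapping of the signature is my own reading."""
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
QTYPE_NAMES = {QTYPE_A: "A", QTYPE_TXT: "TXT", QTYPE_ANY: "ANY"}

# QTYPEs the thread's signatures try to block: 16 (TXT) and 255 (ANY).
BLOCKED_QTYPES = {QTYPE_TXT, QTYPE_ANY}


def build_query(name, qtype, txid=0x1234):
    """Construct a minimal recursive DNS request: 12-byte header + one question."""
    # Header: ID, flags (QR=0, RD=1), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_question(pkt):
    """Return (qname, qtype) for a DNS request with a single plain question,
    or None when the header does not look like one.

    The header checks follow the signature: QR bit (0x80 in the byte at
    offset 2) clear, QDCOUNT at offset 4 non-zero, AN/NS/AR counts at
    offsets 6-11 all zero."""
    if len(pkt) < 12:
        return None
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qd == 0 or (an, ns, ar) != (0, 0, 0):
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            return None
        length = pkt[pos]
        if length == 0:           # zero-length label terminates the QNAME
            pos += 1
            break
        if length & 0xC0:         # compression pointer: not expected in a request QNAME
            return None
        labels.append(pkt[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 4 > len(pkt):
        return None
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return ".".join(labels), qtype


def signature_matches(pkt, qtype):
    """Literal emulation of the signature's final pattern: the QNAME terminator
    (00) followed by the 2-byte QTYPE, searched from offset 12 within 260 bytes.
    The TXT rule looks for 00 00 10, the ANY rule for 00 00 FF, so neither
    matches the other's request."""
    window = pkt[12:12 + 260]
    return b"\x00" + struct.pack("!H", qtype) in window


def verdict(pkt):
    """'block' for TXT/ANY requests, 'allow' for other requests, 'ignore' for
    packets that are not requests (a response never matches --flow from_client)."""
    parsed = parse_question(pkt)
    if parsed is None:
        return "ignore"
    _, qtype = parsed
    return "block" if qtype in BLOCKED_QTYPES else "allow"


if __name__ == "__main__":
    for qtype in (QTYPE_A, QTYPE_TXT, QTYPE_ANY):
        pkt = build_query("gmail.com", qtype)
        print(QTYPE_NAMES[qtype], parse_question(pkt), verdict(pkt),
              "txt-sig:", signature_matches(pkt, QTYPE_TXT),
              "any-sig:", signature_matches(pkt, QTYPE_ANY))
```

Running it shows the A query allowed, the TXT query matched only by the TXT pattern and the ANY query matched only by the ANY pattern, which is why a rule keyed on `|00 00 10|` alone lets the ANY request (and the TXT records in its answer) through. The decoder also makes the limitation both posters mention visible: it only sees the question, so whether the response happens to contain TXT data is invisible at this point, which is the argument for enforcing policy on an internal resolver that controls the answers.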
Windows, for example, has the means to control DNS qry.types based on the client. It would be more practical to set a specific DHCP scope or client range and restrict and control that scope via MS AD domain services.
Even with qry.type ANY you have to be very careful and aware of what it can break. Since a qry type of ANY is just that, the response could be a little or a lot ;)
PCNSE
NSE
StrongSwan
Copyright 2024 Fortinet, Inc. All Rights Reserved.