Hello,
Just wondered if anyone else had successfully blocked DNS tunnels (such as NSTX or iodine) from working via DNS inspection on ASA 8.3 or newer?
Whilst there is a wealth of information on how to set these up to bypass security restrictions, there is very little realistic advice found on the internet on how to block them. The only feasible solution I've found proposed is to run a split-horizon DNS architecture, so internal DNS servers can only resolve internal addresses with no forwarding, and leave external resolution to proxy servers and force all internal web clients to use these in a traditional way (e.g. non-transparently).
Whilst most of the IP over DNS tunnel tools use TXT records, this doesn't have to be the case, and the most likely way to identify (and therefore block) them would be based on statistical analysis of DNS traffic, e.g. an unusually large number of subdomain lookups, unusually large subdomain lengths, unusually high numbers of requests etc., which of course ASA cannot do. It doesn't seem to be a million miles away from how ASA can detect and shun scanning attacks though...
Ideas/thoughts/suggestions please!!
Thanks,
Stuart
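As an added illustration (not part of Stuart's post or any Cisco feature), here is a Python sketch of the statistical indicators the post lists, run over constructed sample query-log lines; the log format, the two-label zone key and the thresholds are assumptions for demonstration only.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log lines ("<client> <qtype> <qname>"); not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 A www.example.com",
    "10.0.0.5 A mail.example.com",
    "10.0.0.7 TXT 3j9f0a8sd7f6g5h4j3k2l1q0w9e8r7t6y5u4i3o2p1a0s9d8.t.example.org",
    "10.0.0.7 TXT z8x7c6v5b4n3m2a1s0d9f8g7h6j5k4l3q2w1e0r9t8y7u6i5.t.example.org",
    "10.0.0.7 TXT q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6j7k8l9z0x1c2v3b4.t.example.org",
    "10.0.0.7 TXT m6n7b8v9c0x1z2l3k4j5h6g7f8d9s0a1p2o3i4u5y6t7r8e9.t.example.org",
    "10.0.0.7 TXT k0j9h8g7f6d5s4a3p2o1i0u9y8t7r6e5w4q3z2x1c0v9b8n7.t.example.org",
]

def entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    """Crude two-label zone key; a real deployment would use a public-suffix list."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def domain_stats(lines):
    """Per-zone indicators: query count, distinct names, mean leftmost-label
    length, mean label entropy, and share of TXT queries (reported, not scored)."""
    acc = defaultdict(lambda: {"queries": 0, "names": set(), "len": 0, "ent": 0.0, "txt": 0})
    for line in lines:
        _client, qtype, qname = line.split()
        label = qname.split(".")[0]          # leftmost label carries tunnel payload
        s = acc[registered_domain(qname)]
        s["queries"] += 1
        s["names"].add(qname.lower())
        s["len"] += len(label)
        s["ent"] += entropy(label)
        s["txt"] += qtype.upper() == "TXT"
    return {z: {"queries": s["queries"], "distinct_names": len(s["names"]),
                "mean_label_len": s["len"] / s["queries"],
                "mean_entropy": s["ent"] / s["queries"],
                "txt_share": s["txt"] / s["queries"]} for z, s in acc.items()}

def flag_tunnels(lines, max_label_len=30, min_entropy=3.5, min_distinct=4):
    """Zones tripping at least two of three indicators; thresholds are assumed values."""
    flagged = []
    for zone, s in domain_stats(lines).items():
        hits = ((s["mean_label_len"] > max_label_len) + (s["mean_entropy"] > min_entropy)
                + (s["distinct_names"] >= min_distinct))
        if hits >= 2:
            flagged.append(zone)
    return sorted(flagged)
```

Requiring two indicators rather than one keeps ordinary CDN or anti-spam lookups (many distinct names, but short low-entropy labels) from being flagged on volume alone.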