DNS behavior alerting

I started a Bro script a while ago that I haven't had time to develop much beyond the starter framework. The script is meant to do the below. I started working on it again but I'd welcome any help/feedback anyone would be willing to offer. It does try to do some basic DNS tunneling detection but it needs more intelligence built into it. For DNS tunneling the script looks at the query size and the return message size and then uses sumstats to alert on any host that crosses a specified threshold of suspicious DNS reqs/msgs seen.

I have seen that there are a lot of services out there conducting large hostname queries which creates some FPs.

Raises notices for odd or suspicious DNS traffic

- Detects DNS on non-standard ports

- Attempts to detect DNS tunneling

- Intelligence for different query types — TO DO

- Statistical analysis — TO DO

- Detect DNS responses with interesting IPs — TO DO

Script on GitHub:
https://github.com/theflakes/bro-scripts/blob/master/2.4-scripts/dns-bad_behavior.bro

-Brian Kellogg

For DNS tunneling detection, look for long qnames with few labels, very low TTLs, odd qclasses and types (like NULL), and response RRs with high ratios of ASCII to non-ASCII bytes.

You can also look for bursty queries from a single orig_h for a single qname (likely with many different subdomains).

Remember that both the client software issuing queries and the name server software issuing responses need to know how to decode tunneling queries. Check out the Iodine protocol specification for more info.

-AK
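The indicators in this reply (long qname with few labels, very low TTL, odd class or type, answer bytes that look like encoded text, bursts of distinct names under one parent from a single orig_h) and the per-host threshold that Brian's script applies with sumstats, as an added Python illustration that is not part of the thread and not the Bro script linked above. It runs over constructed dns.log-style lines (ts, id.orig_h, id.resp_p, query, qclass_name, qtype_name, TTLs, answers) rather than live traffic. All thresholds (52-byte qname, at most 4 labels, TTL of 5 s or less, 40-byte answer, 3 distinct names within 60 s, 2 flagged records per host) are assumptions chosen for the example, and the "encoded-looking answer" check approximates the ASCII-ratio idea by requiring a long, space-free, fully printable answer so that an SPF TXT record does not trip it.

```python
"""Heuristic DNS tunnelling indicators over dns.log-style records (added example)."""
from collections import Counter, defaultdict
import json

# Constructed records in a trimmed Zeek/Bro dns.log column order:
# ts, id.orig_h, id.resp_p, query, qclass_name, qtype_name, TTLs, answers.
# Made up for illustration; 10.0.0.7 mimics an iodine-style NULL-record tunnel.
SAMPLE_LOG = """\
1.0\t10.0.0.5\t53\twww.example.com\tC_INTERNET\tA\t3600\t93.184.216.34
2.0\t10.0.0.5\t53\texample.com\tC_INTERNET\tTXT\t300\tv=spf1 include:_spf.example.com -all
3.0\t10.0.0.7\t53\tkjq2xm3dgbsgcydpn5yg6zdom5xw42lufzxxezlbonqwy3ecnbvwsy3nfu.t.evil.test\tC_INTERNET\tNULL\t1\tMFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPJ4TCMRTGQ2TMNZYHE
4.0\t10.0.0.7\t53\tkjq2xm3dgbsgcydpn5yg6zdom5xw42lufzxxezlbonqwy3ecnbvwsy3nfv.t.evil.test\tC_INTERNET\tNULL\t1\tMFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPJ4TCMRTGQ2TMNZYHF
5.0\t10.0.0.7\t53\tkjq2xm3dgbsgcydpn5yg6zdom5xw42lufzxxezlbonqwy3ecnbvwsy3nfw.t.evil.test\tC_INTERNET\tNULL\t1\t-
6.0\t10.0.0.9\t5353\tmyprinter.local\tC_INTERNET\tA\t120\t10.0.0.42
"""

PRINTABLE = {chr(c) for c in range(0x20, 0x7F)}  # printable ASCII incl. space


def parse(line):
    """Split one tab-separated record; '-' is Zeek's unset marker."""
    ts, orig_h, resp_p, query, qclass, qtype, ttls, answers = line.split("\t")
    return {"ts": float(ts), "orig_h": orig_h, "resp_p": int(resp_p),
            "query": query, "qclass": qclass, "qtype": qtype,
            "ttls": [float(t) for t in ttls.split(",") if t not in ("-", "")],
            "answers": [a for a in answers.split(",") if a != "-"]}


def printable_ratio(s):
    """Fraction of characters that are printable ASCII (0.0 for empty input)."""
    return sum(c in PRINTABLE for c in s) / len(s) if s else 0.0


def indicators(rec, long_qname=52, few_labels=4, low_ttl=5, min_answer_len=40):
    """Return the names of the indicators that fire for one record."""
    hits = []
    if rec["resp_p"] != 53:                       # DNS on a non-standard port
        hits.append("non-standard-port")
    labels = rec["query"].split(".")
    if len(rec["query"]) >= long_qname and len(labels) <= few_labels:
        hits.append("long-qname-few-labels")      # data packed into one label
    if rec["ttls"] and min(rec["ttls"]) <= low_ttl:
        hits.append("low-ttl")                    # tunnels avoid caching
    if rec["qclass"] != "C_INTERNET" or rec["qtype"] == "NULL":
        hits.append("odd-class-or-type")
    for ans in rec["answers"]:
        # Long, space-free, fully printable answer: base32/base64-looking payload.
        if len(ans) >= min_answer_len and " " not in ans and printable_ratio(ans) > 0.95:
            hits.append("encoded-looking-answer")
            break
    return hits


def suspicious_hosts(records, threshold=2):
    """Per-host count of flagged records, returning hosts at or over `threshold`
    (the same shape as a sumstats threshold keyed on id.orig_h)."""
    counts = Counter(r["orig_h"] for r in records if indicators(r))
    return {h: n for h, n in counts.items() if n >= threshold}


def burst_sources(records, window=60.0, min_distinct=3):
    """(orig_h, parent domain) pairs that query >= `min_distinct` different names
    under one parent inside any `window`-second span; value is the largest count."""
    events = defaultdict(list)
    for r in records:
        parent = ".".join(r["query"].split(".")[-2:])   # crude: last two labels
        events[(r["orig_h"], parent)].append((r["ts"], r["query"]))
    bursty = {}
    for key, evs in events.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):
            best = max(best, len({q for t, q in evs[i:] if t - t0 <= window}))
        if best >= min_distinct:
            bursty[key] = best
    return bursty


def analyse(log_text):
    """Run every check over a block of dns.log-style lines."""
    records = [parse(l) for l in log_text.splitlines() if l and not l.startswith("#")]
    return {"per_record": {r["query"]: indicators(r) for r in records},
            "hosts": suspicious_hosts(records),
            "bursts": burst_sources(records)}


if __name__ == "__main__":
    out = analyse(SAMPLE_LOG)
    out["bursts"] = {f"{h} -> {d}": n for (h, d), n in out["bursts"].items()}
    print(json.dumps(out, indent=2))
```

On the sample, the SPF record and the plain A lookup fire nothing, the printer's mDNS lookup only trips the port check and stays under the per-host threshold, and 10.0.0.7 trips every indicator and the burst check. Whitelisting (anti-virus lookups, the large-hostname services mentioned above) would sit in front of `indicators`, keyed on the parent domain, before anything is counted.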

In my experience, detecting DNS tunneling with Anthony's first
suggestion may be the easiest and most effective way. I have a script
that does that and it's very high quality (no false positives except
for anti-virus DNS activity, which is easily whitelisted).

For those interested in this, we developed a general framework for detecting
surreptitious communication over DNS:

  http://www.icir.org/vern/papers/covert-dns-usec13.pdf

We mainly explored it for off-line use, but also showed that in principle
it could run in real-time. We didn't do a Bro implementation, though.

    Vern