I am going to write a script that detects DNS tunneling.
First the script checks all DNS request packets to see the length.
If the length of a DNS request packet exceeds a threshold, say, 255 bytes, then this packet will be sent for DPI to check the requested domain name.
The problem is the “dns_request” event does not provide packet length, which means, for every DNS request, I have to check the requested domain name. This is expensive.
If I use “raw_packet” or “new_packet” events, then every new packet will trigger an event, which is also expensive.
Is there a way that only triggers an event for a DNS request packet (e.g., based on the protocol and port number), and I can determine whether DPI is necessary for this DNS request packet based on its length?
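The two-stage idea in the post (cheap length gate first, name inspection only for packets over the threshold) can be shown independently of any capture framework by working on the raw DNS message, i.e. the UDP payload. The following is an added example, not code from the poster: it constructs two query packets inline, gates on message length, and only then parses the question name and scores it. The threshold of 160 bytes, the heuristic cut-offs (longest label, character entropy, total subdomain length) and the treatment of the last two labels as the registered domain are assumptions for the demo. One caveat worth knowing before choosing 255 as the threshold: a DNS query carrying a single question and no EDNS OPT record is at most 12 (header) + 255 (QNAME) + 4 (QTYPE, QCLASS) = 271 bytes, so a 255-byte gate only fires for names within a few bytes of the protocol maximum.

```python
"""Two-stage DNS-tunneling check: cheap length gate, then query-name inspection.

Added example (not from the original post). Operates on the raw DNS message
(UDP payload), so it does not depend on any particular capture framework.
Sample packets are constructed inline for the demo.
"""
import math
import struct

# Assumed gate: DNS messages at or below this size skip the expensive stage.
# The post suggests 255; a single-question query without EDNS is at most
# 12 + 255 + 4 = 271 bytes, so 160 is used here purely as a demo value.
LENGTH_THRESHOLD = 160


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (header + one question). Constructed test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def is_dns_query(payload: bytes) -> bool:
    """Cheap header check: QR bit clear (request) and exactly one question."""
    if len(payload) < 12:
        return False
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    return (flags & 0x8000) == 0 and qdcount == 1


def parse_qname(payload: bytes) -> list[str]:
    """Return the question-name labels; the question section uses no compression."""
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        n = payload[pos]
        if n == 0:
            return labels
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(payload[pos:pos + n].decode("ascii", errors="replace"))
        pos += n


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def inspect_query(payload: bytes) -> dict:
    """Expensive stage: score the subdomain labels left of the assumed registered domain."""
    labels = parse_qname(payload)
    sub = labels[:-2] if len(labels) > 2 else []  # assumption: last two labels = registered domain
    joined = "".join(sub)
    longest = max((len(lbl) for lbl in sub), default=0)
    entropy = shannon_entropy(joined)
    # Heuristic cut-offs chosen for the demo, not taken from the post.
    suspicious = longest >= 40 or entropy > 3.5 or len(joined) > 100
    return {"name": ".".join(labels), "longest_label": longest,
            "entropy": round(entropy, 2), "suspicious": suspicious}


def analyze(payload: bytes, threshold: int = LENGTH_THRESHOLD) -> dict:
    """Two-stage filter: only DNS requests larger than threshold reach inspect_query()."""
    if not is_dns_query(payload):
        return {"stage": "skip", "suspicious": False}
    if len(payload) <= threshold:
        return {"stage": "length", "length": len(payload), "suspicious": False}
    result = inspect_query(payload)
    result.update(stage="dpi", length=len(payload))
    return result


# Constructed sample traffic: one ordinary lookup, one tunnel-style query with
# three 60-character hex labels under t.example.net, and a response to show the gate.
NORMAL = build_dns_query("www.example.com")
TUNNEL_LABELS = [
    "4f9a0c7e2b8d1f6a3c5e9b0d7f2a4c8e1b6d3f9a5c0e7b2d8f4a1c6e3b9d",
    "a1c6e3b9d0f5a4f9a0c7e2b8d1f6a3c5e9b0d7f2a4c8e1b6d3f9a5c0e7b2",
    "d8f4a1c6e3b9d0f5a2c7e4b1d9f6a3c8e5b2d0f7a4c1e9b6d3f8a5c2e0b7",
]
TUNNEL = build_dns_query(".".join(TUNNEL_LABELS + ["t", "example", "net"]))
RESPONSE = NORMAL[:2] + bytes([NORMAL[2] | 0x80]) + NORMAL[3:]  # QR bit set

if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL), ("tunnel", TUNNEL), ("response", RESPONSE)):
        print(label, analyze(pkt))
```

The cheap stage only reads two header fields and the payload length, so it costs about the same as the port-based pre-filter the post is asking for; everything that allocates or walks the name lives behind the threshold. Note that the question name is part of the same message, so a gate on the name's own length is equally cheap once the message has been identified as a request.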