I am going to write a script that detects DNS tunneling.
First the script checks all DNS request packets to see the length.
If the length of a DNS request packet exceeds a threshold, say, 255 bytes, then this packet will be sent for DPI to check the requested domain name.
The problem is the “dns_request” event does not provide packet length, which means, for every DNS request, I have to check the requested domain name. This is expensive.
If I use “raw_packet” or “new_packet” events, then every new packet will trigger an event, which is also expensive.
Is there a way that only triggers an event for a DNS request packet (e.g., based on the protocol and port number), and I can determine whether DPI is necessary for this DNS request packet based on its length?
But I am worrying about the cost of DPI, since dns_request event contains dns_msg, query string and many other information that are not necessary when I only look at the length of the packet.
For most of the DNS request packets, I would like to check the length. Only those packets with greater length will be checked for querying strings.
Can I specify a filter that only checks the length of DNS request, like BPF, to the live traffic in my policy script?