otimme
New Contributor

Filter DNS TXT record requests

Hello all

Is it possible to filter outbound requests to DNS TXT records?

Thanks for any hint.

Regards, Oliver

emnoc
Esteemed Contributor III

Yes, but be careful: this is used for SPF lookups.

You will need to do something similar to this blog, but the service would be DNS udp/53 and possibly tcp/53:

http://socpuppet.blogspot.com/2014/08/how-to-write-ips-signature-to-block.html

PCNSE NSE StrongSwan
otimme
New Contributor

Thanks, that's interesting.

As we do not have a sending SMTP server in-house (we use Office 365), our machines do not have to do SPF queries ... so we can block all DNS TXT requests.

Oliver

hmtay_FTNT

Hello Oliver,

You can add the following custom Application Control signature to filter DNS TXT record requests:

F-SBID( --name "DNS.TXT_Custom"; --protocol udp; --app_cat 12; --service DNS; --flow from_client; --dns.query_type=16; --weight 20; )

HoMing

emnoc
Esteemed Contributor III

FWIW

Alternatively, you could keep DNS inside and control DNS-TXT queries from the name-server.

PCNSE NSE StrongSwan
otimme
New Contributor

Your Active Directory needs external DNS access as it acts as DNS for the domain computers. In this function the DC proxies DNS requests from the clients. As long as you don't have an internal SMTP server, I cannot find any reason for DNS TXT requests.

So I decided to filter these requests because they could be used to harm clients with TXT requests which contain PowerShell commands.

Oliver

otimme

I've tested this on a FGT-90 with 5.4.4 and it doesn't work for me. I created the custom signature and built a custom IPS profile in which I only look for this signature. The sig. is set to block. An nslookup request for TXT entries of a domain still gives answers:

Standardserver: google-public-dns-a.google.com
Address: 8.8.8.8

> dogipot.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Nicht autorisierende Antwort:
Name: dogipot.com
Address: 40.71.251.231

> set q=txt
>
> dogipot.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
Nicht autorisierende Antwort:
dogipot.com text =

"v=spf1 a:outbounds5.obsmtp.com ~all"
>

Custom signatures should work while the IPS subscription isn't active? (It's a test firewall without subscriptions.)

Oliver

RobertReynolds
Contributor

I've tested the custom signature that HoMing provided on 5.4.3 (FG-60D) and 5.6.0 beta3 (FWF-30D), as both an IPS signature and an application control signature, and I can't seem to get it to block via either. Both devices have active UTM subscriptions.

@otimme I'm guessing it's this DNS TXT malware mechanism you are trying to block: http://blog.talosintellig...7/03/dnsmessenger.html

hmtay_FTNT

Hello Oliver,

Yes, custom signatures will work without an active IPS subscription. The syntax I provided to you earlier was for App Control, not IPS.

App Control:

F-SBID( --name "DNS.TXT_Custom"; --protocol udp; --app_cat 12; --service DNS; --flow from_client; --dns.query_type=16; --weight 20; )

IPS:

F-SBID( --name "DNS.TXT_Custom"; --protocol udp; --service DNS; --flow from_client; --dns.query_type=16; )

The differences between the 2 signatures are the --app_cat and --weight syntax. Can you add it into App Control and set the signature to Block and let me know again?

This is my test:

$ dig -t txt google.com
ATTENTION: default value of option force_s3tc_enable overridden by environment.

; <<>> DiG 9.8.1-P1 <<>> -t txt google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

Hi RobertReynolds,

Did you explicitly set the signature to Block on the IPS/App Control sensor? If you did, can you send me a pcap of the DNS TXT query? I will run it through my scanner to see if the signature triggers. Thanks!

HoMing

otimme

Hello,

It seems to work ... partly. If I activate the IPS profile with the custom filter, direct TXT queries made with 'nslookup' on a Windows 10 PC with the q option set to TXT will be blocked. If the q option is set to all, the TXT records will be shown:

> set q=txt
> aussie.ch
Server: UnKnown
Address: 8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Zeitüberschreitung bei Anforderung an UnKnown.

> set q=all
> aussie.ch
Server: UnKnown
Address: 8.8.8.8

Nicht autorisierende Antwort:
aussie.ch text =

"v=spf1 include:spf.protection.outlook.com -all"
aussie.ch text =

"MS=ms52923579"
aussie.ch
    primary name server = ns1.weboffice.ch
    responsible mail addr = admin.novatrend.ch
    serial = 2016020900
    refresh = 86400 (1 day)
    retry = 7200 (2 hours)
    expire = 3600000 (41 days 16 hours)
    default TTL = 86400 (1 day)
aussie.ch nameserver = ns2.weboffice.ch
aussie.ch nameserver = ns1.weboffice.ch
aussie.ch internet address = 46.232.178.40
aussie.ch MX preference = 0, mail exchanger = aussie-ch.mail.protection.outlook.com
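The result above (blocked with `set q=txt`, answered with `set q=all`) follows from what the signatures in this thread match on: `--dns.query_type=16` looks at the QTYPE field of the question, and nslookup's `set q=all` sends an ANY query (QTYPE 255), not a TXT query. The following Python is an added example, not Fortinet's code or the forum posters' code; it builds DNS queries, parses the question section and emulates the `--flow from_client` / `--dns.query_type=16` check as a simple QR-bit and QTYPE comparison (an assumption about how the match behaves), with an option to also flag ANY queries.

```python
import struct

# Added example: minimal DNS query builder/parser used to emulate the
# "--flow from_client; --dns.query_type=16" match from the thread.
# This is a simplification, not FortiGate's matching engine.
QTYPE_TXT = 16
QTYPE_ANY = 255   # what nslookup "set q=all" asks for


def build_query(qname, qtype, txid=0x1234):
    """Build a minimal DNS query (UDP payload): header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(pkt):
    """Return (is_query, qname, qtype) for the first question in a DNS packet."""
    flags, qdcount = struct.unpack("!HH", pkt[2:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, parts = 12, []
    while True:
        n = pkt[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0:   # name compression is not expected in a query; reject it
            raise ValueError("compressed name in question")
        parts.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    return (flags & 0x8000) == 0, ".".join(parts), qtype   # QR bit 0 = query


def matches_txt_rule(pkt, also_any=False):
    """Emulate the signature: a client query (QR=0) whose QTYPE is TXT (16).

    With also_any=True the check is widened to ANY (255) as well, which is
    the query type the 'set q=all' test in the thread uses.
    """
    is_query, _, qtype = parse_question(pkt)
    if not is_query:
        return False
    return qtype == QTYPE_TXT or (also_any and qtype == QTYPE_ANY)
```

Widening a block to ANY queries also affects tools that legitimately use them, so test the impact before enabling it on a production sensor.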
