Filter DNS TXT record requests

Author
otimme
New Member
2017/03/06 09:58:10 (permalink)
0

Filter DNS TXT record requests

Hello all
Is it possible to filter outbound requests to DNS TXT records?
Thanks for any hint.
 
Regards, Oliver
#1


    emnoc
    Expert Member
    Re: Filter DNS TXT record requests 2017/03/06 13:11:45 (permalink)
    0
    Yes, but be careful: this is used for SPF lookups.
     
    You will need to do something similar to this blog, but the service would be DNS udp/53 and possibly tcp/53:
     
    http://socpuppet.blogspot.com/2014/08/how-to-write-ips-signature-to-block.html
     
     
     

    PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
    #2
    otimme
    New Member
    Re: Filter DNS TXT record requests 2017/03/06 23:07:48 (permalink)
    0
    Thanks, that's interesting.
     
    As we do not have a sending SMTP server in-house (we use Office 365), our machines do not have to do SPF queries ... so we can block all DNS TXT requests.
     
    Oliver
    #3
    hmtay_FTNT
    Gold Member
    Re: Filter DNS TXT record requests 2017/03/14 08:08:19 (permalink)
    0
    Hello Oliver,
     
    You can add the following custom Application Control signature to filter DNS TXT records requests:
     
    F-SBID( --name "DNS.TXT_Custom"; --protocol udp; --app_cat 12; --service DNS; --flow from_client; --dns.query_type=16; --weight 20; )
     
    HoMing
    #4
    emnoc
    Expert Member
    Re: Filter DNS TXT record requests 2017/03/14 08:55:46 (permalink)
    0
    FWIW
     
    Alternatively
    You could keep DNS inside and control DNS TXT queries from the name server.
     
     

    #5
    otimme
    New Member
    Re: Filter DNS TXT record requests 2017/03/14 10:23:26 (permalink)
    0
    Your Active Directory needs external DNS access as it acts as DNS for the domain computers. In this function the DC proxies DNS requests from the clients. As long as you don't have an internal SMTP server, I cannot find any reason for DNS TXT requests.
     
    So I decided to filter these requests because they could be used to harm clients with TXT requests which contain PowerShell commands.
     
    Oliver
    #6
    otimme
    New Member
    Re: Filter DNS TXT record requests 2017/03/15 00:00:28 (permalink)
    0
    I've tested this on a FGT-90 with 5.4.4 and it doesn't work for me. I created the custom signature and built a custom IPS profile in which I only look for this signature. The signature is set to block. An nslookup request for TXT entries of a domain still gives answers:
     
    Standardserver: google-public-dns-a.google.com
    Address: 8.8.8.8
    > dogipot.com
    Server: google-public-dns-a.google.com
    Address: 8.8.8.8
    Nicht autorisierende Antwort:
    Name: dogipot.com
    Address: 40.71.251.231
    > set q=txt
    >
    > dogipot.com
    Server: google-public-dns-a.google.com
    Address: 8.8.8.8
    DNS request timed out.
    timeout was 2 seconds.
    Nicht autorisierende Antwort:
    dogipot.com text =
    "v=spf1 a:outbounds5.obsmtp.com ~all"
    >
     
    Custom signatures should work while the IPS subscription isn't active? (it's a test firewall without subscriptions)
     
    Oliver
    #7
    RobertReynolds
    Bronze Member
    Re: Filter DNS TXT record requests 2017/03/15 05:56:09 (permalink)
    0
    I've tested the custom signature that HoMing provided on 5.4.3 (FG-60D) and 5.6.0 beta3 (FWF-30D) as both an IPS signature and an application control signature and I can't seem to get it to block via either. Both devices have active UTM subscriptions.
     
    @otimme I'm guessing it's this DNS TXT malware mechanism you are trying to block: http://blog.talosintellig...7/03/dnsmessenger.html
     
     
     
     
    #8
    hmtay_FTNT
    Gold Member
    Re: Filter DNS TXT record requests 2017/03/15 07:18:19 (permalink)
    0
    Hello Oliver,
     
    Yes, custom signatures will work without an active IPS subscription. The syntax I provided to you earlier was for App Control, not IPS. 
     
    App Control:
    F-SBID( --name "DNS.TXT_Custom"; --protocol udp; --app_cat 12; --service DNS; --flow from_client; --dns.query_type=16; --weight 20; )
     
    IPS:
    F-SBID( --name "DNS.TXT_Custom"; --protocol udp; --service DNS; --flow from_client; --dns.query_type=16; )
     
    The differences between the 2 signatures are the --app_cat and --weight syntax. Can you add it into App Control and set the signature to Block and let me know again?
     
    This is my test:
     
    $ dig -t txt google.com
    ATTENTION: default value of option force_s3tc_enable overridden by environment.
    ; <<>> DiG 9.8.1-P1 <<>> -t txt google.com
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
     
     
    Hi RobertReynolds,
     
    Did you explicitly set the signature to Block on the IPS/App Control sensor? If you did, can you send me a pcap of the DNS TXT query? I will run it through my scanner to see if the signature triggers. Thanks!
     
    HoMing
    #9
    otimme
    New Member
    Re: Filter DNS TXT record requests 2017/03/16 05:06:21 (permalink)
    0
    Hello
    it seems to work ... partly. If I activate the IPS profile with the custom filter, direct TXT queries made with 'nslookup' on a Windows 10 PC with the q option set to TXT will be blocked. If the q option is set to all, the TXT records will be shown:
     
    > set q=txt
    > aussie.ch
    Server: UnKnown
    Address: 8.8.8.8
    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    *** Zeitüberschreitung bei Anforderung an UnKnown.


    > set q=all
    > aussie.ch
    Server: UnKnown
    Address: 8.8.8.8
    Nicht autorisierende Antwort:
    aussie.ch text =
    "v=spf1 include:spf.protection.outlook.com -all"
    aussie.ch text =
    "MS=ms52923579"
    aussie.ch
    primary name server = ns1.weboffice.ch
    responsible mail addr = admin.novatrend.ch
    serial = 2016020900
    refresh = 86400 (1 day)
    retry = 7200 (2 hours)
    expire = 3600000 (41 days 16 hours)
    default TTL = 86400 (1 day)
    aussie.ch nameserver = ns2.weboffice.ch
    aussie.ch nameserver = ns1.weboffice.ch
    aussie.ch internet address = 46.232.178.40
    aussie.ch MX preference = 0, mail exchanger = aussie-ch.mail.protection.outlook.com


     
    #10
    emnoc
    Expert Member
    Re: Filter DNS TXT record requests 2017/03/16 07:07:58 (permalink)
    0
    If you did what you posted, then a q-type ALL is not the same as "--dns.query_type=16".
     
     
     
    To demonstrate, use set querytype
     
     
     
    e.g.


    SOCCIBERSEC1>nslookup
    > set querytype=ANY
    >
    > gmail.com
    Server:        10.2.2.1
    Address:    10.2.2.1#53

    Non-authoritative answer:
    Name:    gmail.com
    Address: 172.217.6.165
    gmail.com    nameserver = ns2.google.com.
    gmail.com    nameserver = ns1.google.com.
    gmail.com    nameserver = ns3.google.com.
    gmail.com    nameserver = ns4.google.com.
    gmail.com
        origin = ns2.google.com
        mail addr = dns-admin.google.com
        serial = 150290936
        refresh = 900
        retry = 900
        expire = 1800
        minimum = 60
    gmail.com    mail exchanger = 40 alt4.gmail-smtp-in.l.google.com.
    gmail.com    mail exchanger = 5 gmail-smtp-in.l.google.com.
    gmail.com    mail exchanger = 10 alt1.gmail-smtp-in.l.google.com.
    gmail.com    mail exchanger = 30 alt3.gmail-smtp-in.l.google.com.
    gmail.com    mail exchanger = 20 alt2.gmail-smtp-in.l.google.com.
    gmail.com    text = "v=spf1 redirect=_spf.google.com"
    gmail.com    has AAAA address 2607:f8b0:4000:804::2005

    Authoritative answers can be found from:
    ns2.google.com    internet address = 216.239.34.10
    ns1.google.com    internet address = 216.239.32.10
    ns3.google.com    internet address = 216.239.36.10
    ns4.google.com    internet address = 216.239.38.10
    >
        
    >
    > set  querytype=TXT
    >
    > gmail.com
    Server:        10.2.2.1
    Address:    10.2.2.1#53

    Non-authoritative answer:
    gmail.com    text = "v=spf1 redirect=_spf.google.com"

    Authoritative answers can be found from:
    >


     
     
    Your rule will work & block only the latter and not the former request.
     
    ;)
     
    Ken
     

    #11
    hmtay_FTNT
    Gold Member
    Re: Filter DNS TXT record requests 2017/03/16 07:13:17 (permalink)
    0
    Hello Oliver,
     
    emnoc is right, the earlier signature detects only querytype=TXT. I overlooked the scenario of getting a response for the TXT querytype via ANY. Here's the signature for it:
     
    App Control:
     
    F-SBID( --name "DNS.Any_Custom"; --protocol udp; --app_cat 12; --service DNS; --flow from_client; --byte_test 2,>,0,0; --byte_test 1,~,0x80,2; --pattern !"|00 00|"; --distance 4,packet; --within 2,packet; --pattern "|00 00 00 00 00 00|"; --distance 6,packet; --within 6,packet; --pattern "|00 00 FF|"; --distance 12,packet; --within 260,packet; --weight 20; )
     
    IPS:
     
    F-SBID( --name "DNS.Any_Custom"; --protocol udp; --service DNS; --flow from_client; --byte_test 2,>,0,0; --byte_test 1,~,0x80,2; --pattern !"|00 00|"; --distance 4,packet; --within 2,packet; --pattern "|00 00 00 00 00 00|"; --distance 6,packet; --within 6,packet; --pattern "|00 00 FF|"; --distance 12,packet; --within 260,packet; )
     
    Sorry about that. 
    HoMing
    #12
    otimme
    New Member
    Re: Filter DNS TXT record requests 2017/03/16 08:12:10 (permalink)
    0
    Hello HoMing
     
    thanks for your examples. The IPS example did not work here; I got a syntax error:
     
    # set signature "F-SBID( --name "DNS.Any_Custom"; --protocol udp; --service DNS; --flow from_client; --byte_test 2,>,0,0; --byte_test 1,~,0x80,2; --pattern !"|00 00|"; --distance 4,packet; --within 2,packet; --pattern "|00 00 00 00 00 00|"; --distance 6,packet; --within 6,packet; --pattern "|00 00 FF|"; --distance 12,packet; --within 260,packet; )"
     
    command parse error before '00|; --distance 4,packet; --within
    Command fail. Return code -61
     
    Regards, Oliver
    #13
    hmtay_FTNT
    Gold Member
    Re: Filter DNS TXT record requests 2017/03/16 08:29:44 (permalink)
    0
    Hello Oliver,
     
    set signature "F-SBID( --name "DNS.Any_Custom"; --protocol udp; --service DNS; --flow from_client; --byte_test 2,>,0,0; --byte_test 1,~,0x80,2; --pattern !"|00 00|"; --distance 4,packet; --within 2,packet; --pattern "|00 00 00 00 00 00|"; --distance 6,packet; --within 6,packet; --pattern "|00 00 FF|"; --distance 12,packet; --within 260,packet; )"
     
    The signatures I provided were meant to be added on the GUI. On the CLI, you have to unescape those special characters.
     
    set signature "F-SBID( --attack_id 2554; --name \"DNS.Any_Custom\"; --protocol udp; --service DNS; --flow from_client; --byte_test 2,>,0,0; --byte_test 1,~,0x80,2; --pattern !\"|00 00|\"; --distance 4,packet; --within 2,packet; --pattern \"|00 00 00 00 00 00|\"; --distance 6,packet; --within 6,packet; --pattern \"|00 00 FF|\"; --distance 12,packet; --within 260,packet; )"
     
    #14
    otimme
    New Member
    Re: Filter DNS TXT record requests 2017/03/17 00:43:05 (permalink)
    0
    Hello
     
    yes, the escaped chars, I should have known ... But anyway it also doesn't work. With q=any I still get the TXT records.
     
    Oliver
    #15
    hmtay_FTNT
    Gold Member
    Re: Filter DNS TXT record requests 2017/03/17 07:03:38 (permalink)
    0
    Oliver,
     
    Can you do a packet capture with Wireshark when you send the DNS request through the command line? I would like to check the content and run it through my environment. Thanks.
     
    HoMing
    #16
    emnoc
    Expert Member
    Re: Filter DNS TXT record requests 2017/03/17 08:18:26 (permalink)
    0
    Suggestion
     
    That signature will not work no matter how much you tweak it. The request will always pass the TXT. If you had an internal DNS server and forced all users to use it, then you might be able to control or filter the DNS request/answer to the clients.
     
    Run that request thru tshark with dns filters and you will see why it will not work.
     
     
    dns.qry.type will be 255 ("any *" wildcard), so you can't filter based on the client request in that fashion; you need to control it at the outputted response if you want to mangle the DNS answer.
     
     
     
    Ken

    #17
    hmtay_FTNT
    Gold Member
    Re: Filter DNS TXT record requests 2017/03/17 10:14:46 (permalink)
    0
    >>That signature will not work no matter how much you tweak.
    >>Run that request thru tshark with dns filters and you will see why it will not work.
    >>
    >>dns.qry.type will be 255 "any *" wildcards so you can't filter based on the client request in that fashion you need to control it at the outputed response if you want to mangle the DNS answer.
     
    If the IPS/Application Control module scans the packet and the pattern-checks match the packet, the signature will block the packet. Like the previous signature which blocks dns.query_type=16, blocking dns.query_type=255 will block the "ANY" type. To allow DNS requests to go out, users would have to send packets that are not type=16 or 255. One catch is if there are other query_types that could force the DNS server to reveal TXT records, they have to be blocked too. 
     
    >>If you had   a internal DNS server,  and forced all users to use it, than you might be able to control or filter the DNS request.answer to the clients.
     
    This, in my opinion, is the best way to handle this problem.
     
    HoMing
    #18
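As an added example that is not part of this thread or of Fortinet's own code: a small Python parser that applies the header checks of HoMing's DNS.Any_Custom signature (as read here; the meaning of the `~` byte_test operator as "QR bit clear" is an assumption) and the query-type check of the earlier DNS.TXT_Custom signature to a raw UDP payload. The query builder constructs sample packets so it runs offline, and it shows why the `set q=txt` lookups above (type 16) are caught while `set q=all`/`ANY` (type 255) sails past a type-16-only rule.

```python
# Added example, not from the thread: parse a raw DNS query the way the two
# custom signatures do, so it is visible why "set q=txt" (type 16) is caught
# while "set q=all"/"ANY" (type 255) needs the second, header-matching signature.
import struct

QTYPE_TXT, QTYPE_ANY = 16, 255

def build_query(name, qtype, txid=0x1234):
    """Build a plain recursive DNS query in RFC 1035 wire format (constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)         # QCLASS IN

def parse_query(pkt):
    """Return (qname, qtype) for a DNS client request, or None if the header checks fail."""
    if len(pkt) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    # Header tests of DNS.Any_Custom as read here (assumption about F-SBID semantics):
    #   --byte_test 2,>,0,0                  transaction id is non-zero
    #   --byte_test 1,~,0x80,2               QR bit clear: a query, not a response
    #   --pattern !"|00 00|" at offset 4     QDCOUNT != 0
    #   --pattern "|00 00 00 00 00 00|" @6   AN/NS/AR counts are all zero
    if txid == 0 or flags & 0x8000 or qd == 0 or (an, ns, ar) != (0, 0, 0):
        return None
    labels, pos = [], 12
    while pos < len(pkt):
        n = pkt[pos]
        pos += 1
        if n == 0:                               # end of QNAME
            break
        if n & 0xC0 or pos + n > len(pkt):       # no compression pointers in a question
            return None
        labels.append(pkt[pos:pos + n].decode("ascii", "replace"))
        pos += n
    else:
        return None                              # ran off the packet before the terminator
    if pos + 4 > len(pkt):
        return None
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]   # the "|00 FF|" right after the 0x00
    return ".".join(labels), qtype

def signature_verdict(pkt):
    """Verdict the two custom signatures would give: block TXT (16) and ANY (255)."""
    parsed = parse_query(pkt)
    if parsed is None:
        return "pass"
    return {QTYPE_TXT: "block:DNS.TXT_Custom", QTYPE_ANY: "block:DNS.Any_Custom"}.get(parsed[1], "pass")
```

A TXT-only rule passes the ANY query untouched, which is exactly what the `set q=all` output in the posts above shows; a real sensor would additionally see responses, which neither signature inspects.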
    emnoc
    Expert Member
    Re: Filter DNS TXT record requests 2017/03/17 10:44:38 (permalink)
    0
    Windows, for example, has the means to control DNS qry.types based on the client. It would be more practical to set a specific DHCP scope or client range and restrict and control that scope via MS AD domain services.
     
    Even with qry.type ANY you have to be very careful and aware of what it can break. Since a qry type of ANY is just that, the response could be little or a lot ;)
     
     

    #19