Enable DNS Tunnel Detection
To enable DNS tunnel detections on SRX Series Firewalls,
configure tunneling option at [edit services
security-metadata-streaming policy dns-policy dns
detections] hierarchy
level.
security-metadata-streaming {
policy dns-policy {
dns {
detections {
tunneling {
action [deny | permit | sinkhole];
fallback-options {
notification {
log;
}
}
inspection-depth value;
notification [log | log-detections];
}
}
}
}
}
Attach the security-metadata-streaming policy to a security firewall policy at zone-level.
set security policies from-zone zone-name to-zone zone-name
application-services security-metadata-streaming-policy
dns-policyUse
the show services security-metadata-streaming dns statistics
command to view the DNS statistics of security metadata streaming
policy.
user@host> show services security-metadata-streaming dns statistics Logical system: root-logical-system DNS session statistics: Cache Hits: 0 Cache Misses: 116 C2 Sessions Permitted: 0 C2 Sessions Dropped: 0 C2 Sessions Sinkholed: 12 DNS submission statistics: Domain Submission Success: 43 Domain Submission Failures: 0 Safe Verdicts Received: 8 C2 Verdicts Received: 12 DNS Tunnels Detected: 0 Latency Fallback Triggered: 0 ATP latency statistics: Average Latency: 63ms Maximum Latency: 119ms Minimum Latency: 39ms sub-50ms response: 52 (6%) sub-100ms response: 4000 (88%) sub-250ms response: 30 (4%) sub-500ms response: 2 (2%)
Use
the show services dns-filtering cache command to view the details
within the DNS cache.
user@host> show services dns-filtering cache Logical System:root-logical-system DNS Cache Refresh Rate:5 Minutes on FPC0 PIC0 Domain-Name, TTL, Prevalence , Verdict, Hitcount a0.com, 480, 1, C2, 1 Logical System:root-logical-system DNS Cache Refresh Rate:5 Minutes on FPC0 PIC1 Domain-Name, TTL, Prevalence , Verdict, Hitcount a10.com, 480, 1, C2, 1
DNS tunnel detection is supported on Junos OS 21.2R1 and later releases.