DNS Tunnel Detection Overview

DNS tunneling is an attack technique that encodes the data of other programs or protocols inside DNS queries and responses. A tunneling detection therefore indicates that DNS traffic is probably being subverted to carry another protocol's data or malware beaconing.

When a DNS packet is detected as tunneled, the SRX Series device can take a permit, deny, or sinkhole action.

DNS tunneling detection is available only with the ATP Cloud premium license.

The SRX Series device exports the tunneling metadata to Juniper ATP Cloud. To view the DNS tunneling detections, log in to the Juniper ATP Cloud Web portal and navigate to Monitor > DNS. Click the Tunnel tab to view the DNS tunnel detections, as shown in Figure 1. Click a domain name to view details of the hosts that have contacted that domain.

Figure 1: DNS Tunnel Page

DNS Tunneling Procedure

Here's how DNS tunneling works:

  1. An attacker registers a domain, for example "badsite.com".
  2. The domain's name server record points to the attacker's server, where the DNS tunneling server program is running.
  3. The DNS tunnel client program running on the infected host encodes data into DNS requests for subdomains of the malicious domain.
  4. The DNS resolver forwards the query to the attacker's command-and-control server, because that server is authoritative for the domain.
  5. A bidirectional channel is established between the victim and the attacker through the DNS resolver, with responses carrying data back to the client.
  6. This tunnel can be used to exfiltrate data or for other malicious purposes.
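The following is an added example, not Juniper's or ATP Cloud's code, showing both halves of the procedure above: how a tunnel client packs data into query names under a domain it controls (steps 1 to 3) and how a server reassembles them, followed by the kind of per-domain statistics (subdomain length, character entropy, uniqueness of names, query count) that a detector scores to flag such traffic. The domain "badsite.com", the payload, the client addresses, the benign query names and all thresholds are constructed for illustration and do not describe how the SRX Series or ATP Cloud detector is implemented.

```python
"""Added example (not Juniper's code): a toy DNS tunnel encoder/decoder and a
statistical detector over query names. All inputs and thresholds are constructed
for illustration."""
import base64
import math
from collections import defaultdict

MAX_LABEL = 63  # RFC 1035: a single label is at most 63 octets


def encode_tunnel_queries(payload: bytes, domain: str, labels_per_query: int = 2) -> list[str]:
    """Client side: split payload into base32 labels and build the query names a
    tunnel client sends. A leading hex sequence label lets the server reorder."""
    text = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    queries = []
    for seq, i in enumerate(range(0, len(labels), labels_per_query)):
        parts = [f"{seq:04x}"] + labels[i:i + labels_per_query] + [domain]
        queries.append(".".join(parts))
    return queries


def decode_tunnel_queries(queries: list[str], domain: str) -> bytes:
    """Server side (the attacker's authoritative name server): strip the domain
    and the sequence label, rejoin the chunks in order and decode."""
    suffix = "." + domain
    chunks = {}
    for q in queries:
        if not q.endswith(suffix):
            continue
        seq, *labels = q[:-len(suffix)].split(".")
        chunks[int(seq, 16)] = "".join(labels)
    text = "".join(chunks[k] for k in sorted(chunks)).upper()
    text += "=" * (-len(text) % 8)  # restore the base32 padding stripped above
    return base64.b32decode(text)


def shannon_entropy(s: str) -> float:
    """Bits per character; tunnel labels approach log2(32) = 5, hostnames sit near 1-2."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Simplification for the example: last two labels. A real detector uses the
    # public suffix list so that "x.co.uk" is not treated as the registered domain.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_domains(records, min_queries=10, min_avg_len=30, min_entropy=3.5, min_unique=0.9):
    """records: iterable of (client_ip, qname). Groups queries by registered
    domain and returns {domain: stats} for domains whose subdomain traffic
    looks tunneled: many, long, high-entropy, mostly unique subdomains."""
    by_domain = defaultdict(list)
    for client, qname in records:
        dom = registered_domain(qname)
        sub = qname[:-len(dom) - 1] if qname.endswith("." + dom) else ""
        by_domain[dom].append((client, sub))
    flagged = {}
    for dom, items in by_domain.items():
        subs = [s for _, s in items]
        if len(subs) < min_queries:
            continue
        stats = {
            "queries": len(subs),
            "avg_subdomain_len": sum(map(len, subs)) / len(subs),
            "avg_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
            "unique_ratio": len(set(subs)) / len(subs),
            "clients": sorted({c for c, _ in items}),  # hosts to pivot on, as in the portal
        }
        if (stats["avg_subdomain_len"] >= min_avg_len
                and stats["avg_entropy"] >= min_entropy
                and stats["unique_ratio"] >= min_unique):
            flagged[dom] = stats
    return flagged


# Constructed sample traffic: one infected host exfiltrating a record set, one
# normal host talking to a legitimate domain.
TUNNEL_DOMAIN = "badsite.com"
PAYLOAD = b"host=fin-ws-07;user=alice;cred=Tr0ub4dor&3;card=4111-1111-1111-1111;" * 20
TUNNEL_QUERIES = encode_tunnel_queries(PAYLOAD, TUNNEL_DOMAIN)
BENIGN_QUERIES = ["www.example.com", "mail.example.com", "api.example.com", "cdn.example.com"] * 5


def demo():
    """Run the detector over the constructed traffic and return the flagged domains."""
    records = [("10.0.0.5", q) for q in TUNNEL_QUERIES] + [("10.0.0.9", q) for q in BENIGN_QUERIES]
    return score_domains(records)


if __name__ == "__main__":
    assert decode_tunnel_queries(TUNNEL_QUERIES, TUNNEL_DOMAIN) == PAYLOAD
    for dom, stats in demo().items():
        print(dom, stats)
```

The detector flags only "badsite.com" and attributes it to the single client 10.0.0.5, which is the same pivot (domain, then the hosts that contacted it) the ATP Cloud Tunnel tab offers. The thresholds are deliberately simple; a production detector would also weigh query volume per client over time, record types (TXT and NULL are favoured by tunnels), and response sizes.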

Enable DNS Tunnel Detection on SRX Series Devices

To enable DNS tunnel detection on SRX Series devices, configure the tunneling option at the [edit services security-metadata-streaming policy dns-policy dns detections] hierarchy level, where dns-policy is the name of the security-metadata-streaming policy:

set services security-metadata-streaming policy dns-policy dns detections tunneling

Then attach the security-metadata-streaming policy to a security policy at the zone level, so that DNS traffic matching that from-zone/to-zone pair is inspected:

set security policies from-zone zone-name to-zone zone-name application-services security-metadata-streaming-policy dns-policy

Use the show services security-metadata-streaming dns statistics command to view the DNS statistics of the security metadata streaming policy, including how many packets were inspected and detected.

Use the show services dns-filtering cache command to view the entries in the DNS cache.