On Fri, 23 May 2025, Grant Taylor via bind-users wrote:
> On 5/22/25 9:23 AM, Karol Nowicki via bind-users wrote:
>> Does ISC BIND software natively have any DNS tunneling prevention embedded?
> I don't think there is anything that I would describe that way. But there
> may be some rate limiting option(s) that you could use to at least cripple
> using DNS queries & replies as a tunnel mechanism.
Yes, exactly. Generally speaking, and it comes with its own constellation
of adversary responses, but failing softly, or failing to brokenness: I
think this is preferable to failing outright.
If you fail in an outright, reproducible, measurable fashion you give your
opponent predictability and confidence. As a defender you want to
undermine that and look like an under-resourced, poorly administered
network that somehow, we don't know exactly how but somehow: it's just
bad luck. There's a crappy network and every time your adversary messes
with it they just have inexplicable bad luck.
The footnotes would be longer than what I've written. File it generally
under "chaos engineering".
Dnstap offers application-level logging (DNS is an application protocol
along with a wire protocol) and you can combine that with e.g. fail2ban
and/or RPZ, or other things if it keeps you up at night and you like
picking the legs off of web spiders.
--
Fred Morris, internet plumber
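The dnstap-plus-fail2ban/RPZ idea above needs a detector in the middle; as an added example (written for this page, not code from the thread or from ISC), here is a small Python heuristic over BIND-style query-log lines that flags clients sending many long, high-entropy leftmost labels under one domain. The query-log line layout, the two-label "registered domain" rule and the sample lines are assumptions/constructed; a real deployment would read dnstap output and use a Public Suffix List.

```python
"""Heuristic DNS-tunnel detector over BIND query-log lines (added example;
log line shape assumed from BIND's "queries" category, sample constructed)."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample: 192.0.2.10 is ordinary; 192.0.2.20 sends long,
# high-entropy leftmost labels (hex digits) under one domain, tunnel-style.
SAMPLE_LOG = """\
client @0x7f3a 192.0.2.10#41000 (www.example.com): query: www.example.com IN A + (198.51.100.53)
client @0x7f3a 192.0.2.10#41001 (mail.example.com): query: mail.example.com IN MX + (198.51.100.53)
client @0x7f3a 192.0.2.10#41002 (a1b2c3.cdn.example.org): query: a1b2c3.cdn.example.org IN A + (198.51.100.53)
client @0x7f3b 192.0.2.20#53000 (c4f90a3e7b1d58626e2d8b0f4a9c1735.t.example.net): query: c4f90a3e7b1d58626e2d8b0f4a9c1735.t.example.net IN TXT + (198.51.100.53)
client @0x7f3b 192.0.2.20#53001 (6e2d8b0f4a9c1735c4f90a3e7b1d5862.t.example.net): query: 6e2d8b0f4a9c1735c4f90a3e7b1d5862.t.example.net IN TXT + (198.51.100.53)
client @0x7f3b 192.0.2.20#53002 (2d8b0f4a9c17356e4f90a3e7b1d5862c.t.example.net): query: 2d8b0f4a9c17356e4f90a3e7b1d5862c.t.example.net IN TXT + (198.51.100.53)
client @0x7f3b 192.0.2.20#53003 (8b0f4a9c17356e2df90a3e7b1d5862c4.t.example.net): query: 8b0f4a9c17356e2df90a3e7b1d5862c4.t.example.net IN TXT + (198.51.100.53)
client @0x7f3b 192.0.2.20#53004 (0f4a9c17356e2d8b90a3e7b1d5862c4f.t.example.net): query: 0f4a9c17356e2d8b90a3e7b1d5862c4f.t.example.net IN TXT + (198.51.100.53)
"""

LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9.]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    # Last two labels stand in for a Public Suffix List lookup (assumption).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_tunnel_suspects(log_text, min_len=20, min_entropy=3.0, min_distinct=4):
    """Map (client_ip, registered_domain) -> count of distinct payload-like labels."""
    labels = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line
        qname = m.group("qname").rstrip(".").lower()
        first = qname.split(".")[0]
        # Ordinary hostnames (www, mail, short CDN hashes) fail one of these tests.
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            labels[(m.group("ip"), registered_domain(qname))].add(first)
    return {k: len(v) for k, v in labels.items() if len(v) >= min_distinct}

if __name__ == "__main__":
    for (ip, dom), n in find_tunnel_suspects(SAMPLE_LOG).items():
        print(f"{ip} -> {dom}: {n} payload-like labels")  # feed to fail2ban or an RPZ zone
```

The thresholds are deliberately soft; tune them against your own baseline traffic so that legitimate long labels (DKIM selectors, some CDN names) do not trip the rule.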
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users