Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
997
Views
5
Helpful
5
Replies

6066-0 DNS tunneling and SPF

mhellman
Level 7
Level 7

‎02-17-2006 02:51 PM - edited ‎03-10-2019 01:53 AM

I haven't finished my research, but this signature seems to trigger on the TXT queries used by SPF(http://www.openspf.org/). Anybody else run into this and were you able to resolve?

Labels:
0 Helpful
5 Replies 5

wsulym
Cisco Employee
Cisco Employee

‎02-19-2006 08:35 PM

6066 is looking for a large number of DNS TXT record lookups. This is an actual technique used in DNS tunneling. Looking at the openspf website and what it does, I can see that as a legitimate benign trigger. One option would be to raise the limits on what fires 6066, but doing that may leave you blind to a real DNS tunnel... In this case, it would be best to filter out the hosts, which if I understand the spf project correctly would be your mail servers in this case.

0 Helpful

mhellman
Level 7
Level 7
In response to wsulym

‎02-20-2006 06:30 AM

Actually the source is our own internal DNS servers, which is why I'm having such a tough time coming up with a solution that doesn't involve simply turning the sig off. The SPF queries themselves are apparently very identifiable and I was hoping there might be some way to use that:

Queries

124.229.193.82.v1x2v.rf-adfe2ko9.senderbase.org: type TXT, class IN

Name: 124.229.193.82.v1x2v.rf-adfe2ko9.senderbase.org

Type: TXT (Text strings)

Class: IN (0x0001)

wsulym
Cisco Employee
Cisco Employee
In response to mhellman

‎02-21-2006 11:21 AM

Thanks for that little bit of detail ...

6066 is in essence a flood type signature ... an excessively large number of DNS TXT record lookups originating from a single source is going to trigger this signature. This may indicate the presence of a DNS tunneling tool in operation. The limits that are set on that signature under normal circumstances would legitimately be "weird". And to make things even more interesting, the "tools" out there that tunnel ip over dns, encode the traffic to look like valid hostnames.

Now you add SPF to the mix ... it's legitimately using dns TXT records to "validate" email. Now that I think a bit more about it (and have some more detail), it would make sense in your case to bump the limits up, especially if you are using SPF. Find your 'normal' new level, and then anything exceeding that could be indicative of tunneling because you'll always have some amount of legitimate dns TXT record traffic flying by, you're just adjusting for the expected amount.

Or, for a more complicated workaround, clone 6066-0. Filter out your DNS server from 6066-0. Raise the limits on the clone signature to reflect the normal level of dns TXT record traffic exhibited due to SPF. This way, 6066-0 is still there and fires on exactly what is was set for, but your DNS erver doesn;t fire the alert. And your cloned 6066 will trigger on the new tuned level of DNS TXT queries.

Just for reference, CmdrTaco posted a nice little writeup on SlashDot a few years back about this.

0 Helpful

wsulym
Cisco Employee
Cisco Employee
In response to wsulym

‎02-21-2006 11:50 AM

Actually, scratch the cloning idea... this is going to tunnel thru your DNS server anyway, just tune the event count to account for the additional TXT traffic created due to SPF.

the cloning idea might just be overkill.

0 Helpful

usanitary
Level 1
Level 1
In response to wsulym

‎04-26-2007 06:59 AM

I came across this as well. Are there plans to modify this signature?

I believe SPF is rapidly becoming an anti-spam standard.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card