6066 is looking for a large number of DNS TXT record lookups. This is an actual technique used in DNS tunneling. Looking at the openspf website and what it does, I can see that as a legitimate benign trigger. One option would be to raise the limits on what fires 6066, but doing that may leave you blind to a real DNS tunnel... In this case, it would be best to filter out the hosts, which if I understand the spf project correctly would be your mail servers in this case.
Actually the source is our own internal DNS servers, which is why I'm having such a tough time coming up with a solution that doesn't involve simply turning the sig off. The SPF queries themselves are apparently very identifiable and I was hoping there might be some way to use that:
188.8.131.52.v1x2v.rf-adfe2ko9.senderbase.org: type TXT, class IN
6066 is in essence a flood type signature ... an excessively large number of DNS TXT record lookups originating from a single source is going to trigger this signature. This may indicate the presence of a DNS tunneling tool in operation. The limits that are set on that signature under normal circumstances would legitimately be "weird". And to make things even more interesting, the "tools" out there that tunnel ip over dns, encode the traffic to look like valid hostnames.
Now you add SPF to the mix ... it's legitimately using dns TXT records to "validate" email. Now that I think a bit more about it (and have some more detail), it would make sense in your case to bump the limits up, especially if you are using SPF. Find your 'normal' new level, and then anything exceeding that could be indicative of tunneling because you'll always have some amount of legitimate dns TXT record traffic flying by, you're just adjusting for the expected amount.
Or, for a more complicated workaround, clone 6066-0. Filter out your DNS server from 6066-0. Raise the limits on the clone signature to reflect the normal level of dns TXT record traffic exhibited due to SPF. This way, 6066-0 is still there and fires on exactly what is was set for, but your DNS erver doesn;t fire the alert. And your cloned 6066 will trigger on the new tuned level of DNS TXT queries.
Just for reference, CmdrTaco posted a nice little writeup on SlashDot a few years back about this.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...