Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)

6066-0 DNS tunneling and SPF

I haven't finished my research, but this signature seems to trigger on the TXT queries used by SPF( Anybody else run into this and were you able to resolve?

Cisco Employee

Re: 6066-0 DNS tunneling and SPF

6066 is looking for a large number of DNS TXT record lookups. This is an actual technique used in DNS tunneling. Looking at the openspf website and what it does, I can see that as a legitimate benign trigger. One option would be to raise the limits on what fires 6066, but doing that may leave you blind to a real DNS tunnel... In this case, it would be best to filter out the hosts, which if I understand the spf project correctly would be your mail servers in this case.


Re: 6066-0 DNS tunneling and SPF

Actually the source is our own internal DNS servers, which is why I'm having such a tough time coming up with a solution that doesn't involve simply turning the sig off. The SPF queries themselves are apparently very identifiable and I was hoping there might be some way to use that:

Queries type TXT, class IN


Type: TXT (Text strings)

Class: IN (0x0001)

Cisco Employee

Re: 6066-0 DNS tunneling and SPF

Thanks for that little bit of detail ...

6066 is in essence a flood type signature ... an excessively large number of DNS TXT record lookups originating from a single source is going to trigger this signature. This may indicate the presence of a DNS tunneling tool in operation. The limits that are set on that signature under normal circumstances would legitimately be "weird". And to make things even more interesting, the "tools" out there that tunnel ip over dns, encode the traffic to look like valid hostnames.

Now you add SPF to the mix ... it's legitimately using dns TXT records to "validate" email. Now that I think a bit more about it (and have some more detail), it would make sense in your case to bump the limits up, especially if you are using SPF. Find your 'normal' new level, and then anything exceeding that could be indicative of tunneling because you'll always have some amount of legitimate dns TXT record traffic flying by, you're just adjusting for the expected amount.

Or, for a more complicated workaround, clone 6066-0. Filter out your DNS server from 6066-0. Raise the limits on the clone signature to reflect the normal level of dns TXT record traffic exhibited due to SPF. This way, 6066-0 is still there and fires on exactly what is was set for, but your DNS erver doesn;t fire the alert. And your cloned 6066 will trigger on the new tuned level of DNS TXT queries.

Just for reference, CmdrTaco posted a nice little writeup on SlashDot a few years back about this.

Cisco Employee

Re: 6066-0 DNS tunneling and SPF

Actually, scratch the cloning idea... this is going to tunnel thru your DNS server anyway, just tune the event count to account for the additional TXT traffic created due to SPF.

the cloning idea might just be overkill.

Community Member

Re: 6066-0 DNS tunneling and SPF

I came across this as well. Are there plans to modify this signature?

I believe SPF is rapidly becoming an anti-spam standard.

CreatePlease to create content