CirrostratusHi!
GTM datasheet for service providers states that there's support for block dns tunnels.
But I didn't find any solution how to secure dns from such attacks with GTM neither in documentation nor here on devcentral.
Does someone implement this?
Hi zup,
interesting question. :)
From my perspective LTM with DNS Services module combined with an iRule can help to throttle DNS tunneling attempts.
As far as I can say there are multiple ways to encode traffic into valid DNS requests / responses.
But in the bottom-line one has to use specific record types (allowing large resource records), will send a significant number of requests over short time frame and the requests will typically target the same domain or smaller number of domains.
If you build an iRule to track these measures you can make DNS tunneling unattractive in your network.
But I think there is no way to fully prevent it and the iRule will be very resource consuming.
I´m not aware of published iRules. Very likely F5 Professional Services would be able to support you in writing an iRule covering the subject.
Thanks, Stephan
CirrostratusI'm not sure if it is doable or no, I prefer to contact F5 technical support team
CirrostratusThanks guys for your response.
I'm in touch with local FSE and he provided an iRule for tests.
So, it is not built-in functionality but can be done with iRules.
NimbostratusCirrostratusHi Michael,
I'm not sure I can share this irule as it may be someone's intellectual property.
You'd better contact your local F5 FSE, they will probably help you solve your task.
