DNS Tunneling
Working on a project to build a secure environment for PII data brought plenty of challenges to the table.
One issue identified during a penetration test was the ability to use DNS tunneling to bring malware onto client workstations running in Azure, even though those workstations do not have web browsing internet access enabled. The technique relied on DNS TXT records: malicious PowerShell commands were stored remotely as TXT records and fetched through ordinary name resolution. A TXT record can carry arbitrary text, so any client that is allowed to resolve external names has a command channel, whether or not it can reach the web.
The environment had been configured with a "transparent" proxy, so there was no easy way to prevent domain name resolution on the clients.
To test the vulnerability you can use the MDSec tool PowerDNS, which downloads and installs tools and executes scripts on the endpoints despite the lack of internet access.
What to do?
While preparing for my 70-743: Upgrading Your Skills to MCSA: Windows Server 2016 exam, I learned about a new feature called "DNS Policies".
This feature allows you to create policies that limit the query types clients can run against your DNS servers, selected by criteria such as the client subnet, the queried name or the query type.
Luckily, all our Domain Controllers and DNS servers were running Windows Server 2016.
A little bit of scripting:
To create such a filter we need two PowerShell cmdlets:
Add-DnsServerClientSubnet
– used to create a definition of the subnet for the clients you want to apply the filter to.
Add-DnsServerQueryResolutionPolicy
– used to create a policy that is applied to that subnet.
Because there may be multiple DNS servers (two in my case), and client subnets and query resolution policies are per-server settings rather than AD-replicated, the following script configures the DNS filter on each server for the subnet "MRV-SN-APP-001" (I used the Azure subnet name as the identifier for the definition, but any name will do) with CIDR '172.20.0.0/24', limiting DNS query types to A, CNAME and SRV.
If you have an Active Directory domain, this is roughly the minimum set of query types required for the environment to function: domain controller location relies on SRV records, and the host names they point to resolve through A and CNAME records. Test before rolling out, since other record types (AAAA on IPv6 networks, PTR for reverse lookups) may be needed by specific applications.
It is also possible to be more specific, allowing all query types for an internal domain and then filtering requests for all other names.
Script:
# Policies are per-server settings, so every DNS server is configured in turn.
[array]$DNSservers = @('MRV-SH-ADDS-01', 'MRV-SH-ADDS-02')
Foreach ($Server in $DNSservers)
{
    # Define the client subnet the policy will be applied to.
    Add-DnsServerClientSubnet -Name "MRV-SN-APP-001" -IPv4Subnet '172.20.0.0/24' -PassThru -ComputerName $Server
    # Silently drop (IGNORE) any query from that subnet whose type is not A, CNAME or SRV.
    # The trailing backtick is a line continuation; without it, -ComputerName would be parsed as a separate command.
    Add-DnsServerQueryResolutionPolicy -Name "AllowClientListQType" -Action IGNORE -QType "NE,A,CNAME,SRV" -ClientSubnet "EQ,MRV-SN-APP-001" -PassThru `
        -ComputerName $Server
}
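As an added example that is not part of the original post, here is the more specific variant described above: two server-level policies per DNS server, evaluated in ProcessingOrder, the first allowing every query type for names in the internal AD domain, the second dropping anything from the restricted subnet that is not an A, CNAME or SRV lookup. It also includes a small check function to run from a client in that subnet. The server names and subnet are taken from the post; the internal domain name corp.example.com and the external test name are assumptions to replace with your own.

```powershell
# Added example (not the original post's script). Assumed values:
#   corp.example.com      - AD DNS domain name (replace with yours)
#   MRV-SN-APP-001        - client subnet definition (from the post)
#   172.20.0.0/24         - subnet CIDR (from the post)
#   MRV-SH-ADDS-01/02     - DNS servers (from the post)
$DnsServers     = @('MRV-SH-ADDS-01', 'MRV-SH-ADDS-02')
$SubnetName     = 'MRV-SN-APP-001'
$SubnetCidr     = '172.20.0.0/24'
$InternalDomain = 'corp.example.com'   # assumption

foreach ($Server in $DnsServers) {
    # Client subnets and policies are per-server settings (not AD-replicated),
    # so each server is configured separately. Skip the subnet if it exists.
    if (-not (Get-DnsServerClientSubnet -Name $SubnetName -ComputerName $Server -ErrorAction SilentlyContinue)) {
        Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet $SubnetCidr -ComputerName $Server
    }

    # Policy 1 (evaluated first): names in the internal domain get every query
    # type, so TXT records you publish yourself keep working for these clients.
    Add-DnsServerQueryResolutionPolicy -Name 'AllowInternalAllQTypes' `
        -Action ALLOW `
        -ClientSubnet "EQ,$SubnetName" `
        -Fqdn "EQ,*.$InternalDomain" `
        -Condition AND `
        -ProcessingOrder 1 `
        -ComputerName $Server

    # Policy 2: any other query from the subnet is dropped unless it is an
    # A, CNAME or SRV lookup. IGNORE sends no response at all, so a tunnelling
    # client sees a timeout rather than NXDOMAIN or REFUSED.
    Add-DnsServerQueryResolutionPolicy -Name 'DropNonAddressQTypes' `
        -Action IGNORE `
        -ClientSubnet "EQ,$SubnetName" `
        -QType 'NE,A,CNAME,SRV' `
        -Condition AND `
        -ProcessingOrder 2 `
        -ComputerName $Server

    # Show the resulting policy order on this server.
    Get-DnsServerQueryResolutionPolicy -ComputerName $Server |
        Select-Object Name, ProcessingOrder, Action, Condition |
        Format-Table -AutoSize
}

# Check from a client inside 172.20.0.0/24. Expected: the A query and the
# internal TXT query are answered; the external TXT query fails (times out).
function Test-QueryTypeFilter {
    param([string]$Name, [string]$Type, [string]$Server)
    try {
        $r = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop
        '{0,-30} {1,-5} answered ({2} record(s))' -f $Name, $Type, @($r).Count
    } catch {
        '{0,-30} {1,-5} no answer: {2}' -f $Name, $Type, $_.Exception.Message
    }
}

Test-QueryTypeFilter -Name 'www.example.com'                -Type 'A'   -Server 'MRV-SH-ADDS-01'  # assumed external name
Test-QueryTypeFilter -Name 'www.example.com'                -Type 'TXT' -Server 'MRV-SH-ADDS-01'
Test-QueryTypeFilter -Name "_kerberos._tcp.$InternalDomain" -Type 'SRV' -Server 'MRV-SH-ADDS-01'
Test-QueryTypeFilter -Name "app.$InternalDomain"            -Type 'TXT' -Server 'MRV-SH-ADDS-01'
```

Policies with the same criteria set are matched in ProcessingOrder and the first match wins, which is why the internal-domain ALLOW policy is given order 1 and the IGNORE policy order 2; queries from other subnets match neither policy and are resolved as usual.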
21st December 2017 at 3:23 pm
I'm not sure exactly why but this site is loading very
slow for me. Is anyone else having this issue or is it an issue on my end?
I'll check back later on and see if the problem still exists.
28th December 2017 at 4:31 pm
There might be performance issues, that I will look into.