DNS Tunneling

Working on the project to create a secure environment for PII data brought lots of challenges onto the table.

One of the issues that has been identified as a result of  Penetration test, was ability to use DNS tunneling to bring malware on to the client workstation running in Azure, despite the fact that they don’t have Web Browsing Internet Access enabled. It used DNS TXT messaging capabilities to fetch malicious PowerShell commands stored remotely as DNS TXT records.

Horce

Environment has been configured with “transparent” proxy, so there was no easy way to prevent Domain Name resolution on the clients.

To test the vulnerability it is possible to  use the MDSec tool PowerDNS to download and install tools and execute scripts on the endpoints, despite the lack of internet access.

What to do?

Preparing to my 70-743: Upgrading Your Skills to MCSA: Windows Server 2016 exam – I have learned about new cool feature called “DNS Policies”.

This feature allows you to create policies that can limit query types client can run against your DNS servers.

Luckily, all our Domain Controllers and DNS servers were running Windows Server 2016.

A little bit of scripting:

To create such a filter we would need two PowerShell CMDlets:

As we may have multiple (2 in my case) DNS servers, I have used the following script to configure DNS filter for subnet “MRV-SN-APP-001” (I used Azure Subnet Name as Identifier for the definition, but you can use any) that has CIDR ‘172.20.0.0/24’ to limit DNS query type to:  A,CNAME and SRV.

If you have Active Directory Domain – this would be minimum amount of the query type required for environment to function properly.

It is possible to be more specific, allowing all type of queries for an internal domain and then filtering requests for the others.

Script:

[array]$DNSservers = @('MRV-SH-ADDS-01', 'MRV-SH-ADDS-02')
Foreach ($Server in $DNSservers)
{
    Add-DnsServerClientSubnet -Name "MRV-SN-APP-001" -IPv4Subnet '172.20.0.0/24' -PassThru -ComputerName $Server 
    Add-DnsServerQueryResolutionPolicy -Name "AllowClientListQType" -Action IGNORE -QType "NE,A,CNAME,SRV" -PassThru -ClientSubnet "EQ, MRV-SN-APP-001" 
 -ComputerName $Server 
}