SonicOS 7.1 DNS Security

Configuring DNS Tunnel Detection

DNS tunneling is a method of bypassing security controls and exfiltrating data from a targeted organization. A DNS tunnel can be used as a full remote-control channel for a compromised internal host. Its capabilities include running operating system (OS) commands, transferring files, or even carrying a full IP tunnel.

SonicOS provides the ability to detect DNS tunneling attacks, displays suspicious clients, and allows you to create white lists for DNS tunnel detection.

When DNS tunneling detection is enabled, SonicOS logs whenever suspicious DNS packets are dropped.

DNS tunneling settings can be configured at the group or unit level.
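
The three functions described above (detection, a suspicious-client list, and a white list) can be illustrated with a generic heuristic. This is an added example, not SonicWall code, and it does not represent how SonicOS classifies traffic. The thresholds, domain names, and client addresses are constructed assumptions.

```python
import math
from collections import Counter

ALLOW_LIST = {"cdn.example.net"}   # constructed white list entries
MAX_LABEL_LEN = 40                 # assumed threshold: longest single label
MIN_ENTROPY = 3.8                  # assumed threshold: bits per character
MIN_PAYLOAD = 20                   # ignore short subdomains for the entropy test
MIN_HITS = 3                       # suspicious queries before a client is listed

def entropy(s):
    """Shannon entropy of s in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def is_suspicious(qname):
    """Flag query names whose subdomain looks like encoded payload."""
    name = qname.rstrip(".").lower()
    if any(name == d or name.endswith("." + d) for d in ALLOW_LIST):
        return False               # white-listed domains are never flagged
    labels = name.split(".")[:-2]  # naive: treat the last two labels as the base domain
    if not labels:
        return False
    payload = "".join(labels)
    if max(len(label) for label in labels) > MAX_LABEL_LEN:
        return True
    return len(payload) >= MIN_PAYLOAD and entropy(payload) >= MIN_ENTROPY

def suspicious_clients(queries):
    """Return {client_ip: hit_count} for clients at or above MIN_HITS."""
    hits = Counter(ip for ip, qname in queries if is_suspicious(qname))
    return {ip: n for ip, n in hits.items() if n >= MIN_HITS}

# Constructed sample traffic: (client IP, query name).
CHUNK = "mfrggzdfmztwq2lknnwg23tpobyxe43u"   # 32 chars of base32-looking data
SAMPLE = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", CHUNK + CHUNK[:12] + ".cdn.example.net"),   # long, but white-listed
    ("10.0.0.7", CHUNK + ".t.example.org"),                  # one hit, below MIN_HITS
    ("10.0.0.23", CHUNK + ".t.example.org"),                 # high entropy
    ("10.0.0.23", CHUNK[::-1] + ".t.example.org"),           # high entropy
    ("10.0.0.23", CHUNK + CHUNK[:12] + ".t.example.org"),    # 44-char label
]

if __name__ == "__main__":
    for ip, n in suspicious_clients(SAMPLE).items():
        print(f"suspicious client {ip}: {n} flagged queries")
```

The hit threshold keeps a client with a single odd lookup off the suspicious list, and the white list check runs first so that known long-label services are never counted.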