
Tunneling detection and mitigation

Defender can detect and mitigate various types of DNS tunnels and exfiltration attempts. Known tunneling methods can be mitigated via specific settings.

NULL queries can be blocked completely via tunneling.block_null_queries; the response code sent to the blocked client is configurable via tunneling.rcode.

For NONE class and ANY class queries, UDP queries above a configurable rate, tunneling.maximum_qps_none_class_over_udp and tunneling.maximum_qps_any_class_over_udp queries per second respectively, receive a truncated (TC=1) response, asking the client to retry over TCP. TCP queries above a configurable rate, tunneling.maximum_qps_none_class_over_tcp and tunneling.maximum_qps_any_class_over_tcp queries per second respectively, receive a response with the code configured via tunneling.rcode. The queries-per-second limit can be global or per client, depending on the value of tunneling.limit_qps_per_client. If the limit is per client, IP addresses can be grouped based on netmasks: see global.ipv4_mask for IPv4 addresses and global.ipv6_mask for IPv6 ones.

New, not yet known tunneling methods can be mitigated by restricting the total bandwidth that a given client can elicit from a server.

---
- type: global
  ipv4_mask: 32   # each IPv4 address is its own client
  ipv6_mask: 64   # IPv6 clients are grouped per /64
- type: tunneling
  rcode: "refused"                     # sent for blocked NULL queries and TCP queries over the limit
  block_null_queries: true
  maximum_qps_none_class_over_udp: 5   # above this, UDP NONE-class queries get TC=1
  maximum_qps_none_class_over_tcp: 10  # above this, TCP NONE-class queries get rcode
  maximum_qps_any_class_over_udp: 5    # above this, UDP ANY-class queries get TC=1
  maximum_qps_any_class_over_tcp: 10   # above this, TCP ANY-class queries get rcode
  limit_qps_per_client: true           # limits apply per masked client, not globally
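To make the decision flow above concrete, here is an added Python model of the policy described in this section and in the sample configuration. It is example code written for this page, not Defender's implementation: the one-second fixed-window counters, the choice to count UDP and TCP separately per class, the function names and the constructed client addresses are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Values taken from the sample configuration above (constructed for this example).
SETTINGS = {
    "ipv4_mask": 32,
    "ipv6_mask": 64,
    "rcode": "refused",
    "block_null_queries": True,
    "maximum_qps_none_class_over_udp": 5,
    "maximum_qps_none_class_over_tcp": 10,
    "maximum_qps_any_class_over_udp": 5,
    "maximum_qps_any_class_over_tcp": 10,
    "limit_qps_per_client": True,
}


def client_key(ip: str, settings: dict) -> str:
    """Group a source address into its client bucket using the configured masks."""
    addr = ipaddress.ip_address(ip)
    bits = settings["ipv4_mask"] if addr.version == 4 else settings["ipv6_mask"]
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


class TunnelingPolicy:
    """Hypothetical model of the tunneling mitigation rules (not the product's code)."""

    def __init__(self, settings: dict):
        self.s = settings
        # (bucket, qclass, transport, second) -> queries seen in that second.
        # A fixed one-second window is an assumption of this example.
        self.counts = defaultdict(int)

    def decide(self, src_ip: str, qclass: str, qtype: str, transport: str, now: float) -> str:
        """Return "answer", "truncate" (TC=1) or the configured rcode for one query."""
        s = self.s
        # Rule 1: NULL queries are blocked outright when block_null_queries is set.
        if qtype == "NULL" and s["block_null_queries"]:
            return s["rcode"]
        # Rules 2 and 3 only concern NONE and ANY class queries.
        if qclass not in ("NONE", "ANY"):
            return "answer"
        # Per-client bucket (masked address) or one global bucket.
        bucket = client_key(src_ip, s) if s["limit_qps_per_client"] else "global"
        slot = (bucket, qclass, transport, int(now))
        self.counts[slot] += 1
        limit = s[f"maximum_qps_{qclass.lower()}_class_over_{transport.lower()}"]
        if self.counts[slot] <= limit:
            return "answer"
        # Over the limit: UDP gets TC=1 to push the client to TCP, TCP gets rcode.
        return "truncate" if transport == "UDP" else s["rcode"]


def simulate_burst(policy: TunnelingPolicy, src_ip: str, qclass: str,
                   transport: str, n: int, now: float) -> list:
    """Send n identical queries within one second and collect the decisions."""
    return [policy.decide(src_ip, qclass, "A", transport, now) for _ in range(n)]


if __name__ == "__main__":
    p = TunnelingPolicy(SETTINGS)
    # 8 ANY-class UDP queries from one client: 5 answered, then TC=1.
    print(simulate_burst(p, "192.0.2.10", "ANY", "UDP", 8, 100.0))
    # 12 ANY-class TCP queries from the same client: 10 answered, then "refused".
    print(simulate_burst(p, "192.0.2.10", "ANY", "TCP", 12, 100.5))
    # Two IPv6 addresses in the same /64 share one bucket.
    print(client_key("2001:db8::1", SETTINGS), client_key("2001:db8::ffff", SETTINGS))
```

The useful observation is the difference between the two transports: over UDP the source address is unverified, so a TC=1 answer costs the server almost nothing and forces a tunneling client to complete a TCP handshake, where the TCP limit and the configured rcode then apply.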

Please refer to the tunneling settings reference for the complete description of the settings.