Goose
Explorer

DNS Tunneling IPS

I understand the basics of what DNS tunneling is and have recently enabled this IPS protection in our Threat Prevention Profile. What I have been unable to find is exactly how this IPS protection actually works. What is it doing and looking for to stop a DNS tunnel?

Secondarily I would like to know how to test this but first need to know what this protection is doing in order to accomplish that.

Thank you.

Goose

0 Kudos
5 Replies
PhoneBoy
Admin

A large number of specific types of queries will trigger the DNS Tunneling protection.
Unfortunately, we do not publicly share the precise details of how we enforce this protection.

0 Kudos
Goose
Explorer

I understand and that makes some sense. Can you point me toward one particular way that I could test that it is indeed working? I recall seeing in one post (granted it was a particular upgrade scenario) that it was not working. I would just like to be able to trigger and verify. Thank you.

0 Kudos
PhoneBoy
Admin

Nothing I can share publicly.
Recommend reaching out to your local Check Point SE.

0 Kudos
Vladimir
Champion

You can try the dns2tcp tool in Kali Linux to test it: https://tools.kali.org/maintaining-access/dns2tcp

I am not sure how many packets it should see to be triggered though.

0 Kudos
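As an added example (not from the original thread, not Check Point code, and not a description of how Check Point's signature works): the script below generates a burst of tunnel-shaped DNS queries under a zone you control, so there is enough traffic for an IPS to have something to trigger on, and scores the names with the generic indicators that DNS-tunnel detectors commonly rely on (long, high-entropy encoded labels; many unique subdomains under one zone; TXT-type queries). The shape mimics what tools like dns2tcp produce but is not a reproduction of dns2tcp's encoding. `TUNNEL_ZONE`, `RESOLVER`, the 32-byte payload size and the detection thresholds are all placeholders chosen for illustration.

```python
"""Generate DNS-tunnel-shaped queries and score them with generic tunnel indicators.

Added example for testing a DNS tunneling IPS; assumptions are marked in comments.
"""
import math
import random
import socket
import struct
from base64 import b32encode
from typing import Dict, List, Optional

TUNNEL_ZONE = "tun.example.com"   # assumption: a zone whose NS you control
RESOLVER = ("192.0.2.53", 53)      # assumption: resolver on the path through the gateway
QTYPE_TXT = 16                     # dns2tcp-style tunnels commonly use TXT queries
MAX_PAYLOAD = 110                  # keeps the full name under the 253-byte limit

# Constructed benign names used only to contrast against the tunnel burst.
BENIGN_QNAMES = ["www.example.com", "mail.example.com", "api.example.com", "www.example.com"]


def encode_chunk(payload: bytes) -> str:
    # Base32 is DNS-safe and case-insensitive; strip the '=' padding, lowercase it.
    return b32encode(payload).decode().rstrip("=").lower()


def tunnel_qname(payload: bytes, seq: int, zone: str = TUNNEL_ZONE) -> str:
    # One outbound "packet" becomes <seq><base32 data> split into labels of <= 63 bytes.
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for one query name")
    enc = f"{seq:04x}" + encode_chunk(payload)
    labels = [enc[i:i + 63] for i in range(0, len(enc), 63)]
    name = ".".join(labels + [zone])
    if len(name) > 253:
        raise ValueError("query name exceeds 253 bytes")
    return name


def build_query(qname: str, qtype: int = QTYPE_TXT, txid: Optional[int] = None) -> bytes:
    # RFC 1035 wire format: 12-byte header (RD set, one question) + QNAME + QTYPE + QCLASS IN.
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname_wire = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in qname.split(".")) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)


def query_burst(n: int, seed: int = 0) -> List[str]:
    # Deterministic pseudo-random payloads so the indicators are reproducible.
    rng = random.Random(seed)
    burst = []
    for seq in range(n):
        payload = bytes(rng.getrandbits(8) for _ in range(32))
        burst.append(tunnel_qname(payload, seq))
    return burst


def shannon_entropy(s: str) -> float:
    # Bits per character; encoded data sits near the alphabet maximum, hostnames well below it.
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def subdomain(qname: str, zone: str) -> str:
    suffix = "." + zone
    return qname[: -len(suffix)] if qname.endswith(suffix) else ""


def tunnel_indicators(qnames: List[str], zone: str) -> Dict[str, float]:
    # Aggregate the per-zone indicators a detector would compute over a time window.
    subs = [subdomain(q, zone).replace(".", "") for q in qnames]
    subs = [s for s in subs if s]
    if not subs:
        return {"queries": 0, "unique": 0, "avg_len": 0.0, "avg_entropy": 0.0}
    return {
        "queries": len(subs),
        "unique": len(set(subs)),
        "avg_len": sum(len(s) for s in subs) / len(subs),
        "avg_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
    }


def looks_like_tunnel(ind: Dict[str, float], min_queries: int = 20,
                      min_len: int = 30, min_entropy: float = 3.5) -> bool:
    # Illustrative thresholds (assumption), not any vendor's tuning.
    return (ind["queries"] >= min_queries and ind["unique"] >= min_queries
            and ind["avg_len"] >= min_len and ind["avg_entropy"] >= min_entropy)


def send_burst(qnames: List[str], resolver=RESOLVER, qtype: int = QTYPE_TXT) -> int:
    # Fire-and-forget UDP: the IPS only has to see the queries, answers are irrelevant.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for q in qnames:
            sock.sendto(build_query(q, qtype), resolver)
    finally:
        sock.close()
    return len(qnames)


if __name__ == "__main__":
    burst = query_burst(200)
    print("tunnel burst:", tunnel_indicators(burst, TUNNEL_ZONE), looks_like_tunnel(tunnel_indicators(burst, TUNNEL_ZONE)))
    print("benign names:", tunnel_indicators(BENIGN_QNAMES, "example.com"))
    print("sent", send_burst(burst), "queries to", RESOLVER)
```

To use it as a test, point `RESOLVER` at a resolver reached through the gateway, set `TUNNEL_ZONE` to a domain whose authoritative server you control (so the queries leave your network rather than dying at the resolver), run it, and then look in the gateway's threat-prevention logs for the DNS Tunneling protection firing. The indicator functions are there to show what generic tunnel heuristics key on; they are not a claim about which of them, or how many queries, the vendor's protection uses.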
Goose
Explorer

Thank you Vladimir. I will try and let you know. 

0 Kudos