dnstun - enable DNS tunneling detection in the service queries.
This is a CoreDNS plugin that enabled DNS tunneling
detection within submitted queries. It analyzes payload of the DNS query
and either forward the query to the configured resolver (8.8.8.8
by default),
or returns refuse code.
With dnstun
enabled, users are able to detect data exfiltration through DNS
tunnels.
dnstun {
runtime HOST:PORT
detector DETECTOR:VERSION
[mapping forward|reverse]
}
-
runtime
specifies the endpoint inHOST:PORT
format to the remote model runtime. This runtime should comply with e.g.tensorcraft
HTTP interface. -
detector
is a directive to configure detector. Optionforward
instructs the plugin to treat higher probability in the second element of prediction tuple as DNS tunnel, whilereverse
tells that first element in the prediction tuple identifies DNS tunnel. -
mapping
is an optional directive to instructs plugin how interpret the response from detector:forward
treats higher probability in the second element of prediction tuple as DNS tunnel, whilereverse
tells that first element in the prediction tuple identifies DNS tunnel. Default isforward
.
Here are the few basic examples of how to enable DNS tunnelling detection. Usually DNS tunneling detection is turned only for all DNS queries.
Analyze all DNS queries through remote resolver listening on TCP socket.
. {
dnstun {
# Connect to the runtime that stores model and executes it.
runtime 10.240.0.1:5678
# Choose detector and it's version.
detector dns_cnn:latest
}
}
One of the possible ways to run experimental resolver is to use docker-compose. In order to run the environment, simply clone this repository and run the following command:
% git clone [email protected]:netrack/dnstun.git
% docker-compose up
After that, resolver will be accessible at port 53
:
% dig @localhost google.com
% dig @localhost q+aJ3on2BA.hidemyself.org.