dnstun - enables DNS tunneling detection in the queries it serves.
This is a CoreDNS plugin that enables DNS tunneling detection within submitted queries. It analyzes the payload of each DNS query and either forwards the query to the configured resolver (8.8.8.8 by default) or returns a REFUSED response code. With dnstun enabled, users are able to detect data exfiltration through DNS tunnels.
```
dnstun {
    runtime HOST:PORT
    detector DETECTOR:VERSION
    [mapping forward|reverse]
}
```
- `runtime` specifies the endpoint, in `HOST:PORT` format, of the remote model runtime. This runtime should comply with e.g. the tensorcraft HTTP interface.
- `detector` is a directive to configure the detector, given as `DETECTOR:VERSION`: the name of the model that the runtime stores and executes, and its version (for example `dns_cnn:latest`).
- `mapping` is an optional directive that instructs the plugin how to interpret the response from the detector: `forward` treats a higher probability in the second element of the prediction tuple as a DNS tunnel, while `reverse` tells that the first element in the prediction tuple identifies a DNS tunnel. The default is `forward`.
Here are a few basic examples of how to enable DNS tunneling detection. Usually DNS tunneling detection is turned on for all DNS queries.
Analyze all DNS queries through a remote model runtime listening on a TCP socket:
```
. {
    dnstun {
        # Connect to the runtime that stores the model and executes it.
        runtime 10.240.0.1:5678
        # Choose the detector and its version.
        detector dns_cnn:latest
    }
}
```
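To make the plugin's decision path concrete (the refuse-or-forward behaviour described at the top, and the `mapping` interpretation of the prediction tuple), here is an added Go example. It is not the dnstun plugin's own code and does not use the CoreDNS plugin API; the `/models/NAME/VERSION/predict` path and the `{"x": [...]}` / `{"y": [...]}` JSON shapes are assumptions invented for the example, not the documented tensorcraft interface, and `NewFakeRuntime` is a constructed stand-in for the runtime (a length rule on the first label, not a trained model) so that the code runs offline. The detector name and version and the two query names are the ones used on this page.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Mapping says which element of the detector's prediction tuple marks a tunnel.
type Mapping int

const (
	Forward Mapping = iota // tunnel when the second element is the higher probability (default)
	Reverse                // tunnel when the first element is the higher probability
)

// DNS response codes (RFC 1035 values): NOERROR lets the query be forwarded,
// SERVFAIL reports a runtime problem, REFUSED blocks a detected tunnel.
const RcodeSuccess, RcodeServerFailure, RcodeRefused = 0, 2, 5

// IsTunnel applies the mapping to a two-element prediction tuple.
func IsTunnel(pred []float64, m Mapping) (bool, error) {
	if len(pred) != 2 {
		return false, fmt.Errorf("detector returned %d elements, want 2", len(pred))
	}
	if m == Reverse {
		return pred[0] > pred[1], nil
	}
	return pred[1] > pred[0], nil
}

// Detector carries the Corefile settings (runtime, detector, mapping).
type Detector struct {
	Runtime string // HOST:PORT of the model runtime
	Name    string // detector name, e.g. dns_cnn
	Version string // detector version, e.g. latest
	Mapping Mapping
}

// Predict posts one query name to the runtime and returns the prediction tuple.
// ASSUMPTION: the URL path and the {"x": [...]} / {"y": [...]} JSON shapes are
// placeholders invented for this example, not the documented tensorcraft interface.
func (d *Detector) Predict(qname string) ([]float64, error) {
	body, _ := json.Marshal(map[string][]string{"x": {qname}})
	url := fmt.Sprintf("http://%s/models/%s/%s/predict", d.Runtime, d.Name, d.Version)
	resp, err := http.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("runtime returned HTTP %d", resp.StatusCode)
	}
	var out struct{ Y []float64 `json:"y"` }
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out.Y, err
}

// Verdict maps a query name to the rcode the plugin would answer with. Runtime
// errors surface as SERVFAIL rather than silently forwarding or refusing.
func (d *Detector) Verdict(qname string) (int, error) {
	pred, err := d.Predict(qname)
	if err != nil {
		return RcodeServerFailure, err
	}
	tunnel, err := IsTunnel(pred, d.Mapping)
	switch {
	case err != nil:
		return RcodeServerFailure, err
	case tunnel:
		return RcodeRefused, nil
	}
	return RcodeSuccess, nil
}

// NewFakeRuntime is a constructed stand-in for the model runtime so the example
// runs offline. It answers in [benign, tunnel] order using a crude rule (first
// label longer than 8 characters) in place of a trained model.
func NewFakeRuntime() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in struct{ X []string `json:"x"` }
		if err := json.NewDecoder(r.Body).Decode(&in); err != nil || len(in.X) != 1 {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		tunnel := 0.1
		if len(strings.SplitN(in.X[0], ".", 2)[0]) > 8 {
			tunnel = 0.9
		}
		json.NewEncoder(w).Encode(map[string][]float64{"y": {1 - tunnel, tunnel}})
	}))
}

func main() {
	rt := NewFakeRuntime()
	defer rt.Close()
	// Mapping is left at its zero value, Forward, which is the plugin default.
	d := &Detector{Runtime: strings.TrimPrefix(rt.URL, "http://"), Name: "dns_cnn", Version: "latest"}
	for _, q := range []string{"google.com.", "q+aJ3on2BA.hidemyself.org."} {
		code, err := d.Verdict(q)
		fmt.Printf("%-28s rcode=%d err=%v\n", q, code, err)
	}
}
```

Two points worth noticing: the fake runtime answers in `[benign, tunnel]` order, so with the default `forward` mapping only the long-label name is refused, whereas switching the same detector to `reverse` inverts every verdict and refuses ordinary lookups. A mapping that does not match the model's output order therefore shows up as an outage, which is why a quick `dig` against a known-good name is a sensible check after enabling the plugin. The example also returns SERVFAIL rather than a silent forward when the runtime cannot be reached or answers with a malformed tuple, so a broken detector is visible instead of quietly disabling the detection.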
One possible way to run the experimental resolver is with docker-compose. To start the environment, clone this repository and run the following commands:
```sh
% git clone git@github.com:netrack/dnstun.git
% docker-compose up
```
After that, the resolver will be accessible on port 53. The first query below is an ordinary lookup; the second carries a tunnel-style first label, so the two responses can be compared:
```sh
% dig @localhost google.com
% dig @localhost q+aJ3on2BA.hidemyself.org.
```