
Windows DNS – Block Queries or Domains using Firewall Rules



Log in to Windows Server 2016 with an account that has DNS administrator permissions and open a PowerShell prompt. The policy below will create a filter that blocks resolution of the malware.com domain. Note the use of IGNORE for the -Action parameter, and EQ is a logical operator that means equals.
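The query resolution policy the paragraph refers to, written out as an added example (not the original post's own command). It assumes the DnsServer module is available on the server and uses an assumed policy name; the domain is the malware.com placeholder from the text.

```powershell
# Added example: block resolution of names under malware.com with a
# Windows Server 2016 DNS query resolution policy.
# Run in an elevated PowerShell session on the DNS server (DnsServer module).
Import-Module DnsServer

$policyName = 'BlockMalwareDotCom'   # assumed policy name

# -Action IGNORE silently drops matching queries (the client sees a timeout);
# DENY would instead return an error response to the client.
# The -FQDN criteria string is "<operator>,<value>": EQ means equals, and the
# leading wildcard matches any name beneath malware.com.
Add-DnsServerQueryResolutionPolicy -Name $policyName `
    -Action IGNORE `
    -FQDN 'EQ,*.malware.com' `
    -ProcessingOrder 1

# Verify the policy exists and is enabled
Get-DnsServerQueryResolutionPolicy -Name $policyName |
    Format-List Name, Action, IsEnabled, ProcessingOrder, Criteria

# Check from the server itself: the blocked name no longer resolves
# (the query is ignored), while an unrelated name still resolves normally.
Resolve-DnsName -Name www.malware.com -Server localhost -ErrorAction SilentlyContinue
Resolve-DnsName -Name www.microsoft.com -Server localhost

# Roll back the policy if needed:
# Remove-DnsServerQueryResolutionPolicy -Name $policyName -Force
```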




Windows DNS – how to block queries or domains




In all cases, DNS queries that are defined to go through the tunnel are sent to the DNS servers defined by the ASA. If the ASA defines no DNS servers, the DNS settings for the tunnel are blank. If split DNS is not defined, all DNS queries are sent to the DNS servers defined by the ASA. However, the behaviors described in this document can differ depending on the operating system (OS).


Refer to Cisco bug ID CSCtn14578, currently resolved on Microsoft Windows only as of Version 3.0(4235). The fix implements true split DNS: only queries for names that match the configured split-DNS domains are sent to the VPN DNS servers, and all other queries are sent only to other DNS servers, such as those configured on the physical adapter(s).


This issue is due to the native DNS client that attempts to send DNS queries via the physical adapter, which AnyConnect blocks (given the tunnel-all configuration). This leads to a name resolution delay that can be significant, especially if a large number of DNS suffixes are pushed by the headend. The DNS client must walk through all of the queries and available DNS servers until it receives a positive response.


On Microsoft Windows systems, DNS settings are per-interface. If split tunneling is used, DNS queries can fall back to the physical adaptor DNS servers after they fail on the VPN tunnel adaptor. If split tunneling without split DNS is defined, then both internal and external DNS resolution works because it falls back to the external DNS servers.


DNS requests that match the split-DNS domains are sent to the tunnel DNS servers and are not allowed to reach other DNS servers. To prevent such internal DNS queries from leaking outside the tunnel, the AnyConnect driver responds with "no such name" if the query is sent to any other DNS server. Therefore, the split-DNS domains can only be resolved via the tunnel DNS servers.


On Macintosh systems, the DNS settings are global. If split tunneling is used, but split DNS is not used, it is not possible for the DNS queries to reach DNS servers outside of the tunnel. You can only resolve internally, not externally.


AnyConnect does not interfere with the native DNS resolver. The tunnel DNS servers are configured as preferred resolvers, which take precedence over public DNS servers, so the initial DNS request for a name resolution is sent over the tunnel. Since DNS settings are global on Mac OS X, it is not possible for DNS queries to use public DNS servers outside the tunnel, as documented in CSCtf20226. Starting with AnyConnect 4.2, host routes for the tunnel DNS server(s) are automatically added as split-include networks (secure routes) by the AnyConnect client, so the split-include access list no longer requires explicit addition of the tunnel DNS server subnet.




The iPhone behaves as the complete opposite of the Macintosh system and is not like Microsoft Windows either. If split tunneling is defined but split DNS is not defined, DNS queries exit through the global DNS server that is defined. Therefore, split DNS domain entries are mandatory for internal resolution. This behavior is documented in Cisco bug ID CSCtq09624 and is fixed in Version 2.5.4038 of the Apple iOS AnyConnect client.


If the dns.google web site is blocked or shows very different results, first check that you are using Google Public DNS. If you are, different answers could be due to DNS hijacking by a captive Wi-Fi portal, malware on your router, your ISP, or its networks. See the troubleshooting directions for blocking and hijacking.


While tools like traceroute and ping report network latencies, they do not measure the speed of DNS resolution, and are only helpful when trying to find the location of delays, or to confirm network reachability. Google does not block ICMP or random UDP to Google Public DNS IP addresses, but there are rate limits on ICMP error replies, and ICMP traffic may be de-prioritized within Google networks.


If a DNS testing tool shows high levels of unanswered queries (and especially if ping and traceroute do not show comparable drop rates), check whether your IP address is generating more than 1000 queries per second, which can trigger rate limiting. If so, you can request a rate limit increase on our issue tracker.


If the first command's output shows "Thanks for using Google Public DNS." your UDP queries are reaching Google Public DNS; if the second command's output includes locations.publicdns.goog. your TCP queries are reaching Google too.


If the output shows NXDOMAIN then you are reaching another DNS resolver. If the output shows a timeout, DNS queries to Google Public DNS are blocked. Use the UDP or DNS traceroute commands in the following section to see where hijacking or blocking may be happening.


Question: Is there an easy way, and if so what is it, to prevent DNS responses for DNS requests for specific domains? The reason behind the question is that all those malicious DNS requests are for the same domain but from varying IPs, so IP blocking is not really that effective.


Ideally, you would set up an external resolver for your public resolver (used to resolve all resources that must be accessed externally: MX, web server, etc.), use the Windows DNS server only for your internal network, and block all incoming DNS queries at your perimeter.


There is one thing, however, that you simply cannot prevent: as soon as you have a DNS server that answers to external queries, even if it's only for your own domain, it can be used in a DNS bounce attack. You can configure it to prevent DNS amplification but not to prevent simple bounces. It shouldn't be a big deal unless you're getting DDoS'ed yourself though.


As far as filtering queries for specific domains I think the only Microsoft OS that will do that is Server 2016 with the new DNS query policy. The only major update to DNS I see, is the response rate limiting that bind has had for years.


Route 53 Resolver DNS Firewall is a managed firewall that you can use to block DNS queries that are made for known malicious domains and to allow queries for trusted domains. It provides more granular control over the DNS querying behavior of resources within your VPCs.


Refer to the DNS Firewall documentation to familiarize yourself with its constructs and understand how it works. The automation example we provide in this blog post is focused on providing blocks or alerts for DNS queries with suspicious domain names. For example, consider the scenario where an Amazon Elastic Compute Cloud (Amazon EC2) instance queries a domain name that is associated with a known command-and-control server. As shown in Figure 1, when GuardDuty detects communication with the malicious domain, it initiates a series of steps. First, AWS Step Functions orchestrates the remediation response through a defined workflow, then DNS Firewall adds the suspicious domain to the deny list or alert list, and finally GuardDuty notifies the security operators of the attempted communication.


This solution uses Step Functions and AWS Lambda so that incident response steps run in the correct order. Step Functions also provides retry and error-handling logic. Lambda functions interact with networking services to block traffic, and with databases to store data about blocked domain lists and AWS Security Hub finding Amazon Resource Names (ARNs).


For this next step, make sure that you deploy the template within the AWS account and the AWS Region where you want to monitor GuardDuty findings and block suspicious DNS activity. Depending on your architecture, you can deploy the solution one time centrally in a security account or deploy it repeatedly across multiple accounts.


As part of the CloudFormation template deployment, two test VPCs have been created for you, to demonstrate that you can assign a single DNS Firewall rule group to multiple VPCs. You can also associate this rule group to your existing VPC of interest. To learn how to do this task, see Managing associations between your VPC and Route 53 Resolver DNS Firewall rule group. For visibility into DNS queries and for debugging purposes, the template creates log groups that accumulate DNS Resolver query logs.


These samples are supplied for your convenience, and you will see the blocking action in a matter of minutes. Alternatively, you can use other ways to test, which might need about an hour for blocking action to happen. To initiate DNS C&C activity, you can make a DNS request from your instance (using dig for Linux or nslookup for Windows) against the test domain guarddutyc2activityb.com. Alternatively, you can use GuardDuty Tester, which generates DNS C&C activity and DNS exfiltration unauthorized events.
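The core remediation step of the workflow described above, as an added example that is not the blog post's own Lambda code: a PowerShell function that pulls the queried domain out of a GuardDuty DNS finding and adds it to a DNS Firewall domain list through the AWS CLI. The domain list id is a placeholder and the finding JSON is constructed here, trimmed to the fields the function reads.

```powershell
# Added example: add the domain from a GuardDuty DNS finding to a Route 53
# Resolver DNS Firewall domain list. Requires the AWS CLI with credentials that
# allow route53resolver:UpdateFirewallDomains on the target list.
function Add-GuardDutyDomainToFirewallList {
    param(
        [Parameter(Mandatory)] [string] $FindingJson,
        [Parameter(Mandatory)] [string] $FirewallDomainListId
    )
    $finding = $FindingJson | ConvertFrom-Json
    $action  = $finding.service.action
    # Only DNS_REQUEST findings carry a queried domain; anything else is rejected.
    if ($action.actionType -ne 'DNS_REQUEST') {
        throw "Finding $($finding.id) is not a DNS_REQUEST finding"
    }
    $domain = $action.dnsRequestAction.domain.TrimEnd('.').ToLowerInvariant()
    # Accept only a plain hostname before handing the value to the CLI
    if ($domain -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') {
        throw "Refusing to add unexpected value '$domain' to the deny list"
    }
    # ADD appends to the list; REPLACE would overwrite the existing entries.
    aws route53resolver update-firewall-domains `
        --firewall-domain-list-id $FirewallDomainListId `
        --operation ADD `
        --domains $domain
    if ($LASTEXITCODE -ne 0) { throw "update-firewall-domains failed for $domain" }
    return $domain
}

# Constructed sample finding for the test domain named in the post
$sampleFinding = @'
{
  "id": "EXAMPLE-FINDING-ID",
  "type": "Backdoor:EC2/C&CActivity.B!DNS",
  "service": {
    "action": {
      "actionType": "DNS_REQUEST",
      "dnsRequestAction": { "domain": "guarddutyc2activityb.com", "protocol": "UDP" }
    }
  }
}
'@

# rslvr-fdl-EXAMPLE is a placeholder: use the id of the deny list the template created
Add-GuardDutyDomainToFirewallList -FindingJson $sampleFinding -FirewallDomainListId 'rslvr-fdl-EXAMPLE'
```

Because the rule group is associated with each VPC of interest, one update to the domain list takes effect for every associated VPC.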


In this blog post, you learned how to automatically block malicious domains by using Route 53 Resolver DNS Firewall and GuardDuty. You can use this sample solution to automatically block communication to suspicious hosts discovered by GuardDuty, and you can apply those blocks across all configured DNS Firewall firewalls within your account.

