
The network is relatively straightforward: on the inside there is Active Directory; in the DMZ there is a BIND9 DNS forwarder. The Active Directory domain controller is the internal DNS server for all Windows clients, and all machines must use the DNS forwarder to perform DNS queries.

I am trying to prevent my clients from performing certain types of lookup, for example, TXT records. This is because of a security concern, specifically, DNS tunneling (see a tool called iodine for further information).

I was expecting to find an easy option in BIND9 for disabling certain types of record lookup, but I can't find anything applicable. Does anybody know of something that will do the trick? Either in BIND's config or something else?

    Maybe you can configure that in what in Bind jargon is called a DNS Response Policy Zone? – HBruijn Apr 24 '17 at 14:33
  • @HBruijn thanks for the idea, I can't find anything that relates to DNS types, only addresses. Hopefully I am wrong... – Joe Dohn Apr 24 '17 at 15:11
  • Blocking all TXT records might create other problems, e.g. with mail servers putting SPF data in there. Once TXT records are blocked, they will start building tunnels over HTTP, or DNS A records, or ... – Tommiie Oct 10 '18 at 11:26
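Since blocking TXT outright breaks legitimate uses such as SPF, a detection-oriented alternative is to watch the forwarder's query log for clients that send bursts of long, random-looking TXT queries under one parent domain, which is the traffic pattern an iodine-style tunnel produces. The script below is an added example, not code from the question or from BIND; it parses standard BIND 9 query-log lines, and the sample log, parent-domain grouping and thresholds (5 queries, 20-character labels) are constructed assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict

# BIND 9 query-log line, e.g.
#   24-Apr-2017 14:33:01.001 client 10.0.0.5#51001 (example.com): query: example.com IN A +E(0)K (10.0.0.2)
# Newer releases insert "@0x..." after "client"; the pattern accepts both forms.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+) "
)

# Constructed sample log (not from the question): one client doing ordinary
# lookups, one client sending a burst of long TXT queries under a single
# parent domain, which is how iodine-style tunnels carry data upstream.
_TUNNEL_LABELS = ["aGVsbG8gd29ybGQgdGhpcyBpcyBh", "dGVzdCBvZiB0aGUgZW1lcmdlbmN5",
                  "YnJvYWRjYXN0IHN5c3RlbS4gVGhp", "cyBpcyBvbmx5IGEgdGVzdC4gSWYg",
                  "dGhpcyB3ZXJlIGEgcmVhbCBlbWVy", "Z2VuY3kgeW91IHdvdWxkIGJlIGlu"]
SAMPLE_LOG = "\n".join(
    ["24-Apr-2017 14:33:01.001 client 10.0.0.5#51001 (example.com): query: example.com IN A +E(0)K (10.0.0.2)",
     "24-Apr-2017 14:33:01.002 client 10.0.0.5#51002 (example.com): query: example.com IN TXT +E(0)K (10.0.0.2)"]
    + [f"24-Apr-2017 14:33:0{i}.000 client 10.0.0.9#5100{i} ({lbl}.t.example.net): "
       f"query: {lbl}.t.example.net IN TXT + (10.0.0.2)"
       for i, lbl in enumerate(_TUNNEL_LABELS, 1)]
)


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for every log line that parses as a query."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype")


def txt_tunnel_suspects(log_text, min_txt=5, min_label_len=20):
    """Count, per client and parent domain, TXT queries whose leftmost label is
    unusually long. Clients with at least min_txt such queries to one parent
    domain are returned with their counts. Benign TXT lookups (SPF, DKIM, DMARC)
    use short, repeating names and never reach the threshold."""
    counts = defaultdict(lambda: defaultdict(int))
    for ip, name, qtype in parse_queries(log_text):
        first, _, parent = name.partition(".")
        if qtype == "TXT" and parent and len(first) >= min_label_len:
            counts[ip][parent] += 1
    return {ip: {parent: n for parent, n in parents.items() if n >= min_txt}
            for ip, parents in counts.items()
            if any(n >= min_txt for n in parents.values())}


if __name__ == "__main__":
    print(txt_tunnel_suspects(SAMPLE_LOG))  # {'10.0.0.9': {'t.example.net': 6}}
```

Pipe `tail -F` of the query log (enabled with `rndc querylog on`) into a small wrapper around `txt_tunnel_suspects` per time window to turn this into a live alert rather than a one-off scan.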

0 Answers