What is the best solution or product to protect from all types of DNS Tunneling attacks?

2.1k views, 10 Upvotes, 5 Comments

Information Security Manager in Finance (non-banking), 1,001 - 5,000 employees
Best solution: do not let your internal systems query the Internet directly (i.e. do not forward external DNS queries to the Internet) and only allow internal systems to contact Internet systems via a proxy system (i.e. defining an explicit HTTP/SOCKS proxy). Endpoint systems that might be remote would then always be on a VPN that uses the internal resources.

If you do have to let internal systems query external DNS on the Internet and/or if you have many remote users outside your network that you cannot easily control, maybe an alternative is to use SASE (such as Zscaler) or, if you want to tackle only the DNS problem, consider Infoblox products (e.g. BloxOne Threat Defense, or their DNS firewall). Infoblox will try to block malicious queries at different points based on DNS behaviour + Threat Intelligence information.
Sr Network Administrator in Education, 5,001 - 10,000 employees
Fortigate firewall
Jr Systems Engineer in Education, 5,001 - 10,000 employees

Splunk can be utilized to mitigate these kinds of attacks.

Network and Security Architect team lead in Finance (non-banking), 10,001+ employees
Cisco Umbrella can protect against DNS tunnel attacks with simple configuration.
Cyber security analyst in Energy and Utilities, 5,001 - 10,000 employees
We can use different approaches that can be effective in protecting against DNS tunneling attacks. One option is to use a network firewall that has the capability to detect and block DNS tunneling traffic. This can be done by setting up rules that block or limit the amount of DNS traffic that is allowed to pass through the firewall. Additionally, you can use a DNS firewall or a DNS security solution, which is specifically designed to detect and block DNS tunneling traffic.

Network Firewalls:

-Palo Alto Networks Next-Generation Firewall
-Fortinet FortiGate Firewall
-Check Point Next-Generation Firewall
-Cisco Firepower Next-Generation Firewall
-Sophos XG Firewall

There are free ones we can try as well, like pfSense, Untangle, ClearOS, VyOS.

DNS Security:

-Infoblox DDI
-EfficientIP SOLIDserver DDI
-Men&Mice DDI
-BlueCat DNS Integrity
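
The "DNS behaviour" signal that several answers above rely on, sketched as an added example (it is not part of any comment and not any vendor's implementation): group logged queries by base domain and flag domains that receive many unique, long, high-entropy subdomains. The log entries, the thresholds and the two-label `base_domain` rule are assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed (client_ip, queried_name) pairs; not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "www.example.org"),
    ("10.0.0.9", "mzxw6ytboi2gk3tfon2gs3thebuxg5dp.t.tunnel.test"),
    ("10.0.0.9", "nbswy3dpeb3w64tmmqqho2lunbqxizlt.t.tunnel.test"),
    ("10.0.0.9", "orugs4zanfzsa5dfon2ca3lfonzwcz3f.t.tunnel.test"),
    ("10.0.0.9", "ivxgg33emvscazdborqsa2loebcg4lro.t.tunnel.test"),
]

def entropy(text):
    """Shannon entropy in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def base_domain(name):
    # Assumption: the last two labels are the registered domain.
    # Real deployments should use the Public Suffix List instead.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def suspicious_domains(log, min_unique=3, min_avg_len=24, min_entropy=3.5):
    """Return {domain: stats} where subdomains look like encoded data."""
    subs, clients = defaultdict(set), defaultdict(set)
    for client, name in log:
        name = name.rstrip(".").lower()
        dom = base_domain(name)
        sub = name[: -len(dom)].rstrip(".")  # everything left of the base domain
        if sub:
            subs[dom].add(sub)
            clients[dom].add(client)
    flagged = {}
    for dom, names in subs.items():
        avg_len = sum(len(s) for s in names) / len(names)
        bits = entropy("".join(s.replace(".", "") for s in names))
        # All three signals must agree, which keeps CDN-style hostnames quiet.
        if len(names) >= min_unique and avg_len >= min_avg_len and bits >= min_entropy:
            flagged[dom] = {"unique": len(names), "avg_len": avg_len,
                            "entropy": round(bits, 2), "clients": sorted(clients[dom])}
    return flagged

if __name__ == "__main__":
    for dom, stats in suspicious_domains(SAMPLE_LOG).items():
        print(dom, stats)
```

The same grouping can be expressed as a scheduled search over resolver logs in a SIEM; the thresholds need tuning against a baseline of the organisation's own traffic.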
