[Dnsmasq-discuss] blocking txt-record

Jim Alles kb3tbx at gmail.com
Mon Mar 6 21:28:25 GMT 2017


OK, so on a network with no mail servers (residential/SMB relying on
WebMail) it may not be an issue.
Is blocking TXT queries possible?

I found this:
"Once the initial DNS response is received by the malware, it then
iterates to the next subdomain which is 'mail'. The malware uses this
domain in another DNS TXT record query to attempt to retrieve the
Stage 4 payload associated with this infection process. The response
to this DNS request results in the transmission of the fourth stage
malware, stored within the TXT record as displayed in Figures 10 and
11. Due to the size of the Stage 4 payload, DNS makes use of TCP for
this transaction."

here: http://blog.talosintelligence.com/2017/03/dnsmessenger.html

I have previously blocked TCP port 53 at my firewall (Untangle NGFW),
and have not observed an ill effect.

OpenDNS (Cisco Umbrella) also has the target domains blocked at this
time. My dnsmasq instance is pointed there for filtering my home
Internet.

This threat appears to be extinguished pretty well, anyway.

regards,
Jim A.

On Mon, Mar 6, 2017 at 3:47 PM, Kurt H Maier <khm at sciops.net> wrote:
> On Mon, Mar 06, 2017 at 03:21:53PM -0500, Jim Alles wrote:
>>
>> Can / should dnsmasq be used to block DNS TXT record retrieval?
>
> Blocking TXT queries wholesale will stop many SPF records from getting
> through, which can interfere with email delivery.
>
>
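As an added example (not from this thread, and not dnsmasq's own code), a small Python checker that runs over dnsmasq `log-queries` lines and flags a client that walks several TXT subdomains of one domain, while letting apex SPF and `_dmarc` lookups through, which is the trade-off Kurt raises. The log lines are constructed, and the two-label base-domain guess is an assumption that ignores public-suffix cases like co.uk.

```python
import re
from collections import defaultdict

# dnsmasq 'log-queries' line: "... dnsmasq[pid]: query[TYPE] name from client"
QUERY_RE = re.compile(r"query\[(?P<rtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")

# Constructed sample log lines (not real traffic): one host does SPF-style
# apex lookups, another walks subdomains with TXT queries, as the Talos
# write-up describes.
SAMPLE_LOG = """\
Mar  6 21:01:02 dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Mar  6 21:01:03 dnsmasq[812]: query[TXT] example.com from 192.168.1.20
Mar  6 21:01:04 dnsmasq[812]: query[TXT] _dmarc.example.com from 192.168.1.20
Mar  6 21:02:10 dnsmasq[812]: query[TXT] stage.bad-domain.test from 192.168.1.31
Mar  6 21:02:11 dnsmasq[812]: query[TXT] mail.bad-domain.test from 192.168.1.31
Mar  6 21:02:12 dnsmasq[812]: query[TXT] www.bad-domain.test from 192.168.1.31
Mar  6 21:02:13 dnsmasq[812]: query[TXT] ns1.bad-domain.test from 192.168.1.31
"""

def base_domain(name):
    # Naive registrable-domain guess: last two labels (assumption; a public
    # suffix list would be needed for co.uk-style domains).
    return ".".join(name.rstrip(".").split(".")[-2:])

def is_mail_policy_lookup(name):
    # Apex TXT (SPF) and _dmarc.<apex> lookups are expected mail-related traffic.
    labels = name.rstrip(".").split(".")
    return len(labels) == 2 or (len(labels) == 3 and labels[0] == "_dmarc")

def txt_subdomain_walks(log_text, threshold=3):
    """Return {(client, base_domain): sorted distinct TXT names} for clients
    that queried TXT records for >= threshold distinct non-apex subdomains."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m["rtype"] != "TXT" or is_mail_policy_lookup(m["name"]):
            continue
        seen[(m["client"], base_domain(m["name"]))].add(m["name"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (client, dom), names in txt_subdomain_walks(SAMPLE_LOG).items():
        print(f"{client} walked {len(names)} TXT subdomains under {dom}: {names}")
```

Feeding it a real dnsmasq log (e.g. from syslog) and tuning `threshold` gives a cheap TXT-walk alert without blocking TXT wholesale.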
