WireGuard with DNS Tunneling Detection — The Hard Way
Categories:
[security],
[networking]
Tags:
[wireguard],
[squid],
[dns],
[detection],
[linux]
So you’ve got a bunch of machines connected over WireGuard. Clean. Fast. Encrypted.
But how do you know if one of them is being abused to sneak out data via DNS tunneling?
Let’s go old-school and detect it ourselves — no fancy appliances. Just logs, analysis, and a sharp eye.
Step 1: Make Squid the only path to a resolver
Squid is an HTTP proxy, so it never sees raw UDP/53 queries. What it does see is the hostname of every GET and CONNECT request, which it resolves on the peer's behalf. Point the WireGuard peers at the proxy and block direct UDP/53 egress from the tunnel interface at the firewall, and the access log becomes a record of what each peer resolves. On your Debian (for instance) proxy box, also close the side door of a CONNECT tunnel to port 53 of an outside resolver (this deny has to sit before your http_access allow rules):
acl dns_ports port 53
http_access deny CONNECT dns_ports
Then add a log format that records the requested hostname, and write the access log with it:
logformat squid_dns %ts.%03tu %>a %>rm %ru %>Hs %<st %>rd
access_log /var/log/squid/access.log squid_dns
%>rd is the domain from the client's request URL (Squid 4 and later). The first field is Unix epoch seconds with milliseconds, not an ISO date, which matters when you parse it. Now every hostname the peers ask for lands in access.log. What does not land there is the record type: Squid only asks for A and AAAA records on the peer's behalf, so the TXT lookups classic tunnels rely on are invisible here, and a real tunnel client speaks raw UDP/53 to begin with, which is why the firewall block matters.
Step 2: Parse and index logs
Ship the logs to Elastic via Filebeat:
filebeat.inputs:
  - type: log
    paths:
      - /var/log/squid/access.log
    fields:
      log_type: squid_dns
output.logstash:
  hosts: ["logstash.local:5044"]
And on Logstash:
filter {
  if [fields][log_type] == "squid_dns" {
    # Fields in the order the squid_dns logformat writes them. The first
    # field is Unix epoch seconds with milliseconds, not an ISO 8601 date.
    grok {
      match => { "message" => "%{NUMBER:timestamp} %{IP:src_ip} %{WORD:method} %{NOTSPACE:url} %{NUMBER:status:int} %{NUMBER:bytes:int} %{NOTSPACE:domain}" }
    }
    # Set @timestamp from the request time so the range queries below
    # work on when the request happened, not when it was ingested.
    date {
      match => [ "timestamp", "UNIX" ]
    }
    mutate {
      add_tag => [ "dns_monitoring" ]
    }
  }
}
Step 3: Watch for tunneling patterns
Once parsed, build an Elastic query for:
- High-frequency requests from a single host to one zone
- A fresh, never-repeated subdomain on nearly every request (the label carries data, so nothing is ever served from cache)
- Long, encoded leftmost labels (regex for hex, base32 or base64url; a DNS label is at most 63 characters, and base64's + and / cannot appear in one)
- Consistent request cadence (e.g., every 3 seconds)
- TXT record lookups, if you also have a resolver query log or a capture on wg0: the Squid log carries hostnames only, never record types
Example query (the regexp runs against the keyword subfield that the default dynamic mapping adds to the domain field, and asks for a label of at least 30 hex, base32 or base64url characters before a dot; drop the method clause if you also want plain-HTTP GETs to encoded hostnames):
{
  "query": {
    "bool": {
      "must": [
        { "match": { "method": "CONNECT" }},
        { "regexp": { "domain.keyword": ".*[A-Za-z0-9_-]{30,}\\..*" }}
      ],
      "filter": [
        { "range": { "@timestamp": { "gte": "now-15m" }}}
      ]
    }
  }
}
Want to get clever? Add a terms aggregation on src_ip, then on domain, with a cardinality sub-aggregation to count distinct subdomains per host and zone, and compute an entropy score for the leftmost label at ingest time (a Logstash ruby filter, or a script over the log) so it lands in the index as a number you can range-filter and aggregate on; there is no built-in string-entropy aggregation.
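As an added example (not code from the original post, nor from Squid or Elastic), here is the Step 3 logic run outside Elastic over sample lines in the squid_dns format. It groups requests by client and zone, computes the indicators above (rate, label length and alphabet, one-shot subdomains, entropy, cadence) and flags the groups that trip them. The log lines are constructed; the zone split (last two labels) and the thresholds are assumptions to tune against your own traffic.

```python
"""Score Squid access-log lines for DNS-tunnelling-style hostname patterns.

Added example, not from the original post or from Squid/Elastic. It assumes the
squid_dns logformat from Step 1 (epoch.millis, client IP, method, URL, status,
bytes, request domain) and runs on a constructed sample log built below.
"""
import hashlib
import math
import re
import statistics
from collections import Counter, defaultdict

# One access.log line: "%ts.%03tu %>a %>rm %ru %>Hs %<st %>rd"
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "
                     r"(?P<status>\d+) (?P<bytes>\d+) (?P<domain>\S+)$")
# Hex, base32 or base64url label: base64's '+' and '/' are not legal in hostnames.
ENCODED_RE = re.compile(r"^(?:[0-9a-f]{16,}|[a-z2-7]{20,}|[a-z0-9_-]{24,})$", re.I)

def shannon_entropy(s):
    """Bits per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_line(line):
    """Parse one squid_dns line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": float(d["ts"]), "src": d["src"], "method": d["method"],
            "status": int(d["status"]), "bytes": int(d["bytes"]),
            "domain": d["domain"].lower().rstrip(".")}

def split_domain(domain):
    """(subdomain labels, zone); zone = last two labels, a simplification
    (assumption) that needs a public-suffix list for co.uk-style zones."""
    labels = domain.split(".")
    return labels[:-2], ".".join(labels[-2:])

def analyze(lines, min_requests=10):
    """Group requests by (client, zone); features["rules"] is empty for a clean group."""
    groups = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        subs, zone = split_domain(ev["domain"])
        groups[(ev["src"], zone)].append((ev["ts"], subs))
    report = {}
    for key, items in groups.items():
        items.sort(key=lambda t: t[0])
        n = len(items)
        subs_joined = [".".join(s) for _, s in items]
        leftmost = [s[0] for _, s in items if s]  # the label that carries payload
        f = {"n": n, "distinct_subs": len(set(subs_joined)),
             "max_label": max((len(l) for _, s in items for l in s), default=0),
             "mean_entropy": statistics.fmean([shannon_entropy(s) for s in subs_joined]),
             "encoded_frac": (sum(bool(ENCODED_RE.match(l)) for l in leftmost) / len(leftmost)
                              if leftmost else 0.0),
             "interval_cv": None}  # coefficient of variation of inter-arrival gaps
        if n >= 3:
            gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
            mean_gap = statistics.fmean(gaps)
            f["interval_cv"] = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else None
        rules = []  # thresholds below are assumptions; tune them on your own traffic
        if n >= min_requests:
            rules.append("high_rate")
            if f["distinct_subs"] / n >= 0.9:
                rules.append("unique_subdomains")  # a fresh label per request = data
        if f["max_label"] >= 30 and f["encoded_frac"] >= 0.5:
            rules.append("long_encoded_labels")
        if n >= 3 and f["mean_entropy"] >= 3.2:
            rules.append("high_entropy")
        if n >= 5 and f["interval_cv"] is not None and f["interval_cv"] < 0.2:
            rules.append("regular_interval")  # beacon-like cadence, e.g. every 3 s
        f["rules"] = rules
        report[key] = f
    return report

def build_sample_log():
    """Constructed sample: 10.8.0.5 does ordinary apt traffic; 10.8.0.12 sends a
    fresh 40-hex-char label under exfil-example.net about every 3 seconds."""
    benign = [
        "1717000000.101 10.8.0.5 GET http://deb.debian.org/debian/dists/bookworm/InRelease 200 125233 deb.debian.org",
        "1717000004.412 10.8.0.5 CONNECT security.debian.org:443 200 35211 security.debian.org",
        "1717000037.900 10.8.0.5 CONNECT www.debian.org:443 200 8813 www.debian.org",
        "1717000110.003 10.8.0.5 GET http://deb.debian.org/debian/pool/main/c/curl/curl_8.5.0-2_amd64.deb 200 302114 deb.debian.org",
    ]
    tunnel = []
    for i in range(12):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]
        host = f"{label}.t.exfil-example.net"
        ts = 1717000000.0 + 3 * i + (i % 3) * 0.05  # 3 s cadence with slight jitter
        tunnel.append(f"{ts:.3f} 10.8.0.12 CONNECT {host}:443 200 {64 + i} {host}")
    return benign + tunnel

SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for (src, zone), f in sorted(analyze(SAMPLE_LOG).items()):
        print("SUSPECT" if f["rules"] else "ok", src, zone, f["n"], f["max_label"],
              round(f["mean_entropy"], 2), f["interval_cv"], ",".join(f["rules"]))
```

Run as is, the exfil-example.net group trips all five rules and the apt traffic is left alone. In practice point it at a 15-minute slice of access.log; the per-group features are exactly what a Logstash ruby filter would compute at ingest so that entropy and cadence become fields you can aggregate on.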
Final tip: this is not enterprise-grade DNS firewalling. Squid only shows you hostnames, never record types, and a peer that tunnels over DNS-over-HTTPS through a CONNECT to port 443 looks like any other TLS session in this log. But it's your network, and you'd be surprised what you can detect with just logs and some grep-style elbow grease.