As DNS over TLS popularity is increasing, port 853 becomes more interesting for an attacker as a bypass method. Enabling this port for DNS monitoring makes sense in order to avoid unusual activity (non-DNS traffic) as well as "normal" DNS attacks.
Partially fixes #11808
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
---
 config/suricata/suricata.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index d7302788c..67b9e8a7d 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -208,11 +208,11 @@ app-layer: tcp: enabled: yes detection-ports: - dp: 53 + dp: "[53,853]" udp: enabled: yes detection-ports: - dp: 53 + dp: "[53,853]" http: enabled: yes # memcap: 64mb
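Review bot: Adding 853 to the DNS `detection-ports` (`dp: "[53,853]"`) does not give the DNS parser visibility into DNS-over-TLS, because the queries on TCP/853 are inside a TLS session that the DNS app-layer parser cannot decode; the "normal DNS attacks" the message wants covered will still not be matched by DNS rules on that port, while TLS itself is already recognised by Suricata's pattern-based protocol detection regardless of port. What the change can achieve is making cleartext DNS (or other non-TLS traffic) on 853 parseable, so the commit message should state that narrower goal. The UDP half of the hunk also deserves a comment: UDP/853 is not DNS over TLS but DNS over DTLS, which is again encrypted, so the same limitation applies there and the message's rationale does not cover it. Suggest either keeping only the TCP change with an explanation of what it detects, or documenting both ports and the expected effect (flagging non-TLS traffic on 853) in the commit message before merging.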