Hello André,

Blocking a complete suffix in dnsdist can be done with a SuffixMatchNode [1]. You can then use a SuffixMatchNodeRule [2] in a rule. For example:

    -- build a set of suffixes and route every matching query to the "abuse" pool
    evilDomains = newSuffixMatchNode()
    evilDomains:add("evildomain.com")
    addAction(SuffixMatchNodeRule(evilDomains), PoolAction("abuse"))

Now any requests that query a QNAME that ends in "evildomain.com" will be sent to the "abuse" pool, or any other action [3] you want. And if you connect to the CLI via a client connection (dnsdist -c), you can still manage the SuffixMatchNode, for example:

    -- the node can be changed at runtime without restarting dnsdist
    evilDomains:remove("evildomain.com")
    evilDomains:add("otherdomain.com")
    -- check() returns a boolean; "false" now that the suffix was removed
    tostring(evilDomains:check(newDNSName("evildomain.com")))

With kind regards,
Michel Otte

[1]: https://dnsdist.org/reference/config.html#suffixmatchnode
[2]: https://dnsdist.org/reference/selectors.html#SuffixMatchNodeRule
[3]: https://dnsdist.org/reference/actions.html

> Hello everyone,
>
> A tactic to thwart DNS sinkholes is not to have an A record in the domain
> name and then offer hundreds or more subdomains that can be reached via
> UDP, and if firewall blocked, via TCP. At least, it’s what I’m facing.
>
> It’s laborious work to identify each subdomain, add firewall rules, host
> entries etc. to then discover its resilience on trying different variations
> on subdomains hinting at a wildcard setup where any is valid.
>
> I wanted to enquire about the possibility of a wildcard sinkhole to spoof
> the main domain and all of the subdomains to tackle such scenarios, as I
> didn’t get it to work.
>
> Best regards
> André Ferreira
> _______________________________________________
> dnsdist mailing list
> dnsdist@mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/dnsdist
>
_______________________________________________ dnsdist mailing list dnsdist@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/dnsdist
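Added example (not from the thread and not dnsdist's own code): a small Python model of what a SuffixMatchNode does, so the behaviour Michel describes can be checked offline. Names are compared label by label in a reversed-label tree, which is why one entry for "evildomain.com" covers the apex and every subdomain (including wildcard-generated ones) while a look-alike such as "notevildomain.com" does not match. The class, the route() helper standing in for PoolAction("abuse"), and the query names are all constructed for illustration.

```python
# Added example: label-wise suffix matching modelled on dnsdist's
# SuffixMatchNode (not dnsdist code; names and queries are constructed).
from __future__ import annotations
from dataclasses import dataclass, field


def labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


@dataclass
class SuffixMatchNode:
    """Tree keyed by labels in reverse order (TLD first), like a zone cut."""
    children: dict[str, "SuffixMatchNode"] = field(default_factory=dict)
    end: bool = False  # True when a configured suffix terminates at this node

    def add(self, name: str) -> None:
        """Register a suffix; adding "." (no labels) marks the root and matches all."""
        node = self
        for label in reversed(labels(name)):
            node = node.children.setdefault(label, SuffixMatchNode())
        node.end = True

    def remove(self, name: str) -> bool:
        """Unregister a suffix; returns False if it was never added. Prunes empty branches."""
        path: list[tuple[SuffixMatchNode, str]] = []
        node = self
        for label in reversed(labels(name)):
            child = node.children.get(label)
            if child is None:
                return False
            path.append((node, label))
            node = child
        if not node.end:
            return False
        node.end = False
        for parent, label in reversed(path):  # drop nodes no longer needed
            child = parent.children[label]
            if child.end or child.children:
                break
            del parent.children[label]
        return True

    def check(self, qname: str) -> bool:
        """True if qname equals, or is a subdomain of, any registered suffix."""
        node = self
        if node.end:
            return True
        for label in reversed(labels(qname)):
            node = node.children.get(label)
            if node is None:
                return False
            if node.end:
                return True
        return False


def route(smn: SuffixMatchNode, qname: str) -> str:
    """Stand-in for addAction(SuffixMatchNodeRule(smn), PoolAction("abuse"))."""
    return "abuse" if smn.check(qname) else "default"


def demo() -> dict[str, str]:
    """Route a few constructed QNAMEs through a single-suffix rule."""
    evil = SuffixMatchNode()
    evil.add("evildomain.com")
    queries = [
        "evildomain.com",              # apex
        "c2.evildomain.com.",          # trailing dot, one label below
        "x7q.deep.evildomain.com",     # wildcard-style deep subdomain
        "notevildomain.com",           # string suffix, not a label suffix
        "evildomain.com.example.net",  # suffix must be at the end of the name
    ]
    return {q: route(evil, q) for q in queries}


if __name__ == "__main__":
    for q, pool in demo().items():
        print(f"{q:32} -> {pool}")
```

Because matching stops at the first registered node on the way down from the TLD, the lookup cost is bounded by the number of labels in the query, not by the number of subdomains an attacker generates; that is the property that makes a suffix rule a practical answer to the wildcard case in André's question.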