Thank you kindly for the reply Michel.
I've tried something like it before with no luck, however the command line
arguments you offered at least moved me a step forward, as it confirms the
setup.
However, the offending subdomains still resolve, example:
# dnsdist -c
> tostring(evilDomains:check(newDNSName("1e100.net")))
true
> quit
# nslookup
> server 192.168.1.2
Default server: 192.168.1.2
Address: 192.168.1.2#53
>mad07s25-in-f3.1e100.net
Server: 192.168.1.2
Address: 192.168.1.2#53
Non-authoritative answer:
Name:mad07s25-in-f3.1e100.net
Address: 142.250.201.67
Name:mad07s25-in-f3.1e100.net
Address: 2a00:1450:4003:811::3
And the lines in /etc/dnsdist/dnsdist.conf are:
evilDomains = newSuffixMatchNode()
evilDomains:add("1e100.net")
addAction(SuffixMatchNodeRule(evilDomains), SpoofAction("0.0.0.0"))
I tried with PoolAction but it also didn't work.
Restarted the server and even rebooted for an update.
Any ideas?
On Wed, Jul 24, 2024 at 08:48, Michel Otte <[mic...@cybox.nl](mailto:On Wed,
Jul 24, 2024 at 08:48, Michel Otte <<a href=)> wrote:
> Hello André,
>
> Blocking a complete suffix in dnsdist can be done with a SuffixMatchNode [1].
> You can then use a SuffixMatchNodeRule [2] in a rule. For example:
>
> evilDomains = newSuffixMatchNode()
> evilDomains:add("evildomain.com")
> addAction(SuffixMatchNodeRule(evilDomains), PoolAction("abuse"))
>
> Now any requests that query a QNAME that ends in "evildomain.com" will be
> sent to the "abuse" pool, or any other action [3] you want.
>
> And if you connect to the CLI via a client connection (dnsdist -c), you can
> still manage the SuffixMatchNode, for example:
>
> evilDomains:remove("evildomain.com")
> evilDomains:add("otherdomain.com")
> tostring(evilDomains:check(newDNSName("evildomain.com")))
>
> With kind regards,
> Michel Otte
>
> [1]: https://dnsdist.org/reference/config.html#suffixmatchnode
> [2]: https://dnsdist.org/reference/selectors.html#SuffixMatchNodeRule
> [3]: https://dnsdist.org/reference/actions.html
>
>> Hello everyone,
>>
>> A tactic to thwart DNS sinkholes is not to have an A record in the domain
>> name and then offer hundreds or more subdomains that can be reached via UDP,
>> and if firewall blocked, via TCP. At least, it’s what I’m facing.
>>
>> It’s laborious work to identify each subdomain, add firewall rules, host
>> entries etc to then discover its resilience on trying different variations
>> on subdomains hinting at a wildcard setup where any is valid.
>>
>> I wanted to enquire about the possibility of a wildcard sinkhole to spoof
>> the main domain and all of the subdomains to tackle such scenarios as I’ve
>> didn’t get it to work
>>
>> Best regards
>> André Ferreira
>> _______________________________________________
>> dnsdist mailing list
>> dnsdist@mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/dnsdist_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
