<div dir="ltr"><div dir="ltr"><div>Hello André,</div><div><br></div><div>Blocking a complete suffix in dnsdist can be done with a SuffixMatchNode [1]. You can then use a SuffixMatchNodeRule [2] in a rule. For example:</div><div><br></div><div>evilDomains = newSuffixMatchNode()</div><div>evilDomains:add("<a href="http://evildomain.com">evildomain.com</a>")</div><div>addAction(SuffixMatchNodeRule(evilDomains), PoolAction("abuse"))</div><div><br></div><div>Now any requests that query a QNAME that ends in "<a href="http://evildomain.com">evildomain.com</a>" will be sent to the "abuse" pool, or any other action [3] you want.</div><div><br></div><div>And if you connect to the CLI via a client connection (dnsdist -c), you can still manage the SuffixMatchNode, for example:</div><div><br></div><div>evilDomains:remove("<a href="http://evildomain.com">evildomain.com</a>")</div><div>evilDomains:add("<a href="http://otherdomain.com">otherdomain.com</a>")</div><div>tostring(evilDomains:check(newDNSName("<a href="http://evildomain.com">evildomain.com</a>")))</div><div></div><div><br></div><div><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><font color="#000000" style="font-size:12.8px"><span style="font-size:12.8px">With kind regards,</span><br style="font-size:12.8px"><span style="font-size:12.8px">Michel Otte</span></font><br style="font-size:12.8px;color:rgb(136,136,136)"></div><div dir="ltr"><br></div><div dir="ltr">[1]: <a href="https://dnsdist.org/reference/config.html#suffixmatchnode">https://dnsdist.org/reference/config.html#suffixmatchnode</a></div></div></div>[2]: <a href="https://dnsdist.org/reference/selectors.html#SuffixMatchNodeRule">https://dnsdist.org/reference/selectors.html#SuffixMatchNodeRule</a></div><div>[3]: <a href="https://dnsdist.org/reference/actions.html">https://dnsdist.org/reference/actions.html</a></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr"><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div> <div dir="auto">Hello everyone,</div><div dir="auto"><br></div><div dir="auto">A tactic to thwart DNS sinkholes is not to have an A record in the domain name and then offer hundreds or more subdomains that can be reached via UDP, and if firewall blocked, via TCP. At least, it’s what I’m facing.</div><div dir="auto"><br></div><div dir="auto">It’s laborious work to identify each subdomain, add firewall rules, host entries etc to then discover its resilience on trying different variations on subdomains hinting at a wildcard setup where any is valid.</div><div dir="auto"><br></div><div dir="auto">I wanted to enquire about the possibility of a wildcard sinkhole to spoof the main domain and all of the subdomains to tackle such scenarios as I’ve didn’t get it to work</div><div dir="auto"><br></div><div dir="auto">Best regards </div><div dir="auto">André Ferreira</div></div>_______________________________________________<br>
dnsdist mailing list<br>
<a href="mailto:dnsdist@mailman.powerdns.com" target="_blank">dnsdist@mailman.powerdns.com</a><br>
<a href="https://mailman.powerdns.com/mailman/listinfo/dnsdist" rel="noreferrer" target="_blank">https://mailman.powerdns.com/mailman/listinfo/dnsdist</a><br>
</blockquote></div></div>