[dnsdist] Missing A records and spoofing

Michel Otte michel at cybox.nl
Wed Jul 24 06:48:04 UTC 2024


Hello André,

Blocking a complete suffix in dnsdist can be done with a SuffixMatchNode
[1]. You can then use a SuffixMatchNodeRule [2] in a rule. For example:

evilDomains = newSuffixMatchNode()
evilDomains:add("evildomain.com")
addAction(SuffixMatchNodeRule(evilDomains), PoolAction("abuse"))

Now any requests that query a QNAME that ends in "evildomain.com" will be
sent to the "abuse" pool, or any other action [3] you want.

And if you connect to the CLI via a client connection (dnsdist -c), you can
still manage the SuffixMatchNode, for example:

evilDomains:remove("evildomain.com")
evilDomains:add("otherdomain.com")
tostring(evilDomains:check(newDNSName("evildomain.com")))

With kind regards,
Michel Otte

[1]: https://dnsdist.org/reference/config.html#suffixmatchnode
[2]: https://dnsdist.org/reference/selectors.html#SuffixMatchNodeRule
[3]: https://dnsdist.org/reference/actions.html


> Hello everyone,
>
> A tactic to thwart DNS sinkholes is not to have an A record in the domain
> name and then offer hundreds or more subdomains that can be reached via
> UDP, and if firewall blocked, via TCP. At least, it’s what I’m facing.
>
> It’s laborious work to identify each subdomain, add firewall rules, host
> entries etc to then discover its resilience on trying different variations
> on subdomains hinting at a wildcard setup where any is valid.
>
> I wanted to enquire about the possibility of a wildcard sinkhole to spoof
> the main domain and all of the subdomains to tackle such scenarios, as I
> didn’t get it to work.
>
> Best regards
> André Ferreira
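
Added example (not part of the original message and not code from the dnsdist project): a dnsdist configuration sketch that applies the SuffixMatchNodeRule from the reply with SpoofAction, so the domain and every name below it resolve to a sinkhole. The sinkhole addresses are documentation-range placeholders and the variable names are assumptions.

```lua
-- Constructed example for dnsdist.conf.
-- "evildomain.com" is the name used in the thread; 192.0.2.1 and
-- 2001:db8::1 are placeholder sinkhole addresses (assumption).

-- Kept global (no "local") so the set can still be edited from the
-- console (dnsdist -c) with :add() / :remove() as described in the reply.
sinkholed = newSuffixMatchNode()
sinkholed:add("evildomain.com")

-- Matching is done per DNS label: the apex and any depth of subdomain
-- are covered, while a different name that merely shares the trailing
-- characters (e.g. "notevildomain.com") is not.

-- A and AAAA queries under the suffix get a forged answer. This does
-- not depend on the real zone having an A record at the queried name,
-- so a missing apex record or a wildcard setup makes no difference.
addAction(
  AndRule({
    SuffixMatchNodeRule(sinkholed),
    OrRule({ QTypeRule(DNSQType.A), QTypeRule(DNSQType.AAAA) })
  }),
  SpoofAction({ "192.0.2.1", "2001:db8::1" })
)

-- Any other query type under the suffix (TXT, MX, CNAME, ...) is
-- answered locally with an empty NOERROR response, so nothing for
-- these names is forwarded to a backend.
addAction(
  SuffixMatchNodeRule(sinkholed),
  RCodeAction(DNSRCode.NOERROR)
)
```

Rules are evaluated in the order they are added, so these two need to come before any rule that would route the same names to a pool.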