[dnsdist] Missing A records and spoofing

André Ferreira mestreandreferreira at proton.me
Wed Jul 24 15:35:44 UTC 2024 

Thank you kindly for the reply Michel.

I've tried something like it before with no luck, however the command line arguments you offered at least moved me a step forward, as it confirms the setup.
However, the offending subdomains still resolve, example:

# dnsdist -c
> tostring(evilDomains:check(newDNSName("1e100.net")))
true
> quit
# nslookup
> server 192.168.1.2
Default server: 192.168.1.2
Address: 192.168.1.2#53
>mad07s25-in-f3.1e100.net
Server: 192.168.1.2
Address: 192.168.1.2#53

Non-authoritative answer:
Name:mad07s25-in-f3.1e100.net
Address: 142.250.201.67
Name:mad07s25-in-f3.1e100.net
Address: 2a00:1450:4003:811::3

And the lines in /etc/dnsdist/dnsdist.conf are:

evilDomains = newSuffixMatchNode()
evilDomains:add("1e100.net")
addAction(SuffixMatchNodeRule(evilDomains), SpoofAction("0.0.0.0"))

I tried with PoolAction but it also didn't work.
Restarted the server and even rebooted for an update.

Any ideas?

On Wed, Jul 24, 2024 at 08:48, Michel Otte <[michel at cybox.nl](mailto:On Wed, Jul 24, 2024 at 08:48, Michel Otte <<a href=)> wrote:

> Hello André,
>
> Blocking a complete suffix in dnsdist can be done with a SuffixMatchNode [1]. You can then use a SuffixMatchNodeRule [2] in a rule. For example:
>
> evilDomains = newSuffixMatchNode()
> evilDomains:add("evildomain.com")
> addAction(SuffixMatchNodeRule(evilDomains), PoolAction("abuse"))
>
> Now any requests that query a QNAME that ends in "evildomain.com" will be sent to the "abuse" pool, or any other action [3] you want.
>
> And if you connect to the CLI via a client connection (dnsdist -c), you can still manage the SuffixMatchNode, for example:
>
> evilDomains:remove("evildomain.com")
> evilDomains:add("otherdomain.com")
> tostring(evilDomains:check(newDNSName("evildomain.com")))
>
> With kind regards,
> Michel Otte
>
> [1]: https://dnsdist.org/reference/config.html#suffixmatchnode
> [2]: https://dnsdist.org/reference/selectors.html#SuffixMatchNodeRule
> [3]: https://dnsdist.org/reference/actions.html
>
>> Hello everyone,
>>
>> A tactic to thwart DNS sinkholes is not to have an A record in the domain name and then offer hundreds or more subdomains that can be reached via UDP, and if firewall blocked, via TCP. At least, it’s what I’m facing.
>>
>> It’s laborious work to identify each subdomain, add firewall rules, host entries etc to then discover its resilience on trying different variations on subdomains hinting at a wildcard setup where any is valid.
>>
>> I wanted to enquire about the possibility of a wildcard sinkhole to spoof the main domain and all of the subdomains to tackle such scenarios as I’ve didn’t get it to work
>>
>> Best regards
>> André Ferreira
>> _______________________________________________
>> dnsdist mailing list
>> dnsdist at mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/dnsdist
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20240724/7d99947d/attachment.htm>

More information about the dnsdist mailing list