[dnsdist] Missing A records and spoofing

Michel Otte michel at cybox.nl
Thu Jul 25 07:01:11 UTC 2024


Hello André,

Then maybe share your complete configuration, or at least the output from
showRules(). I'm stating the obvious here, but maybe the rule order is
incorrect, causing a different rule to match before the rule you've added
now.

With kind regards,
Michel Otte


> Thank you kindly for the reply Michel.
>
> I've tried something like it before with no luck, however the command line
> arguments you offered at least moved me a step forward, as it confirms the
> setup.
> However, the offending subdomains still resolve, example:
>
> # dnsdist -c
> > tostring(evilDomains:check(newDNSName("1e100.net")))
> true
> > quit
> # nslookup
> > server 192.168.1.2
> Default server: 192.168.1.2
> Address: 192.168.1.2#53
> > mad07s25-in-f3.1e100.net
> Server: 192.168.1.2
> Address: 192.168.1.2#53
>
> Non-authoritative answer:
> Name: mad07s25-in-f3.1e100.net
> Address: 142.250.201.67
> Name: mad07s25-in-f3.1e100.net
> Address: 2a00:1450:4003:811::3
>
> And the lines in /etc/dnsdist/dnsdist.conf are:
>
> evilDomains = newSuffixMatchNode()
> evilDomains:add("1e100.net")
> addAction(SuffixMatchNodeRule(evilDomains), SpoofAction("0.0.0.0"))
>
> I tried with PoolAction but it also didn't work.
> Restarted the server and even rebooted for an update.
>
> Any ideas?
>
>
>
>
> On Wed, Jul 24, 2024 at 08:48, Michel Otte <michel at cybox.nl> wrote:
>
> Hello André,
>
> Blocking a complete suffix in dnsdist can be done with a SuffixMatchNode
> [1]. You can then use a SuffixMatchNodeRule [2] in a rule. For example:
>
> evilDomains = newSuffixMatchNode()
> evilDomains:add("evildomain.com")
> addAction(SuffixMatchNodeRule(evilDomains), PoolAction("abuse"))
>
> Now any requests that query a QNAME that ends in "evildomain.com" will be
> sent to the "abuse" pool, or any other action [3] you want.
>
> And if you connect to the CLI via a client connection (dnsdist -c), you
> can still manage the SuffixMatchNode, for example:
>
> evilDomains:remove("evildomain.com")
> evilDomains:add("otherdomain.com")
> tostring(evilDomains:check(newDNSName("evildomain.com")))
>
> With kind regards,
> Michel Otte
>
> [1]: https://dnsdist.org/reference/config.html#suffixmatchnode
> [2]: https://dnsdist.org/reference/selectors.html#SuffixMatchNodeRule
> [3]: https://dnsdist.org/reference/actions.html
>
>
>> Hello everyone,
>>
>> A tactic to thwart DNS sinkholes is not to have an A record on the domain
>> name and then offer hundreds or more subdomains that can be reached via
>> UDP and, if blocked by a firewall, via TCP. At least, it's what I'm facing.
>>
>> It's laborious work to identify each subdomain, add firewall rules, host
>> entries, etc., only to then discover its resilience when trying different
>> variations of subdomains, hinting at a wildcard setup where any is valid.
>>
>> I wanted to enquire about the possibility of a wildcard sinkhole to spoof
>> the main domain and all of the subdomains to tackle such scenarios, as I
>> didn't get it to work.
>>
>> Best regards
>> André Ferreira
>> _______________________________________________
>> dnsdist mailing list
>> dnsdist at mailman.powerdns.com
>> https://mailman.powerdns.com/mailman/listinfo/dnsdist
>>
>
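As an added illustration (not configuration from this thread), here is a dnsdist config that sinkholes a whole suffix, apex and every subdomain alike, with the sinkhole rules placed before any other addAction() call so that rule order, the point raised above, cannot let another rule match first; the upstream resolver address 192.168.1.1 is an assumed placeholder.

```lua
-- Added example, not from the thread. 192.168.1.1 is a placeholder upstream.
-- dnsdist answers UDP and TCP on this socket, so a client that falls back
-- to TCP after a UDP block hits exactly the same rules.
setLocal("0.0.0.0:53")
newServer({address = "192.168.1.1"})

-- One suffix entry covers the apex and every label below it, so a
-- wildcard-style set of subdomains needs no per-name entries.
evilDomains = newSuffixMatchNode()
evilDomains:add("1e100.net")
isEvil = SuffixMatchNodeRule(evilDomains)

-- Rules are evaluated in the order they were added and addAction() appends.
-- Keep the sinkhole rules before every other addAction() in the config.
-- SpoofAction picks by query type: A gets 0.0.0.0, AAAA gets ::.
addAction(isEvil, SpoofAction({"0.0.0.0", "::"}))

-- Any other type under the suffix (MX, TXT, ...) is answered NXDOMAIN
-- instead of being forwarded to the upstream resolver.
addAction(AndRule({isEvil,
                   NotRule(OrRule({QTypeRule(DNSQType.A),
                                   QTypeRule(DNSQType.AAAA)}))}),
          RCodeAction(DNSRCode.NXDOMAIN))

-- Add any further rules only after this point.

-- Checks from a console session (dnsdist -c):
--   showRules()                                   lists rules with positions
--   tostring(evilDomains:check(newDNSName("x.1e100.net")))  -> true
-- If a sinkhole rule was added later than an earlier catch-all, topRule()
-- moves the most recently added rule to the front and mvRule(from, to)
-- moves a rule by index; re-run showRules() to confirm the new order.
```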