Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 12 replies
  • Subscribers 3 subscribers
  • Views 15037 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Wildcard domain in packet filter?

TXMRS
Is there a way to specify a wildcard when defining networks by domain name?

I am trying to setup a packet filter rule to block all traffic to/from all hosts in a particular domain.  I've tried using the "DNS group" option but it does not seem to accept wildcards.

For example, I want to block all traffic from *.baddomain.com

I've created a DNS group entry for "baddomain.com" (without the quotes), and it will resolve one IP address, but it does not appear to resolve any of the subdomains.  If I enter "*.baddomain.com" it says it's unresolved.

I'm only using packet filter rules; no proxies.

The contextual help does not specify, and I've had no luck searching the forums, so if this is answered elsewhere, I apologize!

We're running 7.502.

Thanks!


This thread was automatically locked due to age.
Parents
  • 0
    I don't know how that could be done.  I don't think name servers have an option for a query like, "Send me all of the IPs of all FQDNs you have related to this domain."  For example, if you look up the DNS records for ntp.org, you won't see pool.ntp.org listed.

    Cheers - Bob
  • 0 in reply to BAlfson
    Bob,

    Yes, I agree that DNS doesn't work that way.  However, it would be nice if the packet filter, when presented with abc.baddomain.com, and *.baddomain.com was blacklisted, would just drop the packet.  The first time it hit there would be a small delay for the reverse lookup, but after that it could just keep the IP associated with the FQDN.

    Thanks!
Reply
  • 0 in reply to BAlfson
    Bob,

    Yes, I agree that DNS doesn't work that way.  However, it would be nice if the packet filter, when presented with abc.baddomain.com, and *.baddomain.com was blacklisted, would just drop the packet.  The first time it hit there would be a small delay for the reverse lookup, but after that it could just keep the IP associated with the FQDN.

    Thanks!
Children
No Data