INDICATOR-COMPROMISE Suspicious .tk dns query

Question

So I am getting emails about some bad DNS queries: 
 "INDICATOR-COMPROMISE Suspicious .tk dns query" 
 I have looked in to this, and for the most part, these are "legit" drops, but not ALL are... 
 Myself, I have signed up for a free .tk domain, and set it to my external IP, but I cannot resolve my domain to an IP because of these drops. 
 How can I "whitelist" MY .tk domain, while still blocking the others?

BAlfson · Accepted Answer

That should do what you want. 
 Here's a nifty trick that others can use to block all DNS inquiries to the .tk TLD: Block a TLD 
 Cheers - Bob

BAlfson · Answer

Hi, Gino, and welcome to the UTM Community! 
 Thanks for the vote of confidence! 
 Just follow the link in my post above to which you replied. That effectively blocks the entire domain. The IP in the Network definition is a dummy one, so no lookups can be made for the top level domain. Just replace "ru" with "tk" in the definition. If you also want to block ru, then just add tk to 'Additional Hostnames'. 
 Cheers - Bob

INDICATOR-COMPROMISE Suspicious .tk dns query

Top Replies

Submitted a Tech Support Case lately from the Support Portal?