Inbound Wildcard DNS block

Started by iBROX, April 22, 2024, 08:21:22 AM

Hi,

Is there any way to block, say, *.abc.com (obviously being a wildcard) so it will block all hostnames under it?

I've looked everywhere and can't seem to find an easy solution. Is there a way within OPNsense or perhaps using Sensei or some other plugin?

Create an entry in your DNS server for abc.com. pointing to 127.0.0.1.

That will block it for clients within the LAN wanting to get to the WAN (Internet). What about from the WAN (Internet) into your LAN? I.e. a floating rule to block a wildcard for anything ending in *.abc.com.

Hopefully that makes sense.

If you distrust an inbound connection enough to block it, then why trust it not to spoof its name and/or IP address?

Content distribution networks, cloud services, CGNAT, proxies and what have you will obscure the source of external traffic and are out of your control.

If you want to increase the security, use a login to your service. If your logins are getting swamped from a certain corner of the internet, add a second factor (e.g. client cert for a web server).

Bart...
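To illustrate Bart's point that an inbound packet carries no trustworthy hostname, here is an added example (not from this thread or from OPNsense) that does the only check a firewall could make, a forward-confirmed reverse DNS lookup of the source IP against a `*.abc.com` pattern. The PTR and A tables are constructed stand-ins for real lookups; even a "verified" result only means the owner of the abc.com zone chose to publish matching records, so it is not a security boundary.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed DNS data standing in for real PTR and A lookups (offline example only).
PTR_TABLE = {
    "203.0.113.10": "host1.abc.com.",   # PTR and A agree
    "203.0.113.11": "host2.abc.com.",   # PTR claims abc.com, but A does not point back
    "203.0.113.12": None,               # no PTR at all (common for CDN / CGNAT ranges)
    "203.0.113.13": "mail.example.net.",  # PTR exists but is outside the pattern
}
A_TABLE = {
    "host1.abc.com.": ["203.0.113.10"],
    "host2.abc.com.": ["198.51.100.7"],
}

def ptr_lookup(ip):
    return PTR_TABLE.get(ip)

def a_lookup(name):
    return A_TABLE.get(name, [])

def hostname_matches(name, pattern):
    """Case-insensitive wildcard match, ignoring the trailing dot of a FQDN."""
    return fnmatchcase(name.lower().rstrip("."), pattern.lower().rstrip("."))

def classify_source(ip, pattern, ptr=ptr_lookup, a=a_lookup):
    """Return (verdict, ptr_name) for an inbound source address.

    verdict is one of: 'no-ptr', 'no-match', 'unverified', 'verified'.
    Only 'verified' means the reverse name also resolves forward to this IP,
    and even that is controlled by whoever runs the zone, not by the firewall.
    """
    ipaddress.ip_address(ip)          # reject malformed input early
    name = ptr(ip)
    if name is None:
        return "no-ptr", None
    if not hostname_matches(name, pattern):
        return "no-match", name
    if ip in a(name):
        return "verified", name
    return "unverified", name

if __name__ == "__main__":
    for src in PTR_TABLE:
        print(src, classify_source(src, "*.abc.com"))
```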