Teamsecurity_25
Mar 01, 2016Nimbostratus
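when RULE_INIT {
    # Runs when the iRule is loaded; the static:: variables set here are read
    # later by the DNS_RESPONSE handler.

    # IPv4 address returned in place of the real answer when an A-record
    # query matches the blacklist.
    set static::blacklist_reply_IPV4 "10.10.10.10"

    # TTL used for all blacklist replies.
    set static::blacklist_ttl "100"
}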
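when DNS_REQUEST {
    # Per-query state. Blacklist_Match is read again in DNS_RESPONSE;
    # Blacklist_Type is initialised here but not used by the visible code.
    set Blacklist_Match 0
    set Blacklist_Type ""
    set domain_name [DNS::question name]

    # Only queries with the Recursion Desired (rd) bit set are examined.
    # Queries without rd fall through untouched, so the blacklist is not
    # applied to them.
    if { [DNS::header "rd"] == 1 } {
        if { not [class match [IP::client_addr] eq "admin_datagroup"] } {
            # Recursive query from a client outside admin_datagroup:
            # drop it without sending any reply.
            DNS::drop
        } elseif { [class match [string tolower $domain_name] eq Blacklist_Class] } {
            # The query name is lowercased before the lookup so that a
            # mixed-case query (e.g. "ExAmPlE.com") cannot slip past a
            # lowercase data-group entry. The original applied
            # "string tolower" to the result of "class match" instead,
            # which had no effect on the comparison.
            #
            # NOTE(review): "eq" matches the exact query name only, so
            # subdomains of a listed domain are not caught - confirm that
            # this is intended, and that Blacklist_Class entries are stored
            # in lowercase.
            set Blacklist_Match 1

            # NOTE(review): this fires on a blacklist hit, so the wording
            # "request allowed" looks inverted - confirm the intended text.
            # $domain_name is client-supplied data written to the log as-is.
            log local0. "request allowed from $domain_name"

            # Skip resolution and send a response back toward the client;
            # DNS_RESPONSE then rewrites the answer section.
            DNS::return
        }
    }
}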
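when DNS_RESPONSE {
    # Rewrite the response only for queries flagged in DNS_REQUEST.
    if { $Blacklist_Match } {
        switch [DNS::question type] {
            "A" {
                # Replace whatever answers are present with a single A record
                # pointing at the configured blacklist reply address.
                DNS::answer clear
                DNS::answer insert "[DNS::question name]. $static::blacklist_ttl [DNS::question class] [DNS::question type] $static::blacklist_reply_IPV4"
                # Mark recursion as available in the reply header.
                DNS::header ra "1"
            }
            default {
                # Any other record type (AAAA, MX, TXT, ...) for a blacklisted
                # name gets no substitute answer; the response is rejected.
                DNS::last_act reject
            }
        }
    }
}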