BLACKLIST DNS rules question
I'm a Snort noob and I'm doing something wrong.
I'm running Snort on my WAN interfaces (no NAT, they each have a private IP behind another router that does NAT for my home) and was just testing if Snort would block properly.
So I picked an easy test from the Snort Ruleset, just issue
from within my LAN. Snort recognizes this as
"BLACKLIST DNS request for known malware domain secuurity.net"
and on the blocklist amongst others there are:
126.96.36.199 (k.gtld-servers.net.) and 188.8.131.52 (a.gtld-servers.net)
This poses a little problem for Unbound.
Plus Unbound already cached that lookup and it still works.
As there are quite a few of those BLACKLIST DNS rules in the Balanced IPS Policy, it's a little hard to disable them all by hand.
How are you guys dealing with this? Am I "holding it wrong"? ;)
Well if you do not want to disable those rules, you can create a custom passlist and add all root DNS servers there.
But I guess I might have to find a way to mass-disable all those rules. Or I have to refrain from using the IPS policies altogether and build my own ruleset.
Because the root DNS servers are only amongst the blocked DNS servers, as Unbound walks the chain down to the actual server responsible and everything in that path gets blocked…
Well, the way to mass-disable rules is called SIG Mgmt.