BLACKLIST DNS rules question



  • I'm a Snort noob and I'm doing something wrong.

    I'm running Snort on my WAN interfaces (no NAT, they each have a private IP behind another router that does NAT for my home) and was just testing if Snort would block properly.

    So I picked an easy test from the Snort Ruleset, just issue

    dig secuurity.net
    

    from within my LAN. Snort recognizes this as
    "BLACKLIST DNS request for known malware domain secuurity.net"
    and on the blocklist amongst others there are:
    192.52.178.30 (k.gtld-servers.net.) and 192.5.6.30 (a.gtld-servers.net)

    This poses a little problem for Unbound.
    Plus Unbound already cached that lookup and it still works.
    As there are quite a few of those BLACKLIST DNS rules in the Balanced IPS Policy, it's a little hard to disable them all by hand.
    How are you guys dealing with this? Am I "holding it wrong"? ;)


  • Well, if you do not want to disable those rules, you can create a custom passlist and add all root DNS servers there.

    https://www.iana.org/domains/root/servers



  • @doktornotor: Thanks!
    But I guess I might have to find a way to mass-disable all those rules. Or I have to refrain from using the IPS policies altogether and build my own ruleset.
    Because the root DNS servers are only amongst the blocked DNS servers, as Unbound walks the chain down to the actual server responsible and everything in that path gets blocked…


  • Well, the way to mass-disable rules is called SIG Mgmt.
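
Added example, not part of the thread and not code from any poster or from the Snort project: one way to collect every "BLACKLIST DNS" rule in a rules file so the whole group can be disabled in one step rather than by hand. The names `parse_rule` and `disable_list`, the constructed sample rules, and the `gid:sid` output form (assumed to be what the SID management disable list accepts) are assumptions.

```python
import re

# Constructed sample rules: SIDs, domains and revisions are made up.
SAMPLE_RULES = r'''
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain secuurity.net"; flow:to_server; content:"|09|secuurity|03|net|00|"; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000001; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain one.example"; metadata:policy balanced-ips drop; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN constructed non-DNS rule"; metadata:policy balanced-ips drop; sid:1000003; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain two.example"; gid:3; metadata:policy balanced-ips drop; sid:1000004; rev:5;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain three.example"; metadata:policy security-ips drop; sid:1000005; rev:1;)
'''

ACTION_RE = re.compile(r'(alert|drop|sdrop|reject|log|pass)\s')
# One rule option: key, optional value; quoted strings may contain ';'.
OPT_RE = re.compile(r'\s*([A-Za-z_.]+)\s*(?::((?:"(?:[^"\\]|\\.)*"|[^;"])*))?;')

def parse_rule(line):
    """Parse one rule line; returns None for blanks and plain comments."""
    text = line.strip().lstrip('# ')
    start, end = text.find('('), text.rfind(')')
    if not ACTION_RE.match(text) or start < 0 or end < start:
        return None
    opts = {}
    for key, val in OPT_RE.findall(text[start + 1:end]):
        opts.setdefault(key, val.strip())
    if 'sid' not in opts:
        return None
    return {
        'gid': int(opts.get('gid') or 1),   # gid defaults to 1 when absent
        'sid': int(opts['sid']),
        'msg': opts.get('msg', '').strip('"'),
        'policies': set(re.findall(r'policy\s+([\w-]+)', opts.get('metadata', ''))),
    }

def disable_list(rules_text, msg_prefix='BLACKLIST DNS', policy=None):
    """Return gid:sid entries for rules whose msg starts with msg_prefix.

    Commented-out rules are included: this assumes an IPS policy selects
    rules by their metadata, not by whether the line is commented.
    """
    entries = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None or not rule['msg'].startswith(msg_prefix):
            continue
        if policy and policy not in rule['policies']:
            continue
        entries.append(f"{rule['gid']}:{rule['sid']}")
    return entries

if __name__ == '__main__':
    print('\n'.join(disable_list(SAMPLE_RULES, policy='balanced-ips')))
```

Passing `policy='balanced-ips'` limits the list to rules the Balanced policy would pull in; leaving it out lists every rule whose message starts with the prefix.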

