Firewall – How to deny all communication between our server and a particular domain and its subdomains

firewall

Let's say we don't want our server (any program running on it) to talk to example.com (any IP address that this DNS name happens to resolve to) or anything like *.example.com, etc. Both inbound requests coming from those domains and outbound requests made by programs running on our server trying to reach the forbidden domains are to be blocked. What is the right way to set this up?

Best Answer

First of all, rethink it; it will bring you more problems than successes.

You cannot use DNS in a firewall; that is, you cannot use DNS to check "Does this IP belong to the domain?", for many reasons, the biggest being inconsistent recursive DNS. An IP can have only one PTR record, and these records are managed by the IP owner. Not many domains are really the owners of their IPs; they just use some service provider such as shared hosting, a cloud provider and so on, so if you try to resolve an IP to a domain, you will get that provider, not the domain.

For example, serverfault.com has IP 104.16.46.232. But when you try to detect whether this IP belongs to serverfault.com, you will fail, because this IP belongs to CloudFlare.net and there is no connection between CloudFlare.net and serverfault.com.

If your "not wanted" domain has its own IP subnet, you can use the whois tool to find their assigned subnet and block that subnet. In the case above, you can block the whole of CloudFlare, but you will block everyone who is using CloudFlare, which is not what you want.

The next way is hacking DNS and stealing the zone files for that domain (use AXFR and try to initiate a zone transfer; see this question on SuperUser). Some DNS servers will send the whole zone file to anyone who asks, but most of them will send it only to allowed servers. If you get that file, you can parse it and detect the IPs used. But again, if this is some CDN or shared hosting, you will block everything on that server.
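An added illustration of the two points in the answer (PTR records point at the provider, and blocking a whois netblock takes other tenants down with it); this is not code from the answer or the question. All DNS and netblock data below is constructed inline, with only the IP 104.16.46.232 taken from the answer, so it runs offline.

```python
"""Why an IP-based block for a domain is hard to verify or scope correctly.

Added illustration; the resolver data below is constructed, not live DNS/whois.
"""
import ipaddress

# Constructed forward (A) records: hostname -> IPs it currently resolves to.
FORWARD = {
    "example.com": ["104.16.46.232"],          # IP taken from the answer's illustration
    "www.example.com": ["104.16.46.232"],
    "unrelated-shop.test": ["104.16.46.10"],   # another tenant of the same provider (constructed)
    "intranet.test": ["192.0.2.10"],           # self-hosted, owns its own reverse zone
}
# Constructed PTR records: the hosting provider, not the tenant, owns the reverse zone.
REVERSE = {
    "104.16.46.232": "104-16-46-232.cdn-provider.example",
    "104.16.46.10": "104-16-46-10.cdn-provider.example",
    "192.0.2.10": "intranet.test",
}


def ptr_under_domain(ip, domain, reverse=REVERSE):
    """Does the single PTR record for `ip` fall under `domain`?
    For a CDN/shared-hosting tenant this is False even though the forward lookup matched."""
    ptr = reverse.get(ip)
    if ptr is None:
        return False
    return ptr == domain or ptr.endswith("." + domain)


def collateral_hosts(netblock, target_domain, forward=FORWARD):
    """Inventory hosts that would also be cut off if the whole whois netblock were
    blocked, excluding the target domain itself and its subdomains."""
    net = ipaddress.ip_network(netblock)
    hit = []
    for host, ips in forward.items():
        if host == target_domain or host.endswith("." + target_domain):
            continue
        if any(ipaddress.ip_address(ip) in net for ip in ips):
            hit.append(host)
    return sorted(hit)


if __name__ == "__main__":
    for ip in FORWARD["example.com"]:
        print(ip, "PTR under example.com?", ptr_under_domain(ip, "example.com"))
    # 104.16.46.0/24 stands in for the provider's whois netblock (constructed).
    print("collateral for /24 block:", collateral_hosts("104.16.46.0/24", "example.com"))
```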
