Countering dangling DNS records with Suricata
Hi nieznajomy,
A short post on how you can reject connections that arrive through leftover DNS records still pointing at an IP address you control.
I’ve been in that situation and it bugged me to see connection attempts using DNS records outside my control that effectively point to infrastructure under my control. In fact, despite having communicated with the domain owner (unidirectional communication for now), the record(s) are still present today.
What can one do? Well, there are several possibilities. At first, I simply denied such requests at the WAF layer, although I wasn’t 100% happy with that solution.
Why, you may ask? And reasonably so. Anyone initiating a connection through a dangling DNS record never intended to reach your domain in the first place. Answering such attempts with a WAF deny page means the TLS handshake has already completed, so your own identity (SSL/TLS certificate and all) has been handed to a party who never meant to reach you, which in my point of view is unnecessary.
So I looked for a way to kill this traffic closer to the wire, as early as possible. One answer comes from the Suricata network IDS/IPS and its tls.sni keyword: the server name travels in cleartext in the client’s very first message (the ClientHello), so it can be matched before the handshake completes and before any certificate of yours is sent.
Here is the simple Suricata rule I’ve crafted and set as “DROP” within my ruleset:
# Drops every TLS session whose SNI is a subdomain of <domain>.<suffix> -- edit the placeholders to your own name and remove the "<" and ">"
# The SNI only travels in the ClientHello (client -> server), hence flow:to_server. content/endswith is the fast prefilter;
# the anchored, case-insensitive pcre enforces a label boundary so "not<domain>.<suffix>" does not match (the bare apex is not matched either).
# "reject" instead of "drop" would additionally send a TCP RST. Local sids conventionally live in 1000000-1999999.
drop tls any any -> any any (flow:to_server,established; tls.sni; content:"<domain>.<suffix>"; nocase; endswith; pcre:"/^.+\.<domain>\.<suffix>$/i"; msg:"Match on *.<domain>.<suffix> SNI wildcards"; sid:70; rev:1;)
Of course, you need to edit every occurrence of <domain>.<suffix> to suit your own needs. Once that IPS rule is in place (Suricata running inline, e.g. NFQUEUE or AF_PACKET IPS mode; in plain IDS mode a drop rule only alerts), any inbound or outbound TLS session toward the matched name is silently dropped at your perimeter: the client never gets past its ClientHello and nothing of yours is revealed.
There is, however, another way out: take the control you have been handed and accept the traffic.
Indeed, one can successfully request a Let’s Encrypt certificate for any FQDN pointing to hosts under your own TCP/IP control, which is our case here: the ACME HTTP-01 challenge only needs to reach the IP address the name resolves to. Thereafter, why not host a static website expressing your thoughts about the situation?
That may well be a quicker way of getting the DNS records cleaned up by the respective domain owner, and it involves only the dangling name: the certificate is issued for their FQDN, not yours. Bear in mind that the issued certificate will show up in Certificate Transparency logs under their domain, which may by itself get the owner’s attention.
Hope this helps,
So long,
Obruno