Is it possible to block a top level domain via a firewall rule?
Not possible, Tom. Name servers have no idea of what to do with anything other than an FQDN. Do you have some new student that's found a way around Web Filtering?
Cheers - Bob
Unfortunately, it's a constant battle with new sites popping up every minute. They seem to favor the .ru top level domain. I tried using country blocking, which seemed to help some, but some of the sites are registered with US IP addresses. It's always a fine line between security and usability.
How to Block Access to a Complete TLD
Tom, I just thought of a way to block access to anything with a TLD of ru.
On the 'Request Route' tab in 'Network Services >> DNS', create one for ru that points at a non-existent IP. Once that's active, any attempt to get name resolution for an ru FQDN will hang for ten seconds and then report "unknown host" to the requesting application. Note that this requires the UTM to be the first forwarder for your internal name server(s) and the second for devices getting DHCP from you. You will want to use DNS Best Practice, and you might want to drop all outbound DNS requests.
Cheers - Bob
NOTE 2016-11-02: See my post below where I pass on a better idea from Sophos' Greg Hammond.
Tom, look at the link I provided. It suggests that the UTM be the first forwarder for your internal DNS server and the second assigned to clients after your internal DNS server.
Cheers - Bob
Greg Hammond of the Sophos Escalation Team gave me a better suggestion when I submitted my idea for a KnowledgeBase article.
Several years ago, it became possible to associate a DNS name with a Static Host definition. Here's my take on Greg's suggestion. You'll also want to follow DNS Best Practice.
Cheers - Bob
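Both approaches in this thread work the same way: the UTM answers for anything under the blocked TLD itself instead of forwarding it upstream. As an added illustration (Python written for this page, not UTM configuration and not from anyone in the thread), the block below implements that sinkhole policy over a raw DNS message: it decodes the query name, matches only the rightmost label against a constructed blocked-TLD set, and returns an immediate NXDOMAIN rather than making the client wait out a timeout, while names such as ru.example.com are left for the real forwarder (signalled by returning None).

```python
import struct
from typing import Optional, Tuple

# Constructed policy for this example: TLDs that must never resolve.
BLOCKED_TLDS = {"ru"}


def normalize(name: str) -> str:
    """Lower-case and drop the root dot so 'Mail.Example.RU.' equals 'mail.example.ru'."""
    return name.rstrip(".").lower()


def is_blocked(name: str, blocked=BLOCKED_TLDS) -> bool:
    """Match only the rightmost label: 'ru.example.com' is NOT blocked."""
    return normalize(name).rsplit(".", 1)[-1] in blocked


def encode_qname(name: str) -> bytes:
    labels = normalize(name).split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_qname(msg: bytes, off: int = 12) -> Tuple[str, int]:
    """Return (name, offset just past the terminating zero length byte)."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal A/IN query: header with RD=1 and a single question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def handle_query(msg: bytes) -> Optional[bytes]:
    """Sinkhole policy: NXDOMAIN (RCODE 3) at once for a blocked TLD,
    None for everything else so the caller forwards it upstream."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        return None
    qname, end = decode_qname(msg)
    if not is_blocked(qname):
        return None
    # QR=1, AA=1, RD copied from the query, RA=1, RCODE=3; echo the question.
    rflags = 0x8000 | 0x0400 | (flags & 0x0100) | 0x0080 | 3
    return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + msg[12:end + 4]


def rcode_of(msg: bytes) -> int:
    return struct.unpack("!H", msg[2:4])[0] & 0x000F
```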
I had to re-arrange my DNS configuration. We had all internal clients and the UTM pointing to internal DNS (AD) servers, and the internal DNS servers forwarded out to our ISP. We already block DNS traffic by all clients except internal DNS through the firewall. I added the internal DNS servers to allowed networks in the UTM and then added it as the first DNS forwarder. I then added the ISP DNS servers as forwarders on the UTM. It seems to be working. After adding the network DNS definition, any requests to a .RU domain just come back as page cannot be displayed. Will keep an eye on it to make sure, but it seems to work.