Detecting DNS lookup and follow-on connections

Hey forum,

I would like to be able to detect a DNS response for a given domain and then alert on any follow-on connections made to the resolving IP.

Is there a better way than putting the resolving IP into a dataset and then checking ipv4.hdr (as described in Suricata and IP blacklist - #55 by ManuelFFF)? This seems like it would perform poorly.

Ideally I’d like some way to add IP addresses to a list dynamically, with the performance of iprep and the flexibility of dataset.
Your main issue here might be that there is no buffer for the DNS answer according to the docs.
The easiest way for now might just be to create your own script processing the Suricata logs and updating an iprep list with the relevant DNS replies for A/AAAA queries.
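One way to build the log-processing script suggested above, as an added example that is not from this thread or from the Suricata project: it reads EVE JSON `dns` events (the sample lines are constructed), keeps A/AAAA answers for a watched domain (including answers reached through a CNAME, by also checking the query name), and emits lines in the iprep file format `ip,category,score`. The watched domain `bad.example`, category id 1 and score 100 are assumptions; the category id must exist in your iprep categories file.

```python
import json
from typing import Dict, Iterable, Iterator, List, Set, Tuple

WATCHED: Set[str] = {"bad.example"}  # assumed domain to watch (constructed)
CATEGORY = 1    # assumed iprep category id, must exist in the categories file
SCORE = 100     # assumed reputation score for resolved IPs

# Constructed EVE JSON lines: one v2-style answer with A and AAAA records for the
# watched domain, one unrelated v1-style flat answer, a query, and a flow event.
SAMPLE_EVE = """
{"event_type":"dns","src_ip":"10.0.0.5","dns":{"version":2,"type":"answer","rrname":"bad.example","rcode":"NOERROR","answers":[{"rrname":"bad.example","rrtype":"A","ttl":300,"rdata":"203.0.113.7"},{"rrname":"bad.example","rrtype":"AAAA","ttl":300,"rdata":"2001:db8::7"}]}}
{"event_type":"dns","dns":{"type":"answer","rrname":"good.example","rrtype":"A","rdata":"198.51.100.9"}}
{"event_type":"dns","dns":{"type":"query","rrname":"bad.example","rrtype":"A"}}
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7"}
""".strip().splitlines()


def _norm(name: str) -> str:
    """Normalise a DNS name for comparison: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def watched_answers(event: dict, watched: Set[str]) -> Iterator[Tuple[str, str]]:
    """Yield (ip, domain) for A/AAAA answers tied to a watched domain.
    Handles both the flat v1 form (one record per event) and the v2 form
    (an 'answers' list). The top-level rrname is the question name, so an
    A record returned via a CNAME chain is still attributed to the query."""
    dns = event.get("dns", {})
    if event.get("event_type") != "dns" or dns.get("type") != "answer":
        return
    qname = _norm(dns.get("rrname", ""))
    for rec in dns.get("answers") or [dns]:
        name = _norm(rec.get("rrname", qname))
        if rec.get("rrtype") in ("A", "AAAA") and rec.get("rdata"):
            if qname in watched:
                yield rec["rdata"], qname
            elif name in watched:
                yield rec["rdata"], name


def resolved_ips(lines: Iterable[str], watched: Set[str]) -> Dict[str, str]:
    """Map each resolving IP to the watched domain it was returned for."""
    found: Dict[str, str] = {}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        for ip, domain in watched_answers(event, watched):
            found[ip] = domain
    return found


def iprep_lines(ips: Iterable[str], category: int = CATEGORY, score: int = SCORE) -> List[str]:
    """Render IPs as iprep reputation file lines: <ip>,<category id>,<score>."""
    return [f"{ip},{category},{score}" for ip in sorted(ips)]


if __name__ == "__main__":
    print("\n".join(iprep_lines(resolved_ips(SAMPLE_EVE, WATCHED))))
```

In production, feed the script the live eve.json (for example via `tail -F`) and rewrite the reputation file it points at; an `iprep` keyword rule can then alert on flows to any IP with a score above your threshold in that category.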

That is true. I hadn’t considered the DNS portion of the issue.

Discounting the issue of extracting the IP from the DNS reply, I presume there is no current way to dynamically add this to an iprep list?

Not from within the rule language as far as I am aware.