
I'm working on a team for an enterprise network security product and we're implementing white/blacklisting as part of the program. We have lists that were taken from a third-party source but nobody remembers the specifications for how these lists were made/compiled. The list contains entries that are whole domains, e.g. foo.com, but it also contains many entries where the domain is the same but the subdomains are different, e.g. abc.bar.com, xyz.bar.com, and so on.

This caused us to think: are there reasons for blacklisting some subdomains of a domain but not the whole domain? This is an important question for us because it will affect how we design the list-checking logic: does the entire query need to match an entire entry in the list to be marked as blacklisted? Or does only the registered domain (SLD.TLD) need to match the registered domain of any entry in the list?

We tried to find literature on this but it was to no avail.

kjwill555
  • 3
  • 1
  • 1
    It depends entirely on how the list was made. It could be either. You might be able to get an idea from looking at whether a full domain and a subdomain for that name both appear or not, but you really need to know the specification of the list to know how it is supposed to be applied. – AJ Henderson Jul 17 '17 at 17:24

2 Answers

2

are there reasons for blacklisting some subdomains of a domain but not the whole domain?

Yes. For example, a free domain hosting service such as http://000webhost.com would offer their users a domain address such as PICKYOURSUBDOMAIN.abc.com. Here the user using the free web hosting service could pick their own name for the subdomain and multiple users are sharing abc.com.

Malicious user M can now host, let's say, a phishing page on malicious.abc.com and you would need to blacklist it. However, another user might be hosting a perfectly legit website at legit.abc.com on the same domain. Hence, it is more effective to block malicious.abc.com than abc.com.

whoami
  • 1,366
  • 9
  • 17
1

An entire-string match when looking at the domain makes more sense. Think about the pitfalls if this is not done. If the blacklist says block abc.amazonaws.com, blocking the entire Amazon AWS service could be detrimental to the business.

Similarly, dynamic DNS-based domains provide another level of difficulty when building the blacklist. Botnets and malicious operators are known to host their servers using dynamic DNS providers. However, not all subdomains of such a provider (e.g. *.dyndns.org) are malicious. In such cases, however, you can take a subjective approach. If you do not expect hosts within your network to communicate with dynamic DNS providers in general, you can block such a domain.

sandyp
  • 1,146
  • 1
  • 9
  • 17
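The two matching strategies the question asks about, as an added example that is not code from the question or either answer: exact-hostname entries plus explicit `*.` suffix entries (covering whoami's shared-host case and sandyp's dynamic-DNS case), alongside the naive SLD.TLD shortcut for contrast. The list entries and hostnames are constructed.

```python
# Added example, not code from the question or either answer; list entries
# and hostnames are constructed for illustration.
from typing import Iterable, Optional


def normalize(host: str) -> str:
    """DNS names are case-insensitive; drop whitespace and a trailing FQDN dot."""
    return host.strip().lower().rstrip(".")


class Blocklist:
    """Exact entries match one hostname. A '*.example' entry matches every
    subdomain of example but not example itself, so a shared-hosting apex
    (abc.com) or a cloud provider (amazonaws.com) is never swept up."""

    def __init__(self, entries: Iterable[str]) -> None:
        self.exact = set()
        self.suffixes = set()
        for raw in entries:
            entry = normalize(raw)
            if entry.startswith("*."):
                self.suffixes.add(entry[2:])
            else:
                self.exact.add(entry)

    def match(self, host: str) -> Optional[str]:
        """Return the entry that blocks host, or None if it is allowed."""
        host = normalize(host)
        if host in self.exact:
            return host
        labels = host.split(".")
        # Walk up the hierarchy: a.b.dyndns.org -> b.dyndns.org -> dyndns.org
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.suffixes:
                return "*." + parent
        return None


def naive_registered_domain_match(entry: str, host: str) -> bool:
    """The 'SLD.TLD' shortcut from the question, kept only for contrast: it
    over-blocks shared hosts and cloud providers, and it misreads the
    registered domain under public suffixes such as co.uk (a correct version
    needs the Public Suffix List)."""
    def tail(h: str) -> str:
        return ".".join(normalize(h).split(".")[-2:])
    return tail(entry) == tail(host)


BLOCKLIST = Blocklist(["malicious.abc.com", "abc.amazonaws.com", "*.dyndns.org"])
```

With this list, `legit.abc.com` and `s3.amazonaws.com` stay reachable while every subdomain of `dyndns.org` is blocked; the naive SLD.TLD comparison would block all four of those hostnames.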