My first thought here is to create a custom vulnerability object using a pattern-match on the query, then make the default action drop the packet and apply the vulnerability object to a rule (through a new profile or a non-default profile). However, custom vulnerability objects using pattern-matching require 7 fixed bytes of data. For example, a DNS query for record type A class IN only contains 4 bytes (0x00010001) in the "dns-req-section" context. So we have a problem: we don't have enough data to pattern-match against for a specific record type.

Question: Can we use bytes immediately before or after the data we care about to help us out? Maybe. The A record request would typically not contain additional RRs (at least none we can reliably pattern match), so after the query there is no data to match on. We could match on data before the type A class IN, but then we have to know what the actual query would be (i.e. the host, subs, domain, and TLD).

There is a compromise if you wouldn't be opposed to some tedium. Within the custom vulnerability object you can create multiple signatures, each of which includes just the common TLDs (com, org, gov, info). There is a fairly detailed write-up of creating custom threat signatures, and I'll also provide an example: Creating Custom Threat Signatures

Creating the Object

1. On the device or Panorama go to 'Objects' -> 'Vulnerability' under custom objects.
2. Click 'Add'.
3. Give it a Threat ID, Name, Comment etc. I'd just be sure to make the severity 'high' or greater and select 'Drop Packets' as the default action.
4. Click on the Signatures tab. Standard is what you want.
5. Click Add to add a new signature.

Creating the Patterns

1. You'll want it to be 'Transaction' based, and the order shouldn't matter since I'd create 'OR' conditions for different TLDs.
2. Add Or Condition (for .com A record queries):
   Operator - pattern-match
   Context - dns-req-section
   Pattern - \x03636f6d0000010001\x
3. Repeat step 2 for other TLDs you want to include.

Make sure they are 'Or' conditions and not 'And', or it'll never trigger. This is a 9 byte pattern, and if you only care about PTR records making it past, this shouldn't trigger on false positives. Anyone else using this might want to put it in 'alert' mode and enable packet capture to make sure it doesn't trigger. You should be able to create multiple 'OR' conditions for the .org .info .gov etc. domains in the same object. I didn't test that though. My Splunk guy gets mad when I shovel a bunch of new logs into the indexer without telling him. Hope this achieves what you want.