How to Block Top Level Domains Using the Intrusion Protection & Detection Application of Crystal Eye?

Top Level Domains (TLDs) can be blocked using the Local Rules feature of Crystal Eye’s Intrusion Protection & Detection application.

The Local Rules feature of the IDS/IPS app can be used to write rules that restrict access to specific TLDs such as .com, .net, .org, etc.

Let's create a Local IDS/IPS rule to block the Chinese top level domain, i.e. .cn.

The following local rule must be created and enabled if the Intrusion Protection & Detection application is running in Prevention mode. This Local Rule will block the required top level domain, i.e. .cn.

Step 1: Go to Security Configuration > Intrusion Protection Detection

Step 2: In the Intrusion Protection & Detection app page, click the Rulesets, Categories, and Rules tab.

Step 3: You will now see the Rulesets, Categories, and Rules switch view. Click the Add button in the Local Rules section.

Step 4: You will now see the Add Local Rule page. Select DNS Resolving Protocol in the Type of Protocol to Match dropdown.

Step 5: Select $HOME_NET from the Source Network dropdown.

Step 6: Enter "RP new DNS Query for .cn TLD" in the "Message that will append in log if packet is matching rule" textbox.

Step 7: Enter `dns_query; dotprefix; content:".cn"; endswith;` in the Content Match and Keywords textbox.

Step 8: Select Potentially Bad Traffic from the Classification of Rule dropdown.

Step 9: Enter ‘10’ in the Priority of rule textbox and click the Add button.

Step 10: You will now see the newly created rule in the Local Rule section.

Step 11: Click the IDS/IPS configuration tab.

Step 12: Click the Edit button in the Intrusion Mode section.

Step 13: You will now see the Intrusion Mode page. Select Prevention from the Select Mode dropdown and click the Update button.

Step 14: You will now see the message “Intrusion Mode Updated Successfully” and the Intrusion mode will now be changed to Prevention mode.

Step 15: Now click the Rulesets, Categories & Rules tab.

Step 16: Identify the rule created earlier, click the Option dropdown button and select Convert to Drop.

The following local rule must be created and enabled if the Intrusion Protection & Detection application is running in Detection & Prevention mode. This Local Rule will block the required top level domain, i.e. .cn.

Step 1: Go to Security Configuration > Intrusion Protection Detection

Step 2: In the Intrusion Protection & Detection app page, click the Rulesets, Categories, and Rules tab.

Step 3: You will now see the Rulesets, Categories, and Rules switch view. Click the Add button in the Local Rules section.

Step 4: You will now see the Add Local Rule page. Select DNS Resolving Protocol in the Type of Protocol to Match dropdown.

Step 5: Select $HOME_NET from the Source Network dropdown.

Step 6: Enter "RP new DNS Query for .cn TLD" in the "Message that will append in log if packet is matching rule" textbox.

Step 7: Enter `dns_query; dotprefix; content:".cn"; endswith;` in the Content Match and Keywords textbox.

Step 8: Select Potentially Bad Traffic from the Classification of Rule dropdown.

Step 9: Enter ‘10’ in the Priority of rule textbox and click the Add button.

Step 10: You will now see the newly created rule in the Local Rule section.

Step 11: Click the IDS/IPS configuration tab.

Step 12: Click the Edit button in the Intrusion Mode section.

Step 13: You will now see the Intrusion Mode page. Select Detection & Prevention from the Select Mode dropdown and click the Update button.

Step 14: You will now see the message “Intrusion Mode Updated Successfully” and the Intrusion mode will now be changed to Detection & Prevention mode.

Step 15: Now click the Rulesets, Categories & Rules tab.

Step 16: Identify the rule created earlier, click the Option dropdown button and select Convert to Reject.
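To see what the Step 7 keywords actually do, and what the complete rule looks like after Convert to Drop (Prevention mode) or Convert to Reject (Detection & Prevention mode), here is an added example that is not Crystal Eye's or Suricata's own code: it emulates how `dns_query; dotprefix; content:".cn"; endswith;` evaluates a DNS query name and renders the resulting rule text. The rule header's destination (`any any`), the sid, and the mapping of "Potentially Bad Traffic" to the standard Suricata classtype `bad-unknown` are assumptions, not values taken from the page.

```python
# Added example (not Crystal Eye's or Suricata's own code): emulates the
# Step 7 keywords and renders the full local rule they produce.

# Hypothetical sid: local rules need a unique sid, which the page does not
# state. Replace it with a value from your own local-rule range.
PLACEHOLDER_SID = 1000001

# Assumption: the "Potentially Bad Traffic" dropdown entry maps to the
# standard Suricata classtype "bad-unknown"; destination "any any" is assumed.
RULE_TEMPLATE = (
    '{action} dns $HOME_NET any -> any any ('
    'msg:"RP new DNS Query for {tld} TLD"; dns_query; dotprefix; '
    'content:"{tld}"; endswith; classtype:bad-unknown; priority:10; '
    'sid:{sid}; rev:1;)'
)


def render_rule(tld=".cn", action="drop", sid=PLACEHOLDER_SID):
    """Build the rule text. Use action="drop" for Convert to Drop
    (Prevention mode) or "reject" for Convert to Reject
    (Detection & Prevention mode)."""
    if action not in ("alert", "drop", "reject"):
        raise ValueError("unsupported action: " + action)
    if not tld.startswith("."):
        tld = "." + tld
    return RULE_TEMPLATE.format(action=action, tld=tld, sid=sid)


def query_matches(qname, tld=".cn", dotprefix=True, endswith=True):
    """Emulate dns_query -> [dotprefix] -> content:<tld> -> [endswith].

    dns_query exposes the queried name as the match buffer. dotprefix
    prepends "." so the content is anchored on a label boundary (this is
    what lets the bare label "cn" match). endswith requires the content
    to sit at the end of the buffer, so "www.cn.example.com" (a .com host
    with a "cn" subdomain) is not matched. Suricata content matches are
    case-sensitive unless nocase is given; the page's rule has none.
    """
    buf = ("." + qname) if dotprefix else qname
    return buf.endswith(tld) if endswith else (tld in buf)


# Constructed sample queries as they might be seen from $HOME_NET.
SAMPLE_QUERIES = ["example.cn", "mail.beijing.com.cn", "cn",
                  "www.cn.example.com", "example.com", "cncounter.net"]


def blocked_queries(queries=SAMPLE_QUERIES, tld=".cn"):
    """Return the queries the Step 7 keywords match (and so drop/reject)."""
    return [q for q in queries if query_matches(q, tld)]
```

Dropping `endswith` from the keywords would also match `www.cn.example.com`, which is why the page's rule keeps both `dotprefix` and `endswith`.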

Associated Links—Blocking TLDs in Crystal Eye
CE Manual - Adding New IDPS/IPS Local Rules
CE Manual - Banning Sites in Content Filter
Forum Post - Blocking Top Level Domains in Crystal Eye