Feature #8385
opendatasets: add support for subdomain match
Description
Problem
There is currently no way to use datasets to block a domain and all its subdomains. The existing domain; transform extracts the registrable domain (eTLD+1), which is useful for normalization but not for subdomain-level blocklists.
For example, an entry mail.evil.com in a dataset used with domain; will never match: the transform reduces a query such as sub.mail.evil.com to evil.com before the dataset lookup, and evil.com is not in the set. Only base domains work with domain;, which makes it impossible to maintain subdomain blocklists.
The dotprefix; content; endswith; pattern handles subdomains correctly, but endswith cannot be combined with a dataset.
Proposal
Add a match subdomain option to the dataset keyword. When set, the lookup walks up the domain hierarchy, checking each level against the dataset until a match is found.
Example rule:
reject dns any any -> any any (msg:"Blocked domain"; dns.query; dotprefix; dataset:isset,blocked-domains,type string,match subdomain,load blocked-domains.lst; sid:1; rev:1;)
With .mail.evil.com in the dataset, this matches mail.evil.com, sub.mail.evil.com, etc.
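As an added illustration of the proposed lookup (example code, not Suricata's implementation), a small C model: a constant array stands in for the string dataset, dataset_isset is the current exact match, and match_subdomain is a hypothetical helper that walks up the dotprefix'd query one label at a time; the dataset entries and queries are constructed samples.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for a Suricata string dataset (constructed sample, not a real
 * blocklist): entries carry the leading dot that the dotprefix transform adds. */
static const char *blocked_domains[] = { ".mail.evil.com", ".bad.example" };
#define NUM_BLOCKED (sizeof(blocked_domains) / sizeof(blocked_domains[0]))

/* Current dataset:isset behaviour: the whole buffer must equal an entry. */
bool dataset_isset(const char *buf)
{
    for (size_t i = 0; i < NUM_BLOCKED; i++)
        if (strcmp(buf, blocked_domains[i]) == 0)
            return true;
    return false;
}

/* Proposed "match subdomain" lookup (hypothetical helper). `query` is the
 * dns.query buffer after dotprefix, e.g. ".sub.mail.evil.com". Try the full
 * buffer, then strip one leading label at a time while keeping the dot (so an
 * entry ".evil.com" never matches "notevil.com"), and stop at the first hit.
 * Returns a pointer to the matching suffix inside `query`, or NULL if no
 * level of the hierarchy is in the dataset. */
const char *match_subdomain(const char *query)
{
    for (const char *p = query; p != NULL && *p != '\0'; p = strchr(p + 1, '.'))
        if (dataset_isset(p))
            return p;
    return NULL;
}

int main(void)
{
    /* Constructed queries; the last one skips dotprefix to show why it matters. */
    const char *queries[] = { ".mail.evil.com", ".sub.mail.evil.com",
                              ".evil.com", ".notmail.evil.com", "mail.evil.com" };
    for (size_t i = 0; i < sizeof(queries) / sizeof(queries[0]); i++) {
        const char *hit = match_subdomain(queries[i]);
        printf("%-20s exact=%d  subdomain=%s\n", queries[i],
               dataset_isset(queries[i]), hit ? hit : "(no match)");
    }
    return 0;
}
```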
https://redmine.openinfosecfoundation.org/issues/6802 mentions something similar to this.