cancel
Showing results for 
Search instead for 
Did you mean: 
jstormo
Level 7

Blocking Internationalized Domain Names

Jump to solution

I'm trying to figure out how to block domains and domain suffixes which are using an internationalized domain name. The names begin with ascii xn-- and continue from there. An example site would be: xn--rksmrgs-5wao1o.josefsson.org.

I've tried wildcard/regex matching for "*xn--*" being in domain but that doesn't seem to work and ruletracing is showing the site hitting as: http://r%C3%A4ksm%C3%B6rg%C3%A5s.josefsson.org/ when web gateway sees it. I've also tried blocking "*%*" in the domain name but also no success. Any idea on how I should go about this?

Goal: Block sites using IDNs within domain or domain suffix.

0 Kudos
1 Solution

Accepted Solutions
jstormo
Level 7

Re: Blocking Internationalized Domain Names

Jump to solution

My own solution which is working well so far:

url.Raw does NOT match regex(^(?:https?:\/\/)*+(?Smiley Sad?!xn--).)+?(?:\/.*)?$)

*edit, removed |% from the negative lookahead group

0 Kudos
2 Replies
jstormo
Level 7

Re: Blocking Internationalized Domain Names

Jump to solution

My own solution which is working well so far:

url.Raw does NOT match regex(^(?:https?:\/\/)*+(?Smiley Sad?!xn--).)+?(?:\/.*)?$)

*edit, removed |% from the negative lookahead group

0 Kudos
Regis
Level 12

Re: Blocking Internationalized Domain Names

Jump to solution

Thanks for this tidbit.  Is it working well still?  For the regex-impaired, can you specify what the regex is doing and more importantly what action you're taking in the policy if that does not match is true?  Block?  Warning page?  

Also, sadly, the new support community framework has made a dog's breakfast of the regex I'm afraid.  Repasting: 

url.Raw does NOT match regex(^(?:https?:\/\/)*+(?Smiley Sad?!xn--).)+?(?:\/.*)?$)

or adding a __DELETEME__ to keep from auto-frown emoji to occur

url.Raw does NOT match regex(^(?:https?:\/\/)*+(?:__DELETEME__(?!xn--).)+?(?:\/.*)?$)

0 Kudos