How to Block Top Level Domain with Sonicwall

What Network Objects and/or Firewall Rules could I use (or would I have to create) to block an entire top level domain with my Sonicwall?  We have no need to communicate with anyone not on a .com, .net, or .org domain and the spammers have been finding ingenious ways to bug the hell out of me from their .us, .in, .info, .biz, etc. domains.  I'd like to block all of these newer top level domains in a relatively easy fashion.  It's extreme yes, but I'm up against the clock.  Thanks in advance!
Mister Porsche GT3Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

This is how it did it on our Sonicwall NSA E5500

The top level domains can be blocked by adding them to the keywords blocking section. Browse to Security Services>Content Filter and then click configure. Then click on the custom list tab. Under the Keyword Blocking add the top level domain which would be blocked. Examples are .com, .net, .biz, .info, etc. Be sure to include the dot/period
Attached is a image of the screen I used.
Mister Porsche GT3Author Commented:
Thanks John, but I neglected to mention that this is incoming traffic.  If I'm not mistaken, CFS is only to limit my employees from going to these sites correct?  I'm basically looking for a solution to block ALL emails coming from any domain EXCEPT .com, .net, and .org.
SD-WAN: Making It Work for You

As bandwidth requirements and Internet costs grow, businesses naturally want to manage budgets by reducing reliance on their most expensive connection types. Learn more about how to make SD-WAN work for your business in our on-demand webinar!

bbaoIT ConsultantCommented:
@Mister Porsche GT3

you are right, CFS applies to web access only which means you can't use this way to filter general IP traffic this way, including email traffic.

unfortunately, the objects in SonicWALL must be IP addresses in numbers, hence domain based filter won't be applicable to SonicWALL objects. therefore your requirement CANNOT be fulfilled by your SonicWALL whatever it is running Standard or Enhanced version.

what you expect can be done by setting up your own DNS server which will be handling all your outgoing DNS requests against all domains. you may simply configure this DNS server to resolve ALL unwanted top domains (actually ANY unwanted domain) itself instead of forwarding the requests to up-level DNS server on the Internet (this is for allowed domains).

simply resolve these unwanted domain to or an unused INTERNAL address, then all traffic to these domains will become nothing, never be accessible. sounds like what you need?

this method applies to all outgoing traffic, including ANY email traffic, so the spam links to the unwanted domains will be NEVER valid again.

does it make sense?
Aaron TomoskyDirector of Solutions ConsultingCommented:
inckming traffic to the sonicwall is only an ip. DNS is for outgoing only. You can make address objects and they work for both in and out, but their star only goes one level deep. So *.biz won't block

Any chance you are concerned about email, not web access? What are these "spammers" actually hitting on your network to bother you?
Mister Porsche GT3Author Commented:

Yes, the concern is strictly regarding email traffic.  My employees don't actively seek them out.  Unfortunately, I am a member of a few organizations that blast out your email address "as a favor" to everyone else on their lists once you join their organization.  Once that happens, you get passed around quickly and some of those folks might even have viruses that bombard you.  To make a long story short...we're getting 2000+ emails a day that are complete garbage and seem to have found their way around Sonicwall's paid SPAM washing service.  Most of the emails are from junk domains like .biz, .us, .info, .adv, etc.
Mister Porsche GT3Author Commented:

I'm not worried about my employees following the phishing links to the incoming SPAM.  I just don't want to receive the SPAM at all.  So I'd like to block ALL incoming email except from the three top level domains.  Drastic I know, but I have interest talking to anyone but a few folks who don't have a URL in the top three.  For those few I can add them to a white list.
Aaron TomoskyDirector of Solutions ConsultingCommented:
Alright now we are getting somewhere. What's your email server?
Mister Porsche GT3Author Commented:
Exchange 2013 with DAG
Aaron TomoskyDirector of Solutions ConsultingCommented:
yeah, that's super easy to block right in exchange
Mister Porsche GT3Author Commented:

We tried this, but the MAIL FROM header is too easily spoofed.  I tried blocking *.info for example in Exchange and kept getting emails from (which is nearly impossible to block of course because they just increment the number and keep sending).  I'd like to figure out a way to block *.info while still performing something similar to a reverse DNS lookup.  I know you can use SPF records, but not everyone uses them and it's an "all or nothing" rule for blocking so even that is not a viable solution.
Aaron TomoskyDirector of Solutions ConsultingCommented:
Hence the existence of services you can pass your mail through. It's a never ending battle, but if you can knock out the majority of things, end users will have less to deal with.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Mister Porsche GT3Author Commented:

I'll go ahead and give you the credit even though I'm still looking for an answer.  We have the Sonicwall SPAM washing subscription and it is useless.  I won't be renewing it.  Is Barracuda any better?
Aaron TomoskyDirector of Solutions ConsultingCommented:
Never used barracuda, I think they are all beefy appliances, good reputation though. I've worked with a few larger orgs that use them and they seem powerful.

Do you really want to host your own? Have you looked at comodo or one of the other cloud services?
Mister Porsche GT3Author Commented:
Unfortunately, a full cloud service is not an option.  Let's just say my customer is rather private...  ;-)
Aaron TomoskyDirector of Solutions ConsultingCommented:
Best reason there is to run your own mail server.

As I don't have experience with any of them I won't mention any by name. Search for self hosted exchange spam filter and you will find lots of options
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.