Suricata & DNS blocking


We had a discussion about blocking things with DNS like Pi-hole previously, and just recently, as I have been testing Suricata out, I noticed that it is catching DNS queries and doing DNS blocking! So it seems that Suricata already can do what I desire!

Here is an example from my IPS log of a domain I tried to access that was caught by Suricata:

Date: 01/12 22:42:48 Name: ET INFO DNS Query for Suspicious .ml Domain
Priority: 2 Type: Potentially Bad Traffic
IP info: ->
References: none found SID: 2025106

So I guess perhaps there could be a way to make Suricata rules to do what I wanted to achieve originally? What do people think about this?

Although I am aware I will need to think about DoH as it won’t be caught like this.

But I think, given that IPFire already has a mechanism to update Suricata rules every day, it would just be a matter of updating the PhishArmy rules I make for Suricata every day, right?
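As an added example (not code from the original post, IPFire or the Suricata project), here is one way to turn a plain domain blocklist into Suricata DNS rules that can be regenerated on a daily schedule. It uses the `dns.query` sticky buffer with the `dotprefix` transform (available in Suricata 6.0 and later) so a rule matches the listed domain and its subdomains without matching unrelated names that merely end in the same string. The blocklist text, the `PhishArmy` category name and the SID range are constructed assumptions for the example; local rules conventionally use SIDs in the 1000000-1999999 range.

```python
"""
Generate Suricata DNS blocking rules from a plain or hosts-style domain list.
Hypothetical example; not IPFire's or Suricata's own tooling.
"""
import re

# Strict hostname check: labels of letters, digits and hyphens joined by dots,
# no label starting or ending with a hyphen, at least one dot overall.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)

# Constructed sample blocklist (not a real feed): mixes plain lines, a
# hosts-style line, a case-only duplicate, an invalid entry and a trailing dot.
BLOCKLIST = """\
# constructed sample blocklist
bad-example.ml
0.0.0.0 phish.example.tk   # hosts-style line
BAD-EXAMPLE.ML             # duplicate, differs only in case
not_a_domain
login.example.ga.
"""


def parse_blocklist(text):
    """Return unique, lower-cased domains from blocklist text.

    Comments (#) and blank lines are skipped, hosts-style lines such as
    '0.0.0.0 bad.example' are reduced to the domain, and anything that does
    not look like a hostname is dropped so it cannot break the rule syntax.
    """
    seen = set()
    domains = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("0.0.0.0", "127.0.0.1") and len(parts) > 1:
            candidate = parts[1]
        else:
            candidate = parts[0]
        candidate = candidate.rstrip(".")
        if _DOMAIN_RE.match(candidate) and candidate not in seen:
            seen.add(candidate)
            domains.append(candidate)
    return domains


def make_rule(domain, sid, action="drop", category="PhishArmy"):
    """Build one Suricata rule matching the domain and any subdomain.

    dns.query selects the queried name; dotprefix (Suricata 6.0+) prepends a
    '.' to the buffer, so 'content:".bad.example"; endswith;' matches both
    'bad.example' and 'x.bad.example' but not 'notbad.example'.
    """
    return (
        f"{action} dns any any -> any any "
        f'(msg:"{category} DNS query for blocked domain {domain}"; '
        f'dns.query; dotprefix; content:".{domain}"; nocase; endswith; '
        f"classtype:bad-unknown; sid:{sid}; rev:1;)"
    )


def generate_rules(text, base_sid=1000000, action="drop"):
    """One rule per unique domain, SIDs assigned sequentially from base_sid."""
    return [
        make_rule(domain, base_sid + i, action)
        for i, domain in enumerate(parse_blocklist(text))
    ]


if __name__ == "__main__":
    # Write the generated ruleset to stdout; redirect it into the rules
    # directory your Suricata configuration loads, then reload the rules.
    print("\n".join(generate_rules(BLOCKLIST)))
```

Using `alert` instead of `drop` as the action gives a log-only run to check for false positives before switching to blocking; keeping the SID base fixed across daily regenerations means each domain's SID can change when the list changes, so treat the generated file as disposable rather than editing it by hand.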