nanog mailing list archives

Re: Blocking of domain strings in iptables


From: TR Shaw <tshaw () oitc com>
Date: Sat, 8 Feb 2014 11:46:22 -0500

You could use RPZ but wouldn't something as simple as putting these two entries in a hosts file meet the mail?

Tom


On Feb 8, 2014, at 11:30 AM, Paul Ferguson wrote:

Have you looked at perhaps using DNS RPZ (Response Policy Zones)?

https://dnsrpz.info/

- ferg


On 2/8/2014 12:08 AM, Anurag Bhatia wrote:

Hello everyone


I am trying to figure out the way to drop a domain name DNS
resolution before it hits application server. I do not want to do
domain to IP mapping and block destination IP (and source IP
blocking is also not an option).

I can see that a string like this:

iptables -A INPUT -p udp -m udp --dport 53 -m string --string
"domain" --algo kmp --to 65535 -j DROP


This can block "domain", which includes domain.com/domain.net and
everything in that pattern. I tried using a hexadecimal string for the
value, like domaincom (hex equivalent), and the firewall doesn't pick
that up at all.

The only other option which I found to be working nicely is a u32
based string, as suggested on the DNS amplification blog post
here:
http://dnsamplificationattacks.blogspot.in/2013/12/domain-dnsamplificationattackscc.html


A string like this, as suggested at the above link, works exactly for
that domain:

iptables --insert INPUT -p udp --dport 53 -m u32 --u32
"0x28&0xFFDFDFDF=0x17444e53 && 0x2c&0xDFDFDFDF=0x414d504c &&
0x30&0xDFDFDFDF=0x49464943 && 0x34&0xDFDFDFDF=0x4154494f &&
0x38&0xDFDFDFDF=0x4e415454 && 0x3c&0xDFDFDFDF=0x41434b53 &&
0x40&0xFFDFDFFF=0x02434300" -j DROP -m comment --comment "DROP DNS
Q dnsamplificationattacks.cc"


but here I am not sure how to create such strings and script
them for automation.



Can someone suggest a way out for this within iptables or maybe
some other open source firewall?


Thanks.



--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
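An added example, not from this thread, showing how the u32 expression in the rule quoted above can be generated for any domain and scripted. It is plain Python and assumes what the quoted rule assumes: an IPv4 header with no options, so the DNS question name starts at IP offset 20 + 8 + 12 = 0x28.

```python
import string

# IPv4 header (no options) + UDP header + DNS header; the u32 match
# counts offsets from the start of the IP header.
DNS_QNAME_OFFSET = 20 + 8 + 12
U32_MAX_TESTS = 20  # xt_u32 accepts at most 20 "&&"-joined tests

def wire_name(domain: str) -> bytes:
    """Encode 'example.com' as DNS wire labels: \\x07example\\x03com\\x00."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)  # root label terminates the name
    return bytes(out)

def u32_match(domain: str) -> str:
    """Build 'OFF&MASK=VALUE && ...' tests, one per 4-byte word of the QNAME.
    Letters are compared with mask 0xDF so the match is case-insensitive
    (0x20-bit cleared, compare against uppercase); length bytes, digits,
    hyphens and the terminator use 0xFF; bytes past the name (QTYPE) get
    mask 0x00 so they are ignored."""
    name = wire_name(domain)
    tests = []
    for i in range(0, len(name), 4):
        chunk = name[i:i + 4]
        value = mask = 0
        for b in chunk:
            value <<= 8
            mask <<= 8
            if chr(b) in string.ascii_letters:
                value |= b & 0xDF
                mask |= 0xDF
            else:
                value |= b
                mask |= 0xFF
        pad = 4 - len(chunk)       # partial last word: don't-care tail
        value <<= 8 * pad
        mask <<= 8 * pad
        tests.append(f"0x{DNS_QNAME_OFFSET + i:x}&0x{mask:08X}=0x{value:08x}")
    if len(tests) > U32_MAX_TESTS:
        raise ValueError("QNAME too long for a single u32 match")
    return " && ".join(tests)

def iptables_rule(domain: str) -> str:
    """Complete INPUT rule in the same shape as the one quoted in the thread."""
    return (f'iptables -I INPUT -p udp --dport 53 -m u32 --u32 "{u32_match(domain)}" '
            f'-m comment --comment "DROP DNS Q {domain}" -j DROP')
```

The generated match for dnsamplificationattacks.cc is byte-for-byte the expression quoted above; note it only sees UDP queries on INPUT, so TCP queries and packets with IP options are not covered by this fixed-offset form.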


