nanog mailing list archives
Re: Blocking of domain strings in iptables
From: David Miller <dmiller () tiggee com>
Date: Sat, 08 Feb 2014 12:47:09 -0500
On 02/08/2014 09:40 AM, William Herrin wrote:
> On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff <jof () thejof com> wrote:
>> This is going to be tricky to do, as DNS packets don't necessarily contain
>> entire query values or FQDNs as complete strings due to packet label
>> compression (remember, original DNS only has 512 bytes to work with).
>
> Howdy,
>
> The DNS query essentially always contains the full string in a sequence. It
> doesn't *have* to per the protocol but you'll be hard pressed to find a
> real-world example where it doesn't. The catch is, the dots aren't encoded.
> The components of the name being queried are separated by a byte indicating
> the length of the next piece. So, instead of www.google.com the query packet
> contains www 0x06 google 0x03 com.
For the completeness of the archives, the length of the first token is also
encoded and the final terminator is 0.

0x03 www 0x06 google 0x03 com 0x00

-DMM
> You can implement this with --hex-string instead of --string but you'll have
> to convert the entire thing to hex first
>
> Regards,
> Bill Herrin
Attachment:
signature.asc
Description: OpenPGP digital signature
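The wire encoding discussed in this thread, worked through as an added example (this is not code from the thread or from any of its posters). The encoder turns a name into the length-prefixed label sequence that `-m string --hex-string` has to match; the decoder follows the RFC 1035 compression pointers Jonathan mentions, to show why a name that only appears in compressed form will not be found by a raw byte match. The response packet and the chain name in the generated rule are constructed for the example.

```python
import struct
from typing import Tuple


def encode_qname(name: str) -> bytes:
    """DNS wire format (RFC 1035 s3.1): each label is preceded by its length
    byte, and the sequence ends with a zero byte. Dots are not encoded."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def iptables_hex_string(name: str) -> str:
    """Render the encoded name in the |hex| notation taken by --hex-string."""
    return "|" + encode_qname(name).hex() + "|"


def iptables_rule(name: str, chain: str = "FORWARD") -> str:
    """Build a drop rule for UDP/53 queries carrying this exact label sequence.
    The chain name is an assumption for the example."""
    return ('iptables -A %s -p udp --dport 53 -m string --algo bm '
            '--hex-string "%s" -j DROP' % (chain, iptables_hex_string(name)))


def raw_match(packet: bytes, name: str) -> bool:
    """What xt_string effectively does: a byte-substring search, no parsing."""
    return encode_qname(name) in packet


def decode_qname(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name starting at offset, following compression pointers
    (RFC 1035 s4.1.4). Returns (name, offset just past the name as it
    appears at the original position)."""
    labels, end, jumps = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # pointer: 11xxxxxx xxxxxxxx
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = offset + 2                      # a pointer ends the name here
            jumps += 1
            if jumps > 64:
                raise ValueError("pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


# Constructed sample response: question for www.google.com, and an answer whose
# owner name is written as "mail" + a pointer to offset 16, where "google.com"
# already sits inside the question name. mail.google.com therefore never
# appears as a contiguous label sequence in this packet.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)          # header, QR=1
    + b"\x03www\x06google\x03com\x00" + struct.pack("!HH", 1, 1)  # question
    + b"\x04mail\xc0\x10"                                        # compressed name
    + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])  # A record (TEST-NET-1)
)

if __name__ == "__main__":
    print(iptables_rule("www.google.com"))
    print(decode_qname(SAMPLE_RESPONSE, 12), raw_match(SAMPLE_RESPONSE, "www.google.com"))
    print(decode_qname(SAMPLE_RESPONSE, 32), raw_match(SAMPLE_RESPONSE, "mail.google.com"))
```

Two practical points fall out of running this. First, because xt_string is a substring search, the pattern for `google.com` (`|06676f6f676c6503636f6d00|`) also hits `www.google.com`, `mail.google.com` and anything else under that zone; matching a single host requires the leading length byte of the first label as well, and matching the zone without its hosts is not something a byte match can express. Second, the decoder recovers `mail.google.com` from the constructed response while `raw_match` does not find it, which is Jonathan's compression caveat; as Bill notes, the question section of a real query is the place where the name is in practice uncompressed, so filtering queries rather than responses is what makes the hex-string approach workable at all.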