Blocking of domain strings in iptables

Sat Feb 8 08:08:13 UTC 2014

Hello everyone

I am trying to figure out the way to drop a domain name DNS resolution
before it hits application server. I do not want to do domain to IP mapping
and block destination IP (and source IP blocking is also not an option).

I can see that a string like this:

iptables -A INPUT -p udp -m udp --dport 53 -m string --string "domain"
--algo kmp --to 65535 -j DROP

this can block "domain" which includes domain.com/domain.net and everything
in that pattern. I tried using hexadecimal string for value like domaincom
(hexa equivalent) and firewall doesn't pics that at all.

The only other option which I found to be working nicely is u32 based
string as something suggested on DNS amplification blog post here -
http://dnsamplificationattacks.blogspot.in/2013/12/domain-dnsamplificationattackscc.html

A string like this as suggested on above link works exactly for that domain

iptables --insert INPUT -p udp --dport 53 -m u32 --u32
"0x28&0xFFDFDFDF=0x17444e53 && 0x2c&0xDFDFDFDF=0x414d504c &&
0x30&0xDFDFDFDF=0x49464943 && 0x34&0xDFDFDFDF=0x4154494f &&
0x38&0xDFDFDFDF=0x4e415454 && 0x3c&0xDFDFDFDF=0x41434b53 &&
0x40&0xFFDFDFFF=0x02434300" -j DROP -m comment --comment "DROP DNS Q
dnsamplificationattacks.cc"

but here I am not sure how to create such string out and script them for
automation.

Can someone suggest a way out for this within IPTables or may be some other
open source firewall?

Thanks.

-- 

Anurag Bhatia
anuragbhatia.com

Linkedin <http://in.linkedin.com/in/anuragbhatia21> |
Twitter<https://twitter.com/anurag_bhatia>
Skype: anuragbhatia.com

PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2