Blocking of domain strings in iptables

Jonathan Lassoff jof at thejof.com
Sat Feb 8 08:34:45 UTC 2014


This is going to be tricky to do, as DNS packets don't necessarily contain
entire query values or FQDNs as complete strings due to packet label
compression (remember, original DNS only has 512 bytes to work with).

You can use those u32 module matches to find some known-bad packets if
they're sufficiently unique, but it simply lacks enough logic to fully
parse DNS queries.
Here's an interesting example to visualize what's happening:
http://dnsamplificationattacks.blogspot.com/p/iptables-block-list.html

One quick thing that would work would be to match a single label (e.g.
"google", but not "google.com"), but this will end up blocking any frames
with that substring in it (e.g. you want to block "evil.com", but this also
blocks "evil.example.com").

If you find yourself needing to parse and block DNS packets based on their
content in a more flexible way, I would look into either making an iptables
module that does the DNS parsing (
http://inai.de/documents/Netfilter_Modules.pdf), or using a userspace
library like with NFQUEUE (e.g. https://pypi.python.org/pypi/NetfilterQueue)
or l7-filter (http://l7-filter.sourceforge.net/).

Best of luck and happy hacking!

Cheers,
jof



On Sat, Feb 8, 2014 at 12:08 AM, Anurag Bhatia <me at anuragbhatia.com> wrote:

> Hello everyone
>
>
> I am trying to figure out the way to drop a domain name DNS resolution
> before it hits application server. I do not want to do domain to IP mapping
> and block destination IP (and source IP blocking is also not an option).
>
> I can see that a string like this:
>
> iptables -A INPUT -p udp -m udp --dport 53 -m string --string "domain"
> --algo kmp --to 65535 -j DROP
>
>
> this can block "domain" which includes domain.com/domain.net and
> everything in that pattern. I tried using hexadecimal string for value like
> domaincom (hexa equivalent) and firewall doesn't pick that at all.
>
> The only other option which I found to be working nicely is u32 based
> string as something suggested on DNS amplification blog post here -
>
> http://dnsamplificationattacks.blogspot.in/2013/12/domain-dnsamplificationattackscc.html
>
>
> A string like this as suggested on above link works exactly for that domain
>
> iptables --insert INPUT -p udp --dport 53 -m u32 --u32
> "0x28&0xFFDFDFDF=0x17444e53 && 0x2c&0xDFDFDFDF=0x414d504c &&
> 0x30&0xDFDFDFDF=0x49464943 && 0x34&0xDFDFDFDF=0x4154494f &&
> 0x38&0xDFDFDFDF=0x4e415454 && 0x3c&0xDFDFDFDF=0x41434b53 &&
> 0x40&0xFFDFDFFF=0x02434300" -j DROP -m comment --comment "DROP DNS Q
> dnsamplificationattacks.cc"
>
>
> but here I am not sure how to create such string out and script them for
> automation.
>
>
>
> Can someone suggest a way out for this within IPTables or maybe some other
> open source firewall?
>
>
> Thanks.
>
> --
>
>
> Anurag Bhatia
> anuragbhatia.com
>
> Linkedin <http://in.linkedin.com/in/anuragbhatia21> |
> Twitter<https://twitter.com/anurag_bhatia>
> Skype: anuragbhatia.com
>
> PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2
>
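The scripting step the quoted post asks about, as an added example that is not from the thread: a small Python generator that emits a u32 expression in exactly the shape of the dnsamplificationattacks.cc rule quoted above for any exact query name. It assumes a 20-byte IPv4 header (question section at 0x28, as in that rule), masks only ASCII letters with 0xDF so digits and hyphens are compared exactly, and sets a 0x00 mask for bytes past the end of the name.

```python
"""Generate an iptables u32 match that drops DNS queries for one exact name."""
import sys

# Assumption: IPv4 header without options (20) + UDP (8) + DNS header (12).
QUESTION_OFFSET = 0x28

def wire_name(name: str) -> bytes:
    """Encode a name as uncompressed DNS labels: <len><label>...<0>."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)

def u32_tests(name: str, base: int = QUESTION_OFFSET) -> list:
    """One 'offset&mask=value' test per 32-bit word of the encoded name."""
    wire = wire_name(name)
    tests = []
    for i in range(0, len(wire), 4):
        chunk = wire[i:i + 4]
        value = mask = 0
        for pos in range(4):
            value <<= 8
            mask <<= 8
            if pos >= len(chunk):
                continue  # past the end of the name (QTYPE/QCLASS): mask 0x00
            b = chunk[pos]
            if 0x41 <= (b & 0xDF) <= 0x5A:  # ASCII letter: case-insensitive
                value |= b & 0xDF
                mask |= 0xDF
            else:  # length byte, digit, hyphen or the final 0: exact match
                value |= b
                mask |= 0xFF
        tests.append(f"0x{base + i:x}&0x{mask:08X}=0x{value:08x}")
    return tests

def drop_rule(name: str) -> str:
    """Full iptables command in the shape of the rule quoted in the thread."""
    expr = " && ".join(u32_tests(name))
    return (f'iptables -I INPUT -p udp --dport 53 -m u32 --u32 "{expr}" '
            f'-j DROP -m comment --comment "DROP DNS Q {name}"')

if __name__ == "__main__":
    print(drop_rule(sys.argv[1] if len(sys.argv) > 1 else "dnsamplificationattacks.cc"))
```

Because the first byte compared is the exact label length, the rule matches only queries for that name, not for subdomains of it; query names on the wire are not label-compressed, so the u32 approach holds for queries even though it cannot parse responses.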


