Blocking of domain strings in iptables

William Herrin bill at herrin.us
Sat Feb 8 14:40:27 UTC 2014


On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff <jof at thejof.com> wrote:
> This is going to be tricky to do, as DNS packets don't necessarily contain
> entire query values or FQDNs as complete strings due to packet label
> compression (remember, original DNS only has 512 bytes to work with).

Howdy,

The DNS query essentially always contains the full string in a
sequence. It doesn't *have* to per the protocol but you'll be hard
pressed to find a real-world example where it doesn't.

The catch is, the dots aren't encoded. The components of the name
being queried are separated by a byte indicating the length of the
next piece. So, instead of www.google.com the query packet contains
www 0x06 google 0x03 com.

You can implement this with --hex-string instead of --string but
you'll have to convert the entire thing to hex first

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004



More information about the NANOG mailing list