Blocking of domain strings in iptables
bill at herrin.us
Sat Feb 8 14:40:27 UTC 2014
On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff <jof at thejof.com> wrote:
> This is going to be tricky to do, as DNS packets don't necessarily contain
> entire query values or FQDNs as complete strings due to packet label
> compression (remember, original DNS only has 512 bytes to work with).
The DNS query essentially always contains the full string in a
sequence. It doesn't *have* to per the protocol but you'll be hard
pressed to find a real-world example where it doesn't.
The catch is, the dots aren't encoded. The components of the name
being queried are separated by a byte indicating the length of the
next piece. So, instead of www.google.com the query packet contains
www 0x06 google 0x03 com.
You can implement this with --hex-string instead of --string but
you'll have to convert the entire thing to hex first.
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
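The label encoding described in the reply above, worked through as an added example (this is not code from the thread or from the iptables project): `dns_wire_name` turns a hostname into the length-prefixed wire form, `hex_string_pattern` renders it in the pipe-delimited notation that `-m string --hex-string` accepts, and `rule_matches` models the kernel match as a plain substring search over a constructed query payload. The function names, the chain and the `0x1234` query ID are assumptions for illustration.

```python
import re
import struct

# Hostname labels: letters, digits, hyphen, 1..63 bytes (assumed scope)
_LABEL_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")


def _labels(name):
    """Split a dotted name into labels, rejecting anything that is not
    a plain hostname label (keeps the --hex-string rendering simple)."""
    labels = [l for l in name.strip(".").split(".") if l]
    for label in labels:
        if not _LABEL_RE.match(label):
            raise ValueError(f"not a hostname label: {label!r}")
    return labels


def dns_wire_name(name):
    """Uncompressed DNS wire-format name: each label is prefixed with its
    length byte and the name ends with the zero-length root label, so
    www.google.com becomes b'\\x03www\\x06google\\x03com\\x00'. The question
    section of a query has nothing earlier to point at, which is why it
    is found in this form rather than with compression pointers."""
    out = bytearray()
    for label in _labels(name):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def hex_string_pattern(name):
    """Render the wire-format name in the notation iptables' string match
    takes for --hex-string: bytes between pipes are hex, text outside the
    pipes is literal, e.g. |03|www|06|google|03|com|00|."""
    return "".join(f"|{len(l):02x}|{l}" for l in _labels(name)) + "|00|"


def iptables_rule(name, chain="FORWARD"):
    """Rule dropping UDP/53 packets whose payload contains the encoded name.
    Because the match is a substring search, the pattern for google.com
    also hits queries for www.google.com (the encoded bytes sit inside the
    longer name) but not xgoogle.com or google.com.example, since the
    length byte before the first label and the trailing 00 must both match."""
    return (f"iptables -A {chain} -p udp --dport 53 -m string --algo bm "
            f'--hex-string "{hex_string_pattern(name)}" -j DROP')


def build_query(name, qtype=1):
    """Constructed minimal DNS query payload (ID 0x1234, RD set, one
    question of class IN), used only to exercise the matcher offline."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + dns_wire_name(name) + struct.pack("!HH", qtype, 1)


def rule_matches(blocked, payload):
    """Model of what the kernel string match does: look for the encoded
    name as a byte substring anywhere in the packet payload."""
    return dns_wire_name(blocked) in payload


if __name__ == "__main__":
    print(iptables_rule("google.com"))
    for q in ("google.com", "www.google.com", "xgoogle.com", "google.com.example"):
        print(f"{q:22} blocked={rule_matches('google.com', build_query(q))}")
```

The rule only sees what is in the packet, so it matches the domain and every name beneath it, and nothing more: a name that merely contains the string "google" without the preceding length byte is left alone. The same payload search does not help against responses, where the name may be replaced by a compression pointer, which is the limitation raised earlier in the thread.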