Blocking of domain strings in iptables

William Herrin bill at
Sat Feb 8 14:40:27 UTC 2014

On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff <jof at> wrote:
> This is going to be tricky to do, as DNS packets don't necessarily contain
> entire query values or FQDNs as complete strings due to packet label
> compression (remember, original DNS only has 512 bytes to work with).
The DNS query essentially always contains the full string in a
sequence. It doesn't *have* to per the protocol but you'll be hard
pressed to find a real-world example where it doesn't.

The catch is, the dots aren't encoded. The components of the name
being queried are separated by a byte indicating the length of the
next piece. So, instead of the query packet contains
www 0x06 google 0x03 com.

You can implement this with --hex-string instead of --string but
you'll have to convert the entire thing to hex first.

Bill Herrin

William D. Herrin ................ herrin at  bill at
3005 Crane Dr. ...................... Web: <>
Falls Church, VA 22042-3004
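The length-prefixed label encoding and the --hex-string conversion described above, as an added Python example that is not part of the original post; the rule shape, the constructed query packet and the sample names are assumptions for illustration:

```python
import struct

def dns_wire_name(fqdn: str) -> bytes:
    """Encode a name as DNS labels: <len><label>...<len><label>0x00 (no dots)."""
    out = bytearray()
    for label in fqdn.strip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))   # the length byte that takes the place of the dot
        out += raw
    out.append(0)              # root label terminates the name
    return bytes(out)

def hex_string_pattern(fqdn: str) -> str:
    """Render the wire name in the |xx xx ..| notation of iptables --hex-string."""
    return "|" + " ".join(f"{b:02x}" for b in dns_wire_name(fqdn)) + "|"

def drop_rule(fqdn: str) -> str:
    """Assumed rule shape: drop UDP/53 packets that carry the encoded name."""
    return ('iptables -A INPUT -p udp --dport 53 -m string --algo bm '
            f'--hex-string "{hex_string_pattern(fqdn)}" -j DROP')

def build_query(fqdn: str, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS A query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + dns_wire_name(fqdn) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def rule_matches(pattern_fqdn: str, packet: bytes) -> bool:
    """xt_string is a plain substring search over the payload, so mimic that."""
    return dns_wire_name(pattern_fqdn) in packet

if __name__ == "__main__":
    print(drop_rule("www.google.com"))
    for blocked, queried in [("google.com", "www.google.com"),
                             ("google.com", "notgoogle.com"),
                             ("www.google.com", "google.com")]:
        print(f"pattern {blocked!r} vs query {queried!r}: "
              f"{rule_matches(blocked, build_query(queried))}")
```

Because the pattern ends with the terminating 0x00, a parent-domain pattern also catches queries for its subdomains, while the leading length byte keeps a name like notgoogle.com from matching.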