Blocking of domain strings in iptables

Paul Ferguson fergdawgster at mykolab.com
Sat Feb 8 16:30:14 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Have you looked at perhaps using DNS RPZ (Response Policy Zones)?

https://dnsrpz.info/

- - ferg


On 2/8/2014 12:08 AM, Anurag Bhatia wrote:

> Hello everyone
> 
> 
> I am trying to figure out a way to drop DNS resolution of a domain 
> name before it hits the application server. I do not want to do 
> domain-to-IP mapping and block the destination IP (and source IP 
> blocking is also not an option).
> 
> I can see that a string like this:
> 
> iptables -A INPUT -p udp -m udp --dport 53 -m string --string \
>   "domain" --algo kmp --to 65535 -j DROP
> 
> 
> This can block "domain", which includes domain.com/domain.net and 
> everything in that pattern. I tried using a hexadecimal string for 
> the value, like domaincom (hex equivalent), and the firewall doesn't 
> pick that up at all.
> 
> The only other option which I found to work nicely is a u32-based 
> string, as suggested on the DNS amplification blog post here: 
> http://dnsamplificationattacks.blogspot.in/2013/12/domain-dnsamplificationattackscc.html
> 
> A string like this, as suggested on the above link, works exactly 
> for that domain:
> 
> iptables --insert INPUT -p udp --dport 53 -m u32 --u32 \
> "0x28&0xFFDFDFDF=0x17444e53 && 0x2c&0xDFDFDFDF=0x414d504c && \
> 0x30&0xDFDFDFDF=0x49464943 && 0x34&0xDFDFDFDF=0x4154494f && \
> 0x38&0xDFDFDFDF=0x4e415454 && 0x3c&0xDFDFDFDF=0x41434b53 && \
> 0x40&0xFFDFDFFF=0x02434300" -j DROP \
> -m comment --comment "DROP DNS Q dnsamplificationattacks.cc"
> 
> 
> but here I am not sure how to create such strings and script them 
> for automation.
> 
> 
> 
> Can someone suggest a way out for this within iptables or maybe 
> some other open source firewall?
> 
> 
> Thanks.
> 


- -- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlL2W5YACgkQKJasdVTchbJ+qAD+NP7VDzOK2m416hCvi0Mm3rq+
WA7kTOGgXWQGuz20F/cA/3YOsrrlYIL0plRPRUW1Qex2zZfhG4Z/pO63zA0u8DBE
=AfV6
-----END PGP SIGNATURE-----
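
Ferguson's answer moves the problem to the resolver (RPZ). The quoted post's actual question, how to derive the u32 expression for an arbitrary name and script it, is answered below as an added example; this is not code from the thread, from the blog post it cites, or from Ferguson. It rebuilds the exact expression quoted above from the domain name and then evaluates it against constructed packets the way the kernel's xt_u32 match does, so the 0x20 case-folding mask and the fixed-offset caveat can be seen rather than trusted. The packet builder, the sample packets and the `ihl_relative` option are this example's own additions; the 15-test limit is the kernel's `XT_U32_MAXSIZE`.

```python
#!/usr/bin/env python3
"""Generate an iptables -m u32 match that drops UDP/53 queries for one exact
QNAME, and check it against constructed packets as xt_u32 would.

Added example for the NANOG thread, not code from it. Assumes IPv4, a standard
query with one question and (for the thread's fixed-offset form) a 20-byte IP
header without options; ihl_relative=True drops the last assumption.
"""
import re

IPV4_HDR, UDP_HDR, DNS_HDR = 20, 8, 12
QNAME_OFF = IPV4_HDR + UDP_HDR + DNS_HDR        # 0x28 when IHL == 5
XT_U32_MAXSIZE = 15                              # kernel limit: tests per rule


def wire_qname(domain: str) -> bytes:
    """RFC 1035 label encoding: example.com -> b'\\x07example\\x03com\\x00'."""
    out = bytearray()
    for label in domain.rstrip(".").split("."):
        if not 0 < len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def u32_expr(domain: str, ihl_relative: bool = False) -> str:
    """One 'offset&mask=value' test per 32-bit word of the wire-format QNAME.
    Length bytes and the terminator are matched exactly (0xFF); letters get
    mask 0xDF so the case bit (0x20, randomised by some resolvers) is ignored.
    ihl_relative prefixes each test with '0>>22&0x3C@' (IHL*4 from the IP
    header) so offsets count from the UDP header and survive IP options."""
    name = wire_qname(domain)
    masks = bytes(0xDF if chr(b).isalpha() else 0xFF for b in name)
    pad = -len(name) % 4                         # tail bytes (QTYPE) are masked out
    name, masks = name + b"\0" * pad, masks + b"\0" * pad
    base, prefix = ((UDP_HDR + DNS_HDR, "0>>22&0x3C@") if ihl_relative
                    else (QNAME_OFF, ""))
    tests = []
    for i in range(0, len(name), 4):
        word = int.from_bytes(name[i:i + 4], "big")
        mask = int.from_bytes(masks[i:i + 4], "big")
        tests.append(f"{prefix}0x{base + i:x}&0x{mask:08X}=0x{word & mask:08x}")
    if len(tests) > XT_U32_MAXSIZE:
        raise ValueError(f"{domain}: {len(tests)} tests > {XT_U32_MAXSIZE}")
    return " && ".join(tests)


def iptables_rule(domain: str, ihl_relative: bool = False) -> str:
    """Full command line in the shape the thread uses."""
    return (f'iptables -I INPUT -p udp --dport 53 -m u32 --u32 '
            f'"{u32_expr(domain, ihl_relative)}" '
            f'-m comment --comment "DROP DNS Q {domain}" -j DROP')


_TOK = re.compile(r"0x[0-9a-fA-F]+|\d+|>>|<<|&|@")


def u32_match(expr: str, pkt: bytes) -> bool:
    """Evaluate expr on pkt (starting at the IP header) like xt_u32: subset
    & << >> @ and a single '=' value; a read past the end fails the test."""
    def word(off: int) -> int:
        if off < 0 or off + 4 > len(pkt):
            raise IndexError
        return int.from_bytes(pkt[off:off + 4], "big")
    for test in expr.split("&&"):
        loc, value = test.split("=")
        toks = _TOK.findall(loc)
        try:
            at, val = 0, word(int(toks[0], 0))
            for op, num in zip(toks[1::2], toks[2::2]):
                n = int(num, 0)
                if op == "&":    val &= n
                elif op == ">>": val >>= n
                elif op == "<<": val = (val << n) & 0xFFFFFFFF
                elif op == "@":  at += val; val = word(at + n)
        except IndexError:
            return False
        if val != int(value, 0):
            return False
    return True


def dns_query_packet(qname: str, ihl_words: int = 5) -> bytes:
    """Constructed IPv4/UDP/DNS A query (dummy addresses, zero checksums);
    ihl_words > 5 appends NOP options to show the fixed-offset caveat."""
    dns = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # id, RD, QD=1
           + wire_qname(qname) + b"\x00\x01\x00\x01")             # A, IN
    udp = b"\xc0\x00\x00\x35" + (UDP_HDR + len(dns)).to_bytes(2, "big") + b"\0\0"
    opts = b"\x01" * (4 * (ihl_words - 5))
    total = IPV4_HDR + len(opts) + len(udp) + len(dns)
    ip = (bytes([0x40 | ihl_words, 0]) + total.to_bytes(2, "big")
          + b"\x00\x00\x00\x00\x40\x11\x00\x00"                   # id, frag, TTL, UDP
          + b"\x0a\x00\x00\x01\x0a\x00\x00\x02" + opts)
    return ip + udp + dns
```

`iptables_rule("dnsamplificationattacks.cc")` reproduces the quoted rule byte for byte. Two things the generator makes explicit that the hand-built rule leaves implicit: the 0x28 offset is only right when the IP header carries no options (the `ihl_relative` form reads IHL instead), and xt_u32 accepts at most 15 tests per rule, so names whose wire form exceeds 60 bytes cannot be matched exactly this way and need the string match or Ferguson's RPZ instead.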



More information about the NANOG mailing list