Blocking of domain strings in iptables

TR Shaw tshaw at oitc.com
Sat Feb 8 16:46:22 UTC 2014


You could use RPZ but wouldn't something as simple as putting these two entries in a host files meet the mail?

Tom


On Feb 8, 2014, at 11:30 AM, Paul Ferguson wrote:

> Signed PGP part
> Have you looked at perhaps using DNS RPZ (Response Policy Zones)?
> 
> https://dnsrpz.info/
> 
> - ferg
> 
> 
> On 2/8/2014 12:08 AM, Anurag Bhatia wrote:
> 
> > Hello everyone
> >
> >
> > I am trying to figure out the way to drop a domain name DNS
> > resolution before it hits application server. I do not want to do
> > domain to IP mapping and block destination IP (and source IP
> > blocking is also not an option).
> >
> > I can see that a string like this:
> >
> > iptables -A INPUT -p udp -m udp --dport 53 -m string --string
> > "domain" --algo kmp --to 65535 -j DROP
> >
> >
> > this can block "domain" which includes domain.com/domain.net and
> > everything in that pattern. I tried using hexadecimal string for
> > value like domaincom (hexa equivalent) and firewall doesn't pics
> > that at all.
> >
> > The only other option which I found to be working nicely is u32
> > based string as something suggested on DNS amplification blog post
> > here -
> > http://dnsamplificationattacks.blogspot.in/2013/12/domain-dnsamplificationattackscc.html
> >
> >
> >
> >
> > A string like this as suggested on above link works exactly for
> > that domain
> >
> > iptables --insert INPUT -p udp --dport 53 -m u32 --u32
> > "0x28&0xFFDFDFDF=0x17444e53 && 0x2c&0xDFDFDFDF=0x414d504c &&
> > 0x30&0xDFDFDFDF=0x49464943 && 0x34&0xDFDFDFDF=0x4154494f &&
> > 0x38&0xDFDFDFDF=0x4e415454 && 0x3c&0xDFDFDFDF=0x41434b53 &&
> > 0x40&0xFFDFDFFF=0x02434300" -j DROP -m comment --comment "DROP DNS
> > Q dnsamplificationattacks.cc"
> >
> >
> > but here I am not sure how to create such string out and script
> > them for automation.
> >
> >
> >
> > Can someone suggest a way out for this within IPTables or may be
> > some other open source firewall?
> >
> >
> > Thanks.
> >
> 
> 
> --
> Paul Ferguson
> VP Threat Intelligence, IID
> PGP Public Key ID: 0x54DC85B2
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20140208/8ffc4507/attachment.bin>


More information about the NANOG mailing list