Blocking of domain strings in iptables

David Miller dmiller at
Sat Feb 8 17:47:09 UTC 2014

On 02/08/2014 09:40 AM, William Herrin wrote:
> On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff <jof at> wrote:
>> This is going to be tricky to do, as DNS packets don't necessarily contain
>> entire query values or FQDNs as complete strings due to packet label
>> compression (remember, original DNS only has 512 bytes to work with).
> Howdy,
> The DNS query essentially always contains the full string in a
> sequence. It doesn't *have* to per the protocol but you'll be hard
> pressed to find a real-world example where it doesn't.
> The catch is, the dots aren't encoded. The components of the name
> being queried are separated by a byte indicating the length of the
> next piece. So, instead of the query packet contains
> www 0x06 google 0x03 com.

For the completeness of the archives, the length of the first token is
also encoded and the final terminator is 0.

0x03 www 0x06 google 0x03 com 0x00


> You can implement this with --hex-string instead of --string but
> you'll have to convert the entire thing to hex first
> Regards,
> Bill Herrin

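Putting the two points in this thread together, here is an added example (not code from any of the posters): it encodes a name into the length-prefixed labels described above, renders it in the |..| notation that iptables -m string --hex-string accepts, and decodes a name that uses a compression pointer, which is why a packet carrying a compressed name will not contain the full byte sequence the rule looks for. The DNS message below is constructed by hand for the demonstration.

```python
def dns_wire_name(domain: str) -> bytes:
    """Encode a domain name as DNS wire-format labels: each label is
    preceded by one length byte, and the name ends with a zero byte."""
    out = bytearray()
    for label in domain.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def iptables_hex_string(domain: str) -> str:
    """Render the wire-format name in the |..| escape notation used by
    iptables -m string --hex-string, keeping label text readable."""
    parts = [f"|{len(l):02x}|{l}" for l in domain.strip(".").split(".")]
    return "".join(parts) + "|00|"


def decode_wire_name(msg: bytes, offset: int) -> tuple:
    """Decode a name at msg[offset], following compression pointers
    (a length byte with the top two bits set, RFC 1035 4.1.4).
    Returns (dotted name, offset just past the name in the stream)."""
    labels, resume, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            resume = resume if resume is not None else offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (resume if resume is not None else offset)


# Constructed message: 12-byte header, question name for www.google.com
# at offset 12, 4 bytes of qtype/qclass, then a second name "mail" that
# points back to "google.com" at offset 16 (0x10) instead of spelling it out.
SAMPLE_MSG = (b"\x00" * 12 + dns_wire_name("www.google.com")
              + b"\x00\x01\x00\x01" + b"\x04mail\xc0\x10")
```

The full pattern for `www.google.com` is present in `SAMPLE_MSG`, but `mail.google.com` is only recoverable by following the pointer, so a `--hex-string` match on its full encoding would never fire on that name.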