Blocking of domain strings in iptables

Anurag Bhatia me at anuragbhatia.com
Wed Feb 12 20:54:24 UTC 2014


Thanks everyone for useful responses. I almost used script mentioned by
Stephane (http://www.bortzmeyer.org/files/generate-netfilter-u32-dns-rule.py)
but I realized that for a rule for "domain.com" it blocks "domain.com" only
and their was no easy way out to block subdomains as well. In last few days
after my post, I noticed traffic in pattern of sub1.sub2.domain.com where
sub1 and sub2 are randomly generated strings.


I tried creating .domain.com and other rules in u32 but didn't help for
subdomain. Also since there were very high number of subdomains (but
limited domains), possibility to generate u32 rule for each sub didn't made
sense. I re-visited Hexadecimal string with 03 and 00 for dot was actually
able to help.


RPZ and some other option I am still exploring.

Thanks.



On Sat, Feb 8, 2014 at 11:17 PM, David Miller <dmiller at tiggee.com> wrote:

> On 02/08/2014 09:40 AM, William Herrin wrote:
> > On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff <jof at thejof.com> wrote:
> >> This is going to be tricky to do, as DNS packets don't necessarily
> contain
> >> entire query values or FQDNs as complete strings due to packet label
> >> compression (remember, original DNS only has 512 bytes to work with).
> >
> > Howdy,
> >
> > The DNS query essentially always contains the full string in a
> > sequence. It doesn't *have* to per the protocol but you'll be hard
> > pressed to find a real-world example where it doesn't.
> >
> > The catch is, the dots aren't encoded. The components of the name
> > being queried are separated by a byte indicating the length of the
> > next piece. So, instead of www.google.com the query packet contains
> > www 0x06 google 0x03 com.
>
> For the completeness of the archives, the length of the first token is
> also encoded and final terminator is 0.
>
> 0x03 www 0x06 google 0x03 com 0x00
>
>
> -DMM
>
> >
> > You can implement this with --hex-string instead of --string but
> > you'll have to convert the entire thing to hex first
> >
> > Regards,
> > Bill Herrin
> >
> >
>
>
>
>


-- 


Anurag Bhatia
anuragbhatia.com

Linkedin <http://in.linkedin.com/in/anuragbhatia21> |
Twitter<https://twitter.com/anurag_bhatia>
Skype: anuragbhatia.com

PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2


More information about the NANOG mailing list