[168997] in North American Network Operators' Group
Re: Blocking of domain strings in iptables
daemon@ATHENA.MIT.EDU (William Herrin)
Sat Feb 8 09:41:06 2014
In-Reply-To: <CAHsqw9vcmp=2nZ-4H3xdEuzBygHvSSo7R0+JnASTV-o=aFLJQg@mail.gmail.com>
From: William Herrin <bill@herrin.us>
Date: Sat, 8 Feb 2014 09:40:27 -0500
To: Jonathan Lassoff <jof@thejof.com>
Cc: NANOG Mailing List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff <jof@thejof.com> wrote:
> This is going to be tricky to do, as DNS packets don't necessarily contain
> entire query values or FQDNs as complete strings due to packet label
> compression (remember, original DNS only has 512 bytes to work with).
Howdy,
The DNS query essentially always contains the full string in a
sequence. It doesn't *have* to per the protocol but you'll be hard
pressed to find a real-world example where it doesn't.
The catch is, the dots aren't encoded. The components of the name
being queried are separated by a byte indicating the length of the
next piece. So, instead of www.google.com the query packet contains
www 0x06 google 0x03 com.
You can implement this with --hex-string instead of --string but
you'll have to convert the entire thing to hex first.
Regards,
Bill Herrin
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
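An added example, not part of the thread above: a small Python helper that converts a domain name into the length-prefixed wire form Bill describes (including the leading length byte and the terminating 0x00 that the prose omits), emits the corresponding iptables `-m string --hex-string` pattern, decodes a QNAME that may use a compression pointer, and checks the pattern against a constructed query packet. The `--hex-string` form (hex bytes between pipes) is the documented xt_string syntax; the `icase` flag mirrors `--icase`, which matters because clients may send mixed-case names.

```python
"""DNS wire-format name encoding for iptables string matching (constructed example)."""
import struct

def encode_name(name: str) -> bytes:
    """Wire form: each label preceded by its length byte, terminated by 0x00.
    Case is preserved, as it is on the wire."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)

def hex_string_pattern(name: str) -> str:
    """Pattern for: iptables ... -m string --algo bm --icase --hex-string '<pattern>'"""
    return "|" + encode_name(name).hex() + "|"

def decode_name(msg: bytes, offset: int) -> tuple:
    """Decode one name starting at offset; follows 0xC0 compression pointers.
    Returns (dotted name, offset just past the name's first occurrence)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # pointer to earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = ptr, True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Constructed standard A query: 12-byte header + QNAME + QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def pattern_matches(name: str, packet: bytes, icase: bool = True) -> bool:
    """What the iptables rule does: substring search for the encoded name.
    The length byte in front of the first label stops 'notwww' from matching
    'www', while a bare 'google.com' pattern also covers every subdomain."""
    needle, hay = encode_name(name), packet
    if icase:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay
```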