[168999] in North American Network Operators' Group


Re: Blocking of domain strings in iptables

daemon@ATHENA.MIT.EDU (TR Shaw)
Sat Feb 8 11:46:47 2014

From: TR Shaw <tshaw@oitc.com>
In-Reply-To: <52F65B96.1010902@mykolab.com>
Date: Sat, 8 Feb 2014 11:46:22 -0500
To: fergdawgster@mykolab.com
Cc: NANOG Mailing List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


You could use RPZ but wouldn't something as simple as putting these two entries in a hosts file meet the mail?

Tom


On Feb 8, 2014, at 11:30 AM, Paul Ferguson wrote:

> Signed PGP part
> Have you looked at perhaps using DNS RPZ (Response Policy Zones)?
>
> https://dnsrpz.info/
>
> - ferg
>
>
> On 2/8/2014 12:08 AM, Anurag Bhatia wrote:
>
> > Hello everyone
> >
> >
> > I am trying to figure out the way to drop a domain name DNS
> > resolution before it hits application server. I do not want to do
> > domain to IP mapping and block destination IP (and source IP
> > blocking is also not an option).
> >
> > I can see that a string like this:
> >
> > iptables -A INPUT -p udp -m udp --dport 53 -m string --string
> > "domain" --algo kmp --to 65535 -j DROP
> >
> >
> > this can block "domain" which includes domain.com/domain.net and
> > everything in that pattern. I tried using hexadecimal string for
> > value like domaincom (hexa equivalent) and firewall doesn't pick
> > that at all.
> >
> > The only other option which I found to be working nicely is u32
> > based string as something suggested on DNS amplification blog post
> > here -
> > http://dnsamplificationattacks.blogspot.in/2013/12/domain-dnsamplificationattackscc.html
> >
> >
> >
> >
> > A string like this as suggested on above link works exactly for
> > that domain
> >
> > iptables --insert INPUT -p udp --dport 53 -m u32 --u32
> > "0x28&0xFFDFDFDF=0x17444e53 && 0x2c&0xDFDFDFDF=0x414d504c &&
> > 0x30&0xDFDFDFDF=0x49464943 && 0x34&0xDFDFDFDF=0x4154494f &&
> > 0x38&0xDFDFDFDF=0x4e415454 && 0x3c&0xDFDFDFDF=0x41434b53 &&
> > 0x40&0xFFDFDFFF=0x02434300" -j DROP -m comment --comment "DROP DNS
> > Q dnsamplificationattacks.cc"
> >
> >
> > but here I am not sure how to create such string out and script
> > them for automation.
> >
> >
> >
> > Can someone suggest a way out for this within IPTables or may be
> > some other open source firewall?
> >
> >
> > Thanks.
> >
>
>
> --
> Paul Ferguson
> VP Threat Intelligence, IID
> PGP Public Key ID: 0x54DC85B2
>
>


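The u32 rule quoted in Anurag's message compares the query name word by word starting at offset 0x28 (20-byte IP header + 8-byte UDP header + 12-byte DNS header), with 0xDF mask bytes making letters case-insensitive and 0xFF bytes matching label lengths and the terminator exactly. As an added example, not code from anyone in this thread, the Python below generates that expression for an arbitrary domain (it reproduces the dnsamplificationattacks.cc rule exactly) and wraps it in the same DROP rule; it assumes an IP header without options and that the name is the first question in the packet.

```python
import struct

# Offset of the first question name: IP header (20, IHL=5 assumed) +
# UDP header (8) + DNS header (12). Packets with IP options will not match.
DNS_QNAME_OFFSET = 0x28


def dns_wire_name(domain):
    """Encode 'a.b.c' as DNS wire labels: <len><label>...<0x00>."""
    out = b""
    for label in domain.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def u32_qname_match(domain):
    """Build the iptables -m u32 --u32 expression that matches this exact qname."""
    name = dns_wire_name(domain)
    # Letters get mask 0xDF (clears the ASCII case bit); lengths, digits,
    # hyphens and the terminating 0x00 are compared exactly with 0xFF.
    mask = bytes(0xDF if 0x61 <= b <= 0x7A else 0xFF for b in name)
    value = bytes(b & m for b, m in zip(name, mask))
    # Pad to a 32-bit boundary; padded bytes are masked to 0 so whatever
    # follows the name (QTYPE/QCLASS) is ignored instead of compared.
    pad = (-len(name)) % 4
    mask += b"\x00" * pad
    value += b"\x00" * pad
    tests = []
    for i in range(0, len(mask), 4):
        (m,) = struct.unpack("!I", mask[i:i + 4])
        (v,) = struct.unpack("!I", value[i:i + 4])
        tests.append("0x%x&0x%08X=0x%08x" % (DNS_QNAME_OFFSET + i, m, v))
    return " && ".join(tests)


def iptables_drop_rule(domain):
    """Full rule in the same shape as the one quoted in the thread."""
    return ('iptables -I INPUT -p udp --dport 53 -m u32 --u32 "%s" '
            '-m comment --comment "DROP DNS Q %s" -j DROP'
            % (u32_qname_match(domain), domain))


if __name__ == "__main__":
    print(iptables_drop_rule("dnsamplificationattacks.cc"))
```

The match is exact on the name, so subdomains need their own rule, and a query arriving with IP options or as a non-first question slips past it.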

