[169001] in North American Network Operators' Group
Re: Blocking of domain strings in iptables
daemon@ATHENA.MIT.EDU (Stephane Bortzmeyer)
Sat Feb 8 12:17:20 2014
Date: Sat, 8 Feb 2014 18:16:45 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Jonathan Lassoff <jof@thejof.com>
In-Reply-To: <CAHsqw9vcmp=2nZ-4H3xdEuzBygHvSSo7R0+JnASTV-o=aFLJQg@mail.gmail.com>
Cc: NANOG Mailing List <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sat, Feb 08, 2014 at 12:34:45AM -0800,
Jonathan Lassoff <jof@thejof.com> wrote
a message of 88 lines which said:
> This is going to be tricky to do, as DNS packets don't necessarily
> contain entire query values or FQDNs as complete strings due to
> packet label compression
Apparently, the OP wanted to match the *question* in a *query* and
these are never compressed (they could, in theory, but are not).
> You can use those u32 module matches to find some known-bad packets
> if they're sufficiently unique, but it simply lacks enough logic to
> fully parse DNS queries.
u32's language is not Turing-complete but it is sufficient in the case
presented here.
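As an added example (not part of this thread and not code from either poster), the script below shows why the question section is easy to match byte-for-byte and how a u32 expression for it is derived. It encodes a name in DNS wire format (length-prefixed labels, no compression pointer), emits an iptables `-m u32 --u32` expression whose offsets are rebased past the IPv4 header with the `0>>22&0x3C@` idiom, and checks that expression against a constructed IPv4/UDP/DNS query packet using a small interpreter for the subset of u32 syntax it emits. The packet contents, addresses and the rule template are constructed for illustration; the case-insensitive variant masks the ASCII 0x20 bit of letters, a generalization beyond the exact-string match discussed above.

```python
import re
import struct

# Offset of the question name relative to the end of the IPv4 header:
# UDP header (8 bytes) + DNS header (12 bytes).  In a query, the question
# name is plain length-prefixed labels; there is nothing earlier in the
# message a compression pointer could refer to.
QNAME_OFFSET = 8 + 12


def encode_qname(name):
    """DNS wire format of a name: length-prefixed labels ending in a zero octet."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query_packet(name, qtype=1, ip_options=b""):
    """Constructed sample: IPv4/UDP/DNS standard query for `name` (addresses made up)."""
    dns = (struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
           + encode_qname(name) + struct.pack(">HH", qtype, 1))
    udp = struct.pack(">HHHH", 53000, 53, 8 + len(dns), 0)
    ihl = (20 + len(ip_options)) // 4          # header length in 32-bit words
    ip = struct.pack(">BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(ip_options) + len(udp) + len(dns),
                     0, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53])) + ip_options
    return ip + udp + dns


def u32_qname_expr(name, ignore_case=False):
    """iptables u32 expression matching exactly this question name, 4 bytes per test.

    `0>>22&0x3C` reads the IHL field and multiplies it by 4, so `@N` becomes
    N bytes past the IP header whatever its length.  With ignore_case, ASCII
    letters are compared with mask 0xDF (upper-cased), other octets exactly.
    """
    wire = encode_qname(name)
    tests = []
    for i in range(0, len(wire), 4):
        chunk = wire[i:i + 4]
        vals, masks = [], []
        for b in chunk:
            letter = 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A
            if ignore_case and letter:
                vals.append(b & 0xDF)
                masks.append(0xDF)
            else:
                vals.append(b)
                masks.append(0xFF)
        pad = 4 - len(chunk)                  # last word may run into QTYPE/QCLASS
        vals += [0] * pad
        masks += [0] * pad
        value = int.from_bytes(bytes(vals), "big")
        mask = int.from_bytes(bytes(masks), "big")
        loc = "0>>22&0x3C@%d" % (QNAME_OFFSET + i)
        if mask != 0xFFFFFFFF:
            loc += "&0x%08X" % mask
        tests.append("%s=0x%08X" % (loc, value))
    return " && ".join(tests)


def iptables_rule(name, ignore_case=False):
    """Illustrative rule template (assumed chain/policy): drop UDP/53 queries for `name`."""
    return ('iptables -A INPUT -p udp --dport 53 -m u32 --u32 "%s" -j DROP'
            % u32_qname_expr(name, ignore_case))


def _fetch(pkt, off):
    # u32 always reads 4 bytes; a read past the end of the packet fails the test.
    if off < 0 or off + 4 > len(pkt):
        raise IndexError(off)
    return int.from_bytes(pkt[off:off + 4], "big")


def u32_match(pkt, expr):
    """Interpreter for the u32 subset emitted above: number, >>, &, @ and a single =value."""
    for test in expr.split("&&"):
        lhs, rhs = test.strip().split("=")
        toks = re.findall(r">>|&|@|0x[0-9A-Fa-f]+|\d+", lhs)
        try:
            val = _fetch(pkt, int(toks[0], 0))
            for op, arg in zip(toks[1::2], toks[2::2]):
                arg = int(arg, 0)
                if op == ">>":
                    val >>= arg
                elif op == "&":
                    val &= arg
                elif op == "@":
                    val = _fetch(pkt, val + arg)
        except IndexError:
            return False
        if val != int(rhs, 0):
            return False
    return True


if __name__ == "__main__":
    print(iptables_rule("example.com"))
    print(iptables_rule("example.com", ignore_case=True))
    for q in ("example.com", "EXAMPLE.com", "examples.com", "sub.example.com"):
        print("%-16s exact=%s nocase=%s" % (
            q, u32_match(build_query_packet(q), u32_qname_expr("example.com")),
            u32_match(build_query_packet(q), u32_qname_expr("example.com", ignore_case=True))))
```

Two caveats the script makes visible: the exact-byte expression misses a query for `EXAMPLE.com`, since DNS names are case-insensitive but u32 compares octets (hence the 0xDF mask variant), and it matches only that precise question name, not subdomains of it. It also covers only UDP over IPv4; a query over TCP carries a two-byte length prefix and different header offsets.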