[169003] in North American Network Operators' Group


Re: Blocking of domain strings in iptables

daemon@ATHENA.MIT.EDU (David Miller)
Sat Feb 8 12:47:33 2014

Date: Sat, 08 Feb 2014 12:47:09 -0500
From: David Miller <dmiller@tiggee.com>
To: NANOG Mailing List <nanog@nanog.org>
In-Reply-To: <CAP-guGWooLN9Td638mbS2Qt+B23OZ=kZGpLaYeXrLWKf7FQHYA@mail.gmail.com>


On 02/08/2014 09:40 AM, William Herrin wrote:
> On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff <jof@thejof.com> wrote:
>> This is going to be tricky to do, as DNS packets don't necessarily contain
>> entire query values or FQDNs as complete strings due to packet label
>> compression (remember, original DNS only has 512 bytes to work with).
>
> Howdy,
>
> The DNS query essentially always contains the full string in a
> sequence. It doesn't *have* to per the protocol but you'll be hard
> pressed to find a real-world example where it doesn't.
>
> The catch is, the dots aren't encoded. The components of the name
> being queried are separated by a byte indicating the length of the
> next piece. So, instead of www.google.com the query packet contains
> www 0x06 google 0x03 com.

For the completeness of the archives, the length of the first token is
also encoded, and the final terminator is 0.

0x03 www 0x06 google 0x03 com 0x00


-DMM

>
> You can implement this with --hex-string instead of --string but
> you'll have to convert the entire thing to hex first
>
> Regards,
> Bill Herrin
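The encoding the thread describes, worked through in code. This is an added example, not code from the thread or from iptables: it builds the RFC 1035 wire form of a name (length byte, label, ..., 0x00), prints it in the `|hex|` notation that the iptables `-m string --hex-string` match expects, and then constructs two small DNS packets by hand (a query and a response whose answer name uses a compression pointer back to the question) to show both halves of the discussion: the question section carries the full byte sequence, so a substring match finds it, while a compressed name elsewhere in the packet does not. The packets, transaction ID and addresses are constructed for the example.

```python
import struct


def encode_dns_name(name: str) -> bytes:
    """Wire-format a domain name: each label prefixed by its length, then a 0 byte.
    'www.google.com' -> b'\\x03www\\x06google\\x03com\\x00' (RFC 1035 section 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:          # labels are 1..63 octets
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)                            # root label terminates the name
    if len(out) > 255:                       # whole name is capped at 255 octets
        raise ValueError("name exceeds 255 octets")
    return bytes(out)


def iptables_hex_string(name: str) -> str:
    """The same bytes in the notation xt_string's --hex-string takes:
    hex octets between '|' delimiters, printable text outside them."""
    encode_dns_name(name)                    # validate first
    parts = [f"|{len(label):02x}|{label}" for label in name.rstrip(".").split(".")]
    return "".join(parts) + "|00|"


def iptables_rule(name: str) -> str:
    """A DROP rule for queries naming `name` or anything beneath it (the byte
    sequence also appears inside longer names such as mail.<name>)."""
    return (f'iptables -A INPUT -p udp --dport 53 -m string --algo bm '
            f'--icase --hex-string "{iptables_hex_string(name)}" -j DROP')


def string_match(packet: bytes, name: str) -> bool:
    """What -m string does: a plain substring search over the packet payload."""
    return encode_dns_name(name) in packet


def decode_dns_name(msg: bytes, offset: int):
    """Read a name at `offset`, following RFC 1035 compression pointers (top two
    bits 11). Returns (dotted name, offset just past the name in the stream)."""
    labels = []
    end = None                               # set at the first pointer we follow
    visited = set()
    while True:
        if offset in visited:
            raise ValueError("compression pointer loop")
        visited.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            (ptr,) = struct.unpack("!H", msg[offset:offset + 2])
            if end is None:
                end = offset + 2
            offset = ptr & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed standard query: 12-byte header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_dns_name(name) + struct.pack("!HH", 1, 1)


def build_compressed_answer(qname: str, extra_label: str) -> bytes:
    """Constructed response whose answer owner name is `extra_label` plus a
    pointer (0xC00C) back to QNAME, which always starts at offset 12."""
    question = build_query(qname)[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    owner = bytes([len(extra_label)]) + extra_label.encode("ascii") + b"\xc0\x0c"
    rr = owner + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + rr


if __name__ == "__main__":
    print(iptables_rule("www.google.com"))
    q = build_query("www.google.com")
    print("query matches:", string_match(q, "www.google.com"))
    r = build_compressed_answer("google.com", "mail")
    print("answer name:", decode_dns_name(r, 28)[0],
          "| full-string match:", string_match(r, "mail.google.com"))
```

Two caveats the rule line encodes: `--icase` is there because DNS names are case-insensitive while the string match is not, and the pattern ends with `|00|` so that it matches only a name that ends at that label, not a longer name that merely starts with those labels; it still matches any query beneath the name, because the terminating sequence appears inside those too.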



