Have you looked at perhaps using DNS RPZ (Response Policy Zones)?
https://dnsrpz.info/

- ferg

On 2/8/2014 12:08 AM, Anurag Bhatia wrote:
> Hello everyone
>
> I am trying to figure out the way to drop a domain name DNS
> resolution before it hits the application server. I do not want to do
> domain to IP mapping and block the destination IP (and source IP
> blocking is also not an option).
>
> I can see that a string like this:
>
>   iptables -A INPUT -p udp -m udp --dport 53 -m string --string "domain" --algo kmp --to 65535 -j DROP
>
> can block "domain", which includes domain.com/domain.net and
> everything in that pattern. I tried using a hexadecimal string for the
> value, like domaincom (hex equivalent), and the firewall doesn't pick
> that up at all.
>
> The only other option which I found to be working nicely is the u32
> based string, as suggested on the DNS amplification blog post here:
> http://dnsamplificationattacks.blogspot.in/2013/12/domain-dnsamplificationattackscc.html
>
> A string like this, as suggested on the above link, works exactly for
> that domain:
>
>   iptables --insert INPUT -p udp --dport 53 -m u32 \
>     --u32 "0x28&0xFFDFDFDF=0x17444e53 && 0x2c&0xDFDFDFDF=0x414d504c && 0x30&0xDFDFDFDF=0x49464943 && 0x34&0xDFDFDFDF=0x4154494f && 0x38&0xDFDFDFDF=0x4e415454 && 0x3c&0xDFDFDFDF=0x41434b53 && 0x40&0xFFDFDFFF=0x02434300" \
>     -j DROP -m comment --comment "DROP DNS Q dnsamplificationattacks.cc"
>
> but here I am not sure how to create such a string and script
> it for automation.
>
> Can someone suggest a way out for this within iptables or maybe
> some other open source firewall?
>
> Thanks.

-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2