You could use RPZ but wouldn't something as simple as putting these two entries in a host files meet the mail?
Tom On Feb 8, 2014, at 11:30 AM, Paul Ferguson wrote: > Signed PGP part > Have you looked at perhaps using DNS RPZ (Response Policy Zones)? > > https://dnsrpz.info/ > > - ferg > > > On 2/8/2014 12:08 AM, Anurag Bhatia wrote: > > > Hello everyone > > > > > > I am trying to figure out the way to drop a domain name DNS > > resolution before it hits application server. I do not want to do > > domain to IP mapping and block destination IP (and source IP > > blocking is also not an option). > > > > I can see that a string like this: > > > > iptables -A INPUT -p udp -m udp --dport 53 -m string --string > > "domain" --algo kmp --to 65535 -j DROP > > > > > > this can block "domain" which includes domain.com/domain.net and > > everything in that pattern. I tried using hexadecimal string for > > value like domaincom (hexa equivalent) and firewall doesn't pics > > that at all. > > > > The only other option which I found to be working nicely is u32 > > based string as something suggested on DNS amplification blog post > > here - > > http://dnsamplificationattacks.blogspot.in/2013/12/domain-dnsamplificationattackscc.html > > > > > > > > > > A string like this as suggested on above link works exactly for > > that domain > > > > iptables --insert INPUT -p udp --dport 53 -m u32 --u32 > > "0x28&0xFFDFDFDF=0x17444e53 && 0x2c&0xDFDFDFDF=0x414d504c && > > 0x30&0xDFDFDFDF=0x49464943 && 0x34&0xDFDFDFDF=0x4154494f && > > 0x38&0xDFDFDFDF=0x4e415454 && 0x3c&0xDFDFDFDF=0x41434b53 && > > 0x40&0xFFDFDFFF=0x02434300" -j DROP -m comment --comment "DROP DNS > > Q dnsamplificationattacks.cc" > > > > > > but here I am not sure how to create such string out and script > > them for automation. > > > > > > > > Can someone suggest a way out for this within IPTables or may be > > some other open source firewall? > > > > > > Thanks. > > > > > -- > Paul Ferguson > VP Threat Intelligence, IID > PGP Public Key ID: 0x54DC85B2 > >
signature.asc
Description: Message signed with OpenPGP using GPGMail