Blocking of domain strings in iptables

2014-02-08 Thread Anurag Bhatia
Hello everyone, I am trying to figure out the way to drop a domain name DNS resolution before it hits the application server. I do not want to do domain to IP mapping and block the destination IP (and source IP blocking is also not an option). I can see that a string like this: iptables -A INPUT -p udp

Re: Blocking of domain strings in iptables

2014-02-08 Thread Jonathan Lassoff
This is going to be tricky to do, as DNS packets don't necessarily contain entire query values or FQDNs as complete strings due to packet label compression (remember, original DNS only has 512 bytes to work with). You can use those u32 module matches to find some known-bad packets if they're suffi

Re: Blocking of domain strings in iptables

2014-02-08 Thread William Herrin
On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff wrote: > This is going to be tricky to do, as DNS packets don't necessarily contain > entire query values or FQDNs as complete strings due to packet label > compression (remember, original DNS only has 512 bytes to work with). Howdy, The DNS query

Re: Blocking of domain strings in iptables

2014-02-08 Thread Paul Ferguson
Have you looked at perhaps using DNS RPZ (Response Policy Zones)? https://dnsrpz.info/ - ferg On 2/8/2014 12:08 AM, Anurag Bhatia wrote: > Hello everyone > > > I am trying to figure out the way to drop a domain name DNS > resolution before

Re: Blocking of domain strings in iptables

2014-02-08 Thread TR Shaw
You could use RPZ, but wouldn't something as simple as putting these two entries in a hosts file meet the mail? Tom On Feb 8, 2014, at 11:30 AM, Paul Ferguson wrote: > Signed PGP part > Have you looked at perhaps using DNS RPZ (Response Policy Zones)? > > https://dnsrpz.info/ > > - ferg > >

Re: Blocking of domain strings in iptables

2014-02-08 Thread David Ford
I implemented this easily some time ago due to a situation where product development was unable or unwilling to disable open resolvers. I'll post my ruleset and then describe it, since it contains multiple functions. Chain INPUT (policy ACCEPT 68M packets, 4377M bytes) pkts b

Re: Blocking of domain strings in iptables

2014-02-08 Thread Stephane Bortzmeyer
On Sat, Feb 08, 2014 at 12:34:45AM -0800, Jonathan Lassoff wrote a message of 88 lines which said: > This is going to be tricky to do, as DNS packets don't necessarily > contain entire query values or FQDNs as complete strings due to > packet label compression Apparently, the OP wanted to matc

Re: Blocking of domain strings in iptables

2014-02-08 Thread Stephane Bortzmeyer
On Sat, Feb 08, 2014 at 01:38:13PM +0530, Anurag Bhatia wrote a message of 54 lines which said: > but here I am not sure how to create such string out and script them > for automation. Use this program: http://www.bortzmeyer.org/files/generate-netfilter-u32-dns-rule.py

Re: Blocking of domain strings in iptables

2014-02-08 Thread David Miller
On 02/08/2014 09:40 AM, William Herrin wrote: > On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff wrote: >> This is going to be tricky to do, as DNS packets don't necessarily contain >> entire query values or FQDNs as complete strings due to packet label >> compression (remember, original DNS only

Re: Blocking of domain strings in iptables

2014-02-12 Thread Anurag Bhatia
Thanks everyone for the useful responses. I almost used the script mentioned by Stephane (http://www.bortzmeyer.org/files/generate-netfilter-u32-dns-rule.py) but I realized that a rule for "domain.com" blocks "domain.com" only and there was no easy way to block subdomains as well. In last few da
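The subdomain gap Anurag ran into, and Jonathan's point about label compression, both come down to how a name is laid out on the wire: "domain.com" never appears as that ASCII string but as length-prefixed labels ending in a NUL, and a query for a subdomain simply carries those same suffix bytes after extra labels. The helpers below are an added example, not code from the thread or from Stephane's script: they encode a name as wire labels, render that as the `--hex-string` argument of iptables' string match (a real option, though not one the thread shows), and parse the QNAME out of a constructed query packet, following compression pointers with a hop limit, so a resolver-side filter can match a zone and every name under it.

```python
"""DNS QNAME wire-format helpers for suffix (subdomain-aware) blocking."""

HEADER_LEN = 12  # fixed DNS header: id, flags, qd/an/ns/ar counts


def qname_wire(name: str) -> bytes:
    """Encode 'www.example.com' as b'\\x03www\\x07example\\x03com\\x00'."""
    labels = [lbl.encode("ascii").lower() for lbl in name.strip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"


def hex_string_pattern(name: str) -> str:
    """Render the wire labels as an iptables '-m string --hex-string' argument.
    The pattern starts with the first label's length byte and ends with the root
    NUL, so it matches the zone and its subdomains but not 'notexample.com'.
    A string match scans the whole payload, so it is looser than a parse."""
    return "|" + " ".join(f"{b:02x}" for b in qname_wire(name)) + "|"


def parse_qname(pkt: bytes, offset: int = HEADER_LEN) -> str:
    """Read the QNAME at offset, following RFC 1035 compression pointers at most
    16 times so a crafted pointer loop cannot hang the filter."""
    labels, hops = [], 0
    while True:
        length = pkt[offset]
        if length == 0:
            break
        if length & 0xC0 == 0xC0:  # pointer: top two bits set, 14-bit offset follows
            if hops == 16:
                raise ValueError("compression pointer loop")
            offset = ((length & 0x3F) << 8) | pkt[offset + 1]
            hops += 1
            continue
        labels.append(pkt[offset + 1:offset + 1 + length].decode("ascii").lower())
        offset += 1 + length
    return ".".join(labels)


def should_drop(pkt: bytes, blocked) -> bool:
    """True if the query's QNAME equals, or is a subdomain of, any blocked zone."""
    qname = parse_qname(pkt)
    zones = (z.strip(".").lower() for z in blocked)
    return any(qname == z or qname.endswith("." + z) for z in zones)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample packet (not a capture): a standard A/IN query."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    return header + qname_wire(name) + b"\x00\x01\x00\x01"  # QTYPE A, QCLASS IN
```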