nanog mailing list archives
Re: Blocking of domain strings in iptables
From: Stephane Bortzmeyer <bortzmeyer () nic fr>
Date: Sat, 8 Feb 2014 18:16:45 +0100
On Sat, Feb 08, 2014 at 12:34:45AM -0800, Jonathan Lassoff <jof () thejof com> wrote a message of 88 lines which said:
> This is going to be tricky to do, as DNS packets don't necessarily contain entire query values or FQDNs as complete strings due to packet label compression.

Apparently, the OP wanted to match the *question* in a *query* and these are never compressed (they could, in theory, but are not).

> You can use those u32 module matches to find some known-bad packets if they're sufficiently unique, but it simply lacks enough logic to fully parse DNS queries.

u32's language is not Turing-complete but it is sufficient in the case presented here.
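As an added illustration (not code from this thread or its participants), the following Python helper builds the kind of u32 expression being discussed: it matches the uncompressed question name that sits right after the DNS header in a query. It assumes plain IPv4/UDP queries with one question, and goes slightly beyond an exact byte match by masking the 0x20 bit of letters so case variants of the same name are caught; the packet builder and sample names are constructed for the example.

```python
import struct

QNAME_OFFSET = 8 + 12  # UDP header + DNS header: the question name starts here

def wire_name(name):
    """DNS wire encoding: length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return bytes(out + b"\0")

def u32_tests(name):
    """(offset, mask, value) per 32-bit word, offsets relative to the UDP header.
    Letters are masked with 0xDF so ExAmPlE.com still matches (DNS names are
    case-insensitive); length bytes (< 64) and the terminator must match exactly.
    A short last word is left-aligned with its unused bytes masked out."""
    wire = wire_name(name)
    mask = bytes(0xDF if chr(b).isalpha() else 0xFF for b in wire)
    tests = []
    for off in range(0, len(wire), 4):
        m = mask[off:off + 4].ljust(4, b"\0")
        v = bytes(a & b for a, b in zip(wire[off:off + 4], m))
        tests.append((QNAME_OFFSET + off, int.from_bytes(m, "big"),
                      int.from_bytes(v.ljust(4, b"\0"), "big")))
    return tests

def u32_match(name):
    """Argument for `iptables -A INPUT -p udp --dport 53 -m u32 --u32 '...' -j DROP`.
    `0>>22&0x3C` reads the IPv4 IHL field, so IP options do not shift the offsets.
    Not covered: DNS over TCP, IPv6, and non-initial fragments."""
    parts = []
    for off, m, v in u32_tests(name):
        loc = f"0>>22&0x3C@{off}" + ("" if m == 0xFFFFFFFF else f"&0x{m:08X}")
        parts.append(f"{loc}=0x{v:08X}")
    return "&&".join(parts)

def matches(name, dns_message):
    """Apply the same tests in Python to a DNS message to see what the rule would
    match. A test that would read past the packet end fails, as in u32."""
    udp = b"\0" * 8 + dns_message  # dummy UDP header so offsets line up
    return all(off + 4 <= len(udp) and int.from_bytes(udp[off:off + 4], "big") & m == v
               for off, m, v in u32_tests(name))

def dns_query(qname):
    """Constructed standard query: id 0x1234, RD set, one question, type A, class IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", 1, 1)
```

Because the last test checks the zero terminator, a longer name that merely starts with the blocked one (example.com.internal) is not matched, while a case variant (ExAmPlE.COM) is.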