Blocking of domain strings in iptables
- Subject: Blocking of domain strings in iptables
- From: bill at herrin.us (William Herrin)
- Date: Sat, 8 Feb 2014 09:40:27 -0500
- In-reply-to: <CAHsqw9vcmp=2nZ-4H3xdEuzBygHvSSo7R0+JnASTV-o=aFLJQg@mail.gmail.com>
- References: <CAJ0+aXawxFrQqr7srOOYX97CyOn-jSHeGQnsXL_yHtUSK2Awvg@mail.gmail.com> <CAHsqw9vcmp=2nZ-4H3xdEuzBygHvSSo7R0+JnASTV-o=aFLJQg@mail.gmail.com>
On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff <jof at thejof.com> wrote:
> This is going to be tricky to do, as DNS packets don't necessarily contain
> entire query values or FQDNs as complete strings due to packet label
> compression (remember, original DNS only has 512 bytes to work with).
Howdy,
The DNS query essentially always contains the full string in a
sequence. It doesn't *have* to per the protocol but you'll be hard
pressed to find a real-world example where it doesn't.
The catch is, the dots aren't encoded. The components of the name
being queried are separated by a byte indicating the length of the
next piece. So, instead of www.google.com the query packet contains
www 0x06 google 0x03 com.
You can implement this with --hex-string instead of --string but
you'll have to convert the entire thing to hex first.
Regards,
Bill Herrin
--
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
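A worked version of the encoding described above, added as an illustration and not code from the thread: it turns a name into the DNS label sequence, emits the matching iptables --hex-string pattern, and checks the pattern against a constructed query packet. The chain, target and packet header values are assumptions, and the pattern keeps the leading length byte and terminating zero so it anchors to the whole name.

```python
import struct

def dns_wire_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: a length byte before each label
    and a zero byte for the root (RFC 1035 section 3.1). No dots appear."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii").lower()
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)

def iptables_hex_pattern(name: str) -> str:
    """Format the wire-format name as the '|hex|' literal --hex-string expects."""
    return "|" + dns_wire_name(name).hex() + "|"

def block_rule(name: str, chain: str = "FORWARD") -> str:
    # Constructed example rule; chain and target are assumptions.
    return (f"iptables -I {chain} -p udp --dport 53 -m string --algo bm "
            f"--hex-string '{iptables_hex_pattern(name)}' -j DROP")

def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed DNS query: 12-byte header (id 0x1234, RD set, one question)
    followed by the uncompressed question name, type and class IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + dns_wire_name(name) + struct.pack("!HH", qtype, 1)

def matches_query(packet: bytes, name: str) -> bool:
    """Mirror what the string match does: a plain substring search for the
    label sequence. Because the leading length byte and trailing zero are
    part of the pattern, 'xwww.google.com' and 'www.google.com.evil'
    do not match a pattern built for 'www.google.com'."""
    return dns_wire_name(name) in packet

if __name__ == "__main__":
    print(block_rule("www.google.com"))
```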