You could use RPZ but wouldn't something as simple as putting these two entries in a host files meet the mail? Tom On Feb 8, 2014, at 11:30 AM, Paul Ferguson wrote:
Signed PGP part Have you looked at perhaps using DNS RPZ (Response Policy Zones)?
- ferg
On 2/8/2014 12:08 AM, Anurag Bhatia wrote:
Hello everyone
I am trying to figure out the way to drop a domain name DNS resolution before it hits application server. I do not want to do domain to IP mapping and block destination IP (and source IP blocking is also not an option).
I can see that a string like this:
iptables -A INPUT -p udp -m udp --dport 53 -m string --string "domain" --algo kmp --to 65535 -j DROP
this can block "domain" which includes domain.com/domain.net and everything in that pattern. I tried using hexadecimal string for value like domaincom (hexa equivalent) and firewall doesn't pics that at all.
The only other option which I found to be working nicely is u32 based string as something suggested on DNS amplification blog post here - http://dnsamplificationattacks.blogspot.in/2013/12/domain-dnsamplificationat...
A string like this as suggested on above link works exactly for that domain
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x17444e53 && 0x2c&0xDFDFDFDF=0x414d504c && 0x30&0xDFDFDFDF=0x49464943 && 0x34&0xDFDFDFDF=0x4154494f && 0x38&0xDFDFDFDF=0x4e415454 && 0x3c&0xDFDFDFDF=0x41434b53 && 0x40&0xFFDFDFFF=0x02434300" -j DROP -m comment --comment "DROP DNS Q dnsamplificationattacks.cc"
but here I am not sure how to create such string out and script them for automation.
Can someone suggest a way out for this within IPTables or may be some other open source firewall?
Thanks.
-- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2