
I am getting some denied DNS queries I'd like to ban using iptables, to keep bind from sending augmented replies to the server ... and because they're simply annoying in my logs.

(.): query (cache) './ANY/IN' denied

I know that, with queries like

(domain.com): query (cache) 'domain.com/ANY/IN' denied

I can block with just:

iptables -I INPUT -j DROP -p udp --dport 53 -m string --hex-string "|06|domain|03|com|0000ff0001|" --algo bm

But I'm not sure about this "generic" query for ./ANY/IN. At first glance it looks like something like this:

iptables -I INPUT -j DROP -p udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm

might do... but then I wonder whether I wouldn't be blocking queries for anything.

(small note: usually people don't care about the last 00ff0001 bit I am using; those are the bytes for the query type and class, if you're curious)

Avenger
  • You want to drop certain packets... in order to have an easier time reading logs? Sounds more like you want to start reading *filtered* logs in some human-friendly pager. – anx Aug 12 '21 at 04:48
  • Yes... and no. I also want bind not to respond to such DoS queries. And I'm happy with watching the iptables rule match count rise for statistics. – Avenger Aug 12 '21 at 21:31
  • On the topic of "ANY" DNS queries, you might want to look at this before doing anything: https://datatracker.ietf.org/doc/html/rfc8482 ; filtering DNS queries at the transport level is often an idea that will backfire: the client not getting a reply will just query your server again (you can never forbid that, but if you provide a minimum reply a well-behaved client may stop asking you...); except if you identify some specific bad IP addresses, and then you just ban them for any traffic. – Patrick Mevzek Aug 12 '21 at 21:55
  • Regarding your filtering: filtering DNS packets is far more complicated than that, in general. First you need to do it for both TCP and UDP. Second, the hex-string you use may appear in many other parts of the packet, hence you risk both false positives and negatives (and especially with names, as there is compression of names in DNS packets, so a given domain name can be represented on the wire in different ways). – Patrick Mevzek Aug 12 '21 at 21:59
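The byte-level point in the question (the `0000ff0001` tail is QTYPE=ANY, QCLASS=IN) and the caveats in the comments (TCP, name compression, false positives) as an added Python example; this is not code from the original post. It builds constructed sample queries, mimics what `-m string --hex-string` does (a substring search over the packet, with no notion of where the question section is), and contrasts that with actually parsing the question. The packet builder, the sample names, the `0x1234` ID and the offset arithmetic in `anchored_root_any` are assumptions for illustration.

```python
import struct

QTYPE_A, QTYPE_ANY, QCLASS_IN = 1, 255, 1

# The two --hex-string patterns from the question, as raw bytes.
GENERIC_ANY = b"\x00\x00\xff\x00\x01"            # |0000ff0001|
DOMAIN_ANY = b"\x06domain\x03com" + GENERIC_ANY  # |06|domain|03|com|0000ff0001|


def build_query(qname, qtype, qclass=QCLASS_IN, tcp=False):
    """Constructed sample query (not captured traffic): 12-byte header with
    ID 0x1234, RD set, QDCOUNT=1, followed by one question. "." is the root."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    name = b""
    for label in qname.rstrip(".").split("."):
        if label:
            name += bytes([len(label)]) + label.encode("ascii")
    name += b"\x00"  # every name ends with the empty root label
    msg = header + name + struct.pack("!HH", qtype, qclass)
    if tcp:
        msg = struct.pack("!H", len(msg)) + msg  # RFC 1035 4.2.2 length prefix
    return msg


def hexstring_matches(packet, pattern):
    """What iptables -m string does: a substring search over the packet."""
    return pattern in packet


def parse_name(msg, offset):
    """Decode a wire-format name at offset, following compression pointers
    (RFC 1035 4.1.4). Returns (dotted name, offset just past the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte pointer with a 14-bit offset
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_question(msg):
    """Return (qname, qtype, qclass) of the first question in a DNS message."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = parse_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return qname, qtype, qclass


def is_root_any(msg):
    """The './ANY/IN' case from the log line, decided by parsing."""
    return parse_question(msg) == (".", QTYPE_ANY, QCLASS_IN)


def anchored_root_any(payload):
    """Offset-anchored check: with QDCOUNT=1 the root-ANY question is exactly
    the 5 bytes 00 00ff 0001 at DNS payload offset 12, so a match pinned to
    that offset does not fire on 'domain.com/ANY/IN'. Assumption for the
    iptables translation: --from/--to count from the IP header, so for UDP
    without IP options this is payload offset 12 + 28; TCP adds its own
    header and the 2-byte length prefix, so a UDP-tuned offset is wrong there."""
    return (struct.unpack("!H", payload[4:6])[0] == 1
            and payload[12:17] == GENERIC_ANY)


if __name__ == "__main__":
    for label, pkt in (("./ANY/IN", build_query(".", QTYPE_ANY)),
                       ("domain.com/ANY/IN", build_query("domain.com", QTYPE_ANY)),
                       ("domain.com/A/IN", build_query("domain.com", QTYPE_A))):
        print(f"{label:20} generic-pattern={hexstring_matches(pkt, GENERIC_ANY)!s:5} "
              f"parsed-root-any={is_root_any(pkt)!s:5} anchored={anchored_root_any(pkt)}")
```

Running it shows the worry in the question is justified: since every QNAME ends with the 0x00 root label, `|0000ff0001|` is the tail of every ANY/IN question, so the "generic" rule matches `domain.com/ANY/IN` just as well as `./ANY/IN`. Only the parser (or a match pinned to the question's fixed offset) tells the two apart, and a name that arrives as a compression pointer (`c0 0c`) is invisible to the `|06|domain|03|com|...|` substring entirely, which is the false-negative case the comment describes.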

0 Answers