
I want to drop incoming DNS responses that contain 10.10.34.35. How can I do that?

I tried to do it this way:

    iptables -I INPUT -m udp -p udp --sport 53 -m string --algo kmp --hex-string '|31 30 02 31 30 02 33 34 02 33 35|' -j DROP

But it simply doesn't drop them and I still receive them. However, simply doing `iptables -I INPUT -m udp -p udp --sport 53 -j DROP` blocks all of them coming from port 53, but I want to select only the portion of them which contain 10.10.34.35 as a response.

Masood Lapeh

1 Answer

First, DNS uses UDP and TCP.

Second, the wire representation of an A record is defined in RFC 1035 as such:

3.4.1. A RDATA format

    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ADDRESS                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

where:

ADDRESS         A 32 bit Internet address.

So an IPv4 address is not encoded as a string, as you are attempting to match, but as a 32-bit integer, so with the byte values 10, 10, 34, 35.

Patrick Mevzek
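To make the answer's point concrete, here is an added example (not from the question or the answer) that builds a minimal RFC 1035 response carrying one A record for a made-up name, and shows that the ASCII-style pattern from the question never appears in the packet while the four raw octets do. It also renders those octets in the `--hex-string` notation the question already uses, and includes a small parser that locates the ADDRESS field properly, which a raw byte match cannot do: the same four bytes could in principle occur in an unrelated field (transaction ID, TTL, another record's RDATA), so a string match is a coarse filter, not a parse. The name `example.com`, the transaction ID and the TTL are constructed values.

```python
import struct

# The pattern the question's iptables rule looks for: "10" 0x02 "10" 0x02 "34" 0x02 "35".
ASCII_PATTERN = bytes.fromhex("31 30 02 31 30 02 33 34 02 33 35")
# What an A record actually carries on the wire: the four octets as a 32-bit value.
BINARY_PATTERN = bytes([10, 10, 34, 35])


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length-prefixed, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname: str, address: str, txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Build a minimal DNS response: one question, one A answer (RFC 1035 section 4.1)."""
    # ID, flags (QR=1, RD=1, RA=1), QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in address.split("."))  # the 32-bit ADDRESS field
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def iptables_hex_string(address: str) -> str:
    """Render the four octets of an IPv4 address in iptables --hex-string notation."""
    return "|" + " ".join(f"{int(octet):02x}" for octet in address.split(".")) + "|"


def contains(packet: bytes, pattern: bytes) -> bool:
    """Roughly what the iptables string match does: a substring search over the payload."""
    return pattern in packet


def skip_name(packet: bytes, off: int) -> int:
    """Return the offset just past a name, which is either labels or a 2-byte pointer."""
    while True:
        length = packet[off]
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def a_record_addresses(packet: bytes) -> list:
    """Walk the answer section and return the dotted-quad ADDRESS of every A record."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(packet, off) + 4  # skip QNAME, QTYPE, QCLASS
    found = []
    for _ in range(ancount):
        off = skip_name(packet, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # TYPE A, RDATA is exactly 32 bits
            found.append(".".join(str(b) for b in packet[off:off + 4]))
        off += rdlen
    return found


if __name__ == "__main__":
    pkt = build_a_response("example.com", "10.10.34.35")
    print("ASCII pattern present: ", contains(pkt, ASCII_PATTERN))
    print("binary pattern present:", contains(pkt, BINARY_PATTERN))
    print("parsed A records:      ", a_record_addresses(pkt))
    print("--hex-string to use:   ", iptables_hex_string("10.10.34.35"))
```

Running it prints that the ASCII pattern is absent, the binary pattern `|0a 0a 22 23|` is present, and the parser reports `10.10.34.35`. Because the answer notes that DNS also runs over TCP, a UDP-only rule leaves TCP responses untouched, and a four-byte substring match can fire on any field that happens to hold those bytes, so treat the string match as an approximation of "this response carries that address".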