After running a name server for a while, you're going to get a knock at the door one day from the Internet Police because your DNS server is spewing up crap all over the interwebs.

So, to block those lookups from even hitting your bind name server, you can throw iptables in the mix and let it block queries to domains you don't host.

# iptables -A INPUT -i eth0 -p udp --dport 53 -m string --algo bm --hex-string "|07|hehehey|02|ru" -j DROP

So what that's doing is adding a rule to iptables that looks for the hex string that the request contains. The hex string contains the length of each block of characters and then the characters. So 7 characters in hehehey and 2 in ru. iptables will convert that to "|0768656865686579027275|" for you, which is great.

Here's the other two I had to block today to silence that name server's spewing traffic:

# iptables -A INPUT -i eth0 -p udp --dport 53 -m string --algo bm --hex-string "|04|cpsc|03|gov" -j DROP
# iptables -A INPUT -i eth0 -p udp --dport 53 -m string --algo bm --hex-string "|03|isc|03|org" -j DROP

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>