Netfilter extension to match various DNS atributes

by Stanislav Petr, 2015

based on work of Ondřej Caletka, 2013

This work is based on the original xt_dns netfilter extension, written by Bartłomiej Korupczyński http://software.klolik.org/xt_dns/

This fork addes availability to match queries, or responses, to match query type (eg. ANY) in queries or even in responses and also to match packet with EDNS0 pseudo-RR and with specific bufsize range. The matching algorithm is fully RFC 1035 compliant.

Only non-fragmented UDP packets are supported, both IPv4 and IPv6.

Install

Red Hat/CentOS:

yum install kernel-headers iptables-devel dkms
wget https://github.com/spetr/xt_dns/archive/v2.0.2.tar.gz -O xt_dns-2.0.2.tar.gz
tar -xzf xt_dns-2.0.2.tar.gz
cd xt_dns-2.0.2
make dkms

Debian/Ubuntu:

apt-get install linux-headers-$(uname -r) iptables-dev dkms
wget https://github.com/spetr/xt_dns/archive/v2.0.2.tar.gz -O xt_dns-2.0.2.tar.gz
tar -xzf xt_dns-2.0.2.tar.gz
cd xt_dns-2.0.2
make dkms

Usage

See iptables -m dns --help:

dns match options:
[!] --dns-query            match DNS query
[!] --dns-response         match DNS response
[!] --dns-query-type       {A|NS|CNAME|SOA|WKS|PTR|MX|TXT|AAAA|SRV|NAPTR|IXFR|AXFR|ANY|0-255}
                           match specific query type
[!] --dns-edns0            match packets with EDNS0 field
[!] --dns-zone zone-name   match request only to name under zone-name
    --dns-bufsize value[:value] match EDNS0 buffer size

Example usage

Classifying ANY-type DNS queries (massively abused for DNS Amplification attacks) and applying a very strict request rate limit:

# iptables -A INPUT -p udp --dport 53 \
 -m dns --dns-query --dns-query-type ANY \
 -m hashlimit --hashlimit-above 10/min --hashlimit-burst 3 \
    --hashlimit-mode srcip --hashlimit-name DNS-ANY \
 -j DROP

Allow only DNS queries to be forwarded from client subnet and only DNS responses to client subnet on DNS ports:

# iptables -A FORWARD -s 192.168.0.0/24 -p udp --sport 1024: --dport 53 \
 -m dns --dns-query -j ACCEPT
# iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j DROP
# iptables -A FORWARD -d 192.168.0.0/24 -p udp --sport 53 --dport 1024: \
 -m dns --dns-response -j ACCEPT
# iptables -A FORWARD -d 192.168.0.0/24 -p udp --sport 53 -j DROP

Drop AXFR queries (opcode 0, query type 252) send over UDP - used by some DDoS attacks (AXFR sessions over UDP transport are not defined - RFC5936):

iptables -A INPUT -p udp --dport 53 -m dns --dns-query --dns-query-type AXFR -j DROP

inste / xt_dns Goto Github PK

xt_dns's Introduction

Netfilter extension to match various DNS atributes

Install

Usage

Example usage

xt_dns's People

Contributors

Watchers

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent