MESSAGE
DATE: 2021-08-21
FROM: Rick Moen
SUBJECT: Re: [Hangout - NYLXS] [artix-general] iptables blocking dns queries
Quoting Ruben Safir (ruben-at-mrbrklyn.com):
> On Fri, Aug 20, 2021 at 04:42:05AM +0000, Qontinuum wrote:
> > On Thu, Aug 19, 2021 at 10:42:42PM -0400, Ruben Safir wrote:
> > > anyone know a solution to this that works
> > >
> > > /sbin/iptables -I INPUT -p udp --dport 53 -m string --hex-string
> > > '|03|www|08|pizzaseo|03|com|' --algo bm -j DROP
> > > iptables v1.8.7 (legacy): unknown option "--dport"
> > > Try `iptables -h' or 'iptables --help' for more information.
> > >
> > > No docs I read dislike -dport or --dport
> > >
> > > the objective here is to drop remote inquiries for pizzaseo.com which
> > > seems to be an attack
> >
> > The solution is to use the iptables-legacy binary instead of the iptables one.
> >
> > I would like to encourage you to use nftables instead of iptables
> > which is deprecated for years now and you will gain benefit in
> > performance and ease of maintenance.
> >
>
> It does the same thing with legacy. I tried that before posting.
>
> nft doesn't have a string matching capacity.
>
> > Also, since it is an input rule I guess that you are hosting a DNS on
> > this machine. Isn't your DNS capable of using Response Policy Zones or
> > even rules hard-coded in your configuration?
>
> That would be ideal. I am using bind9 and I have in the config
>
> options {
>         directory "/usr/local/namedb/";
>         version "BMT - Brighton Line";
>         pid-file "/run/named.pid";
>         allow-query { any; };
>         allow-recursion {"localnets";};
>         // ban everyone by default
>         allow-transfer {"none";};
> };
>
> I thought that left recursions to only my local network and would block
> foreign external inquiries. Evidently it doesn't stop this exploit.
Being not clear on what "exploit" you're trying to block, I'll note that I have:
options {
[snip]
        version "Shirley, you're joking";
        hostname "ns1.linuxmafia.com";
[snip]
        allow-recursion { 127.0.0.0/8; 192.168.0.0/24; 10.0.0.0/8; 96.95.217.102/32; 96.95.217.96/29; };
        allow-query { 127.0.0.0/8; 192.168.0.0/24; 10.0.0.0/8; 96.95.217.102/32; 96.95.217.96/29; };
[snip]

//For Rick Moen
zone "linuxmafia.com" {
        type master;
        file "/etc/bind/linuxmafia.com.zone";
        allow-query { any; };
        allow-transfer {
                //Drew Bertola or ,
                //[redacted tel. #]
                //ns6.linuxmafia.com aka ns1.thecoop.net is:
                209.205.200.166;
                //Aaron T. Porter , [redacted tel. #]
                //http://www.lbl.gov/cgi-bin/ds/ds.cgi?include=n&peopleName=atporter
                //ns.primate.net is:
                198.144.194.12;
                //Aaron T. Porter , [redacted tel. #]
                //http://www.lbl.gov/cgi-bin/ds/ds.cgi?include=n&peopleName=atporter
                //ns.tx.primate.net is:
                72.249.38.88;
                //David Wolfskill , [redacted tel. #]
                //ns3.linuxmafia.com aka ns.catwhisker.org is:
                107.204.234.170;
[...]
Please note allow-query and allow-recursion ACLs. I'm really not sure where you wish to block _all_ queries, and where you wish to block _recursive_ queries. Above meets my use-case's needs,
Full prototype /etc/bind files (in Debian/Devuan garb) can be found at http://linuxmafia.com/pub/linux/network/bind9-examples-linuxmafia.tar.gz , in case you want to see a complete working example.
For a more-thorough and professional set of BIND9 prototyping suggestions, please see the Zytrax book "DNS for Rocket Scientists", http://zytrax.com/books/dns/ .
-- 
Cheers,                    Grammarian's bar joke #26: A gerund and an
Rick Moen                  infinitive walk into a bar, drinking to forget.
rick-at-linuxmafia.com
McQ! (4x80)

-- 
artix-general mailing list
artix-general-at-artixlinux.org
https://lists.artixlinux.org/listinfo/artix-general
_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/hangout
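As an added example (not code from this thread, nor from iptables or BIND), the block below shows what the `|03|www|08|pizzaseo|03|com|` pattern in the quoted rule actually is, namely the DNS wire encoding of the name, and contrasts the raw byte match that `-m string --hex-string` performs with a name-aware check of the kind a resolver ACL or RPZ applies. The query payloads are constructed inline; the function names are the example's own.

```python
import struct

# Constructed example; not code from the thread or from iptables/BIND.

def wire_name(name: str) -> bytes:
    """Encode a DNS name as length-prefixed labels plus the root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def hex_string_pattern(name: str) -> str:
    """Same labels in iptables --hex-string notation (root byte omitted)."""
    labels = name.rstrip(".").split(".")
    return "|" + "|".join(f"{len(l):02x}|{l}" for l in labels) + "|"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample UDP payload: 12-byte header (RD set), one question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + wire_name(name) + struct.pack("!HH", qtype, 1)

def qname_from_query(payload: bytes) -> str:
    """Parse QNAME from the question section; refuses compression pointers."""
    pos, labels = 12, []
    while True:
        n = payload[pos]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels).lower()

def string_rule_matches(payload: bytes, blocked: str) -> bool:
    """What `-m string --hex-string` does without --icase: a byte substring search."""
    return wire_name(blocked)[:-1] in payload

def qname_blocked(payload: bytes, blocked_zones) -> bool:
    """Name-aware policy, as a resolver ACL or RPZ would apply it:
    the parsed QNAME equals a blocked zone or lies beneath it."""
    q = qname_from_query(payload)
    return any(q == z or q.endswith("." + z) for z in blocked_zones)

if __name__ == "__main__":
    for q in ("www.pizzaseo.com", "mail.pizzaseo.com", "WWW.PizzaSEO.com"):
        pkt = build_query(q)
        print(q, string_rule_matches(pkt, "www.pizzaseo.com"),
              qname_blocked(pkt, ["pizzaseo.com"]))
```

The byte match misses sibling labels and mixed-case spellings of the same name, and a shorter pattern such as `pizzaseo.com` also fires on unrelated names that merely contain those labels, which is why the resolver-side ACL/RPZ approach is the more reliable place to enforce this.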