Shulou(Shulou.com)06/01 Report--

Now there is a need to prohibit the host from querying the DNS of a domain name. To use the string module of iptables, use the following command:

Iptables-D OUTPUT-m string-string "www.baidu.com"-algo bm-jDROP

However, using the above command does not filter queries against www.baidu.com. According to the documentation in the reference link, www.baidu.com is encoded in the DNS query as follows:

03www05baidu03com

When coding, the domain name is divided into substrings (www,baidu and com) "." Will not be encoded, each substring is preceded by the length of the string. The following is the capture package for the DNS query:

The string www.baidu.com is encoded in hexadecimal:

03 77 77 77 05 62 61 69 64 75 03 63 6f 6d

77 is the ascii code of w, and the other characters can also be queried against ascii. The 03 before 77 77 77 is the length of the three strings www.

According to the reference link, you can use the hexadecimal string of iptables's string module to filter

Iptables-An OUTPUT-p udp-- dport 53-m string-- hex-string "| 03 | www | 05 | baidu | 03 | com |"-algo bm-j DROP

Iptables automatically sets

| | 03 | www | 05 | baidu | 03 | com |

Convert to hexadecimal.

Reference link:

Https://linuxsecurity101.com/2018/11/18/tips-and-tricks-blocking-dns-requests-via-iptables/

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.