iptables: can't drop incoming DNS responses containing a specific IP address

Masood Lapeh

10/25/23, 2:28 AM

I want to drop incoming DNS responses that contain 10.10.34.35. How can I do that?

I tried to it this way:

iptables -I INPUT -m udp -p udp --sport 53 -m string --algo kmp --hex-string '|31 30 02 31 30 02 33 34 02 33 35|' -j DROP

But it simply doesn't drop them and I still receive them. However simply doing iptables -I INPUT -m udp -p udp --sport 53 -j DROP blocks all of them coming from port 53, but I want to select a portion of them which contain 10.10.34.35 as a response.

1 + 0

domain-name-system

iptables

udp

pattern-matching

hexidecimal

Score:4

Server

Patrick Mevzek

10/25/23, 5:00 AM

First, DNS uses UDP and TCP.

Second, the wire representation of an A record is defined in RFC 1035 as such:

3.4.1. A RDATA format

    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ADDRESS                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

where:

ADDRESS         A 32 bit Internet address.

So an IPv4 address is not encoded as a string as you are attempting to match, but as a 32bits integer, so with the values 10, 10, 34, 35

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: iptables: can't drop incoming DNS responses containing a specific IP address

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.