This page describes how to deploy a DNS query-name filter using iptables. A DNS query-name filter drops packets that carry a given DNS query name, and is ideal when an attacker is attacking a particular domain.
Some attacks send queries with a fixed full query name or with a fixed suffix name, for example:
www.FIXED-QUERY.com or RANDOM-STRING.FIXED-SUFFIX.com
Service operators can drop the queries that carry these fixed query parts and reply to all other queries.
Query blacklisting is a precise filtering approach when all the attack queries carry a few query names that are not commonly queried by legitimate clients. We see query blacklisting as a useful defense approach because it shows high accuracy in dropping malicious traffic.
To filter out queries with a specific query name, we first need to find the common query name. We use a frequency-based comparison: we keep track of the frequencies of both full query names and suffix names, and if a particular full query name or suffix is significantly more frequent than the other names, we take it as the common query name. We then use an iptables rule to filter that query name.
We use the string match extension of iptables (-m string) to filter out queries with a fixed query name. After getting the common query name, we start matching at the 28th byte for UDP and at the 54th byte for TCP, i.e. past the IP and transport headers, to find the common query name in the DNS payload. Matching from an offset reduces the search space.
sudo iptables -A INPUT -p udp -d $SERVER_ADDRESS --dport 53 -m string --from 28 --hex-string '|06|RANDOM|03|com|00|' --algo bm -j DROP
sudo iptables -A INPUT -p tcp -d $SERVER_ADDRESS --dport 53 -m string --from 54 --hex-string '|06|RANDOM|03|com|00|' --algo bm -j DROP
Here, -d and --dport ensure that only traffic arriving at the server's DNS port is matched. In the query name, 06 (in hex) is the length of RANDOM; every label of the query name (the parts separated by dots) is preceded by its length in this way. The final 00 indicates that there is no label after the last dot.
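The following is an added example, not code from this page or from the ANT project, that carries the two steps above through end to end: it runs the frequency comparison over a sample of query names to pick the common full name or suffix, then encodes that name in DNS wire format as the --hex-string pattern and emits the UDP and TCP DROP rules with the page's offsets (28 and 54). The sample query names, the ".example" domains and the 50% dominance threshold are constructed for the example; a real deployment would feed it names from the resolver's query log and tune the threshold.

```python
from collections import Counter

# Constructed sample of query names, in the form a resolver's query log would
# record them during a random-subdomain attack mixed with ordinary traffic.
# (Example data, not a capture; ".example" is the reserved placeholder TLD.)
SAMPLE_QNAMES = [
    "q7x1k.fixed-suffix.example", "zz92a.fixed-suffix.example",
    "m0p3d.fixed-suffix.example", "b4f8r.fixed-suffix.example",
    "t6v2h.fixed-suffix.example", "e1c9n.fixed-suffix.example",
    "y5l0s.fixed-suffix.example", "k8w4j.fixed-suffix.example",
    "www.example.net", "mail.example.net",
    "www.example.org", "ns1.example.org",
]

# Assumption (threshold chosen for this example, not given on the page): a name
# or suffix counts as "common" when it accounts for at least this share of queries.
DOMINANCE_RATIO = 0.5


def _strip_root(qname):
    # Query logs may print names with a trailing dot; drop it so "a.b." == "a.b".
    return qname.rstrip(".")


def suffix_of(qname, labels):
    """Return the last `labels` labels of a query name (2 -> "b.c" for "a.b.c")."""
    return ".".join(_strip_root(qname).lower().split(".")[-labels:])


def find_common_name(qnames, ratio=DOMINANCE_RATIO):
    """Frequency comparison from the page: ("full", name) if one full query name
    dominates, ("suffix", name) if one suffix dominates, otherwise None."""
    total = len(qnames)
    if total == 0:
        return None
    full = Counter(_strip_root(q).lower() for q in qnames)
    name, count = full.most_common(1)[0]
    if count / total >= ratio:
        return ("full", name)
    # Try the most specific suffix first so the rule does not block more than needed.
    for nlabels in (3, 2):
        suf = Counter(suffix_of(q, nlabels) for q in qnames)
        name, count = suf.most_common(1)[0]
        if count / total >= ratio:
            return ("suffix", name)
    return None


def qname_to_hex_string(name):
    """Encode a name in DNS wire format as an iptables --hex-string pattern:
    each label is preceded by its length in hex and the name ends with |00|."""
    labels = _strip_root(name).split(".")
    for label in labels:
        if not 1 <= len(label) <= 63:  # DNS label length limit
            raise ValueError(f"invalid DNS label: {label!r}")
    return "".join(f"|{len(label):02x}|{label}" for label in labels) + "|00|"


def iptables_rules(name, server_address="$SERVER_ADDRESS"):
    """The two DROP rules in the page's form: UDP searched from byte 28, TCP from byte 54."""
    pattern = qname_to_hex_string(name)
    return [
        f"iptables -A INPUT -p {proto} -d {server_address} --dport 53 "
        f"-m string --from {offset} --hex-string '{pattern}' --algo bm -j DROP"
        for proto, offset in (("udp", 28), ("tcp", 54))
    ]


if __name__ == "__main__":
    found = find_common_name(SAMPLE_QNAMES)
    print("common name:", found)
    if found:
        for rule in iptables_rules(found[1]):
            print(rule)
```

Two points to check before installing the generated rules: the string match is case-sensitive, so a query for the same name in different letter case would pass unless the rule also carries iptables' --icase option; and --from only sets where the search begins, so a TCP query whose header carries options still matches because the match scans forward from that byte to the end of the packet.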
For related publications, please see the ANT publications web page.