The dnsroot filter allows one to create iptables rules based on whether or not a DNS query contains a valid top level domain (TLD).
A public git repository is at https://github.com/ISI-ANT/dnsroot-xtables/
First public release. Based on xtables-addons 2.14.
dnsroot: An xtables module for filtering DNS queries based on validity of the top level domain (TLD)
iptables -m udp -p udp --dport 53 -m dnsroot [--debug] [!] --tld -j ACTION
The dnsroot xtables filter processes DNS queries, examining the domain name being queried and checking the last component of the domain name (the top level domain, or TLD) against a list of valid TLDs.
By default the rule will match if the TLD in the packet is a valid TLD. The test can be negated by prefixing it with ‘!’, in which case the rule will match invalid TLDs. e.g.
iptables -m udp -p udp --dport 53 -m dnsroot ! -tld -j DROP
no support for TCP queries yet.
The list of valid TLDs is hardcoded. In the future and option will be provided to load the list from a local file
The dnsroot filter proof of concept was written by Wes Hardaker. Further development was done by Robert Story.
Copyright (C) 2019-2020 the University of Southern California.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License, version 2, as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along ith this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
The dnsroot-xtables filter is useful for accellerating traffic processing at a root server, so it may be useful to reduce load during a DDoS attack. Since it loads a static list of root TLDs into the kernel, it’s not suitable for everyday use.