Netfilter extension to match various DNS attributes
===================================================
by Ondřej Caletka, 2013

This work is based on the original xt_dns netfilter
extension, written by Bartłomiej Korupczyński
http://software.klolik.org/xt_dns/

This fork adds the ability to match queries or
responses, to match the query type (e.g. ANY) in queries
or even in responses, and to match packets carrying an
EDNS0 pseudo-RR with a buffer size in a given range.
The matching algorithm is fully RFC 1035 compliant.
Only non-fragmented UDP packets are supported, both
IPv4 and IPv6.
Usage
-----
See `iptables -m dns --help`:
```
dns match options:
[!] --dns-query match DNS query
[!] --dns-response match DNS response
[!] --query-type {A|NS|CNAME|SOA|PTR|MX|TXT|AAAA|SRV|A6|ANY|0-255}
match specific query type
[!] --edns0 match packets with EDNS0 field
--bufsize value[:value] match EDNS0 buffer size
```
Example usage
-------------
Classifying ANY-type DNS queries (massively abused for DNS Amplification attacks)
and applying a very strict request rate limit:
```
# iptables -A INPUT -p udp --dport 53 -m dns --dns-query --query-type ANY \
  -m hashlimit --hashlimit-above 10/min --hashlimit-burst 3 \
  --hashlimit-mode srcip --hashlimit-name DNS-ANY -j DROP
```
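As an added illustration (not code from xt_dns or its author), the following Python re-implements in userspace the classification the match performs on a raw UDP DNS payload: the QR bit for query/response, the QTYPE of the first question, and the OPT pseudo-RR whose CLASS field carries the EDNS0 buffer size. Function names are my own and the sample packet is constructed, not captured.

```python
import struct
QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16,
         "AAAA": 28, "SRV": 33, "A6": 38, "ANY": 255}

def skip_name(pkt, off):  # offset just past a domain name (labels or pointer)
    while True:
        length = pkt[off]            # IndexError on a truncated name
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:    # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_dns(pkt):  # pull out the attributes the match inspects
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    info = {"response": bool(flags & 0x8000), "qtype": None, "edns0": False, "bufsize": None}
    off = 12
    for i in range(qd):
        off = skip_name(pkt, off)
        if i == 0:                   # query type comes from the first question
            info["qtype"] = struct.unpack("!H", pkt[off:off + 2])[0]
        off += 4                     # QTYPE + QCLASS
    for _ in range(an + ns + ar):    # walk every RR; OPT sits in the additional section
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:              # EDNS0 OPT pseudo-RR (RFC 6891)
            info["edns0"] = True
            info["bufsize"] = rclass  # OPT reuses CLASS for the UDP payload size
    if off > len(pkt):
        raise ValueError("truncated resource record")
    return info

def dns_match(pkt, dns_query=None, query_type=None, edns0=None, bufsize=None):
    """dns_query True/False = --dns-query/--dns-response; query_type a name or
    number; edns0 a bool; bufsize an inclusive (low, high) range."""
    try:
        info = parse_dns(pkt)
    except (struct.error, IndexError, ValueError):
        return False                 # malformed packets never match
    want = QTYPE.get(query_type, query_type)
    return ((dns_query is None or info["response"] != dns_query)
            and (query_type is None or info["qtype"] == want)
            and (edns0 is None or info["edns0"] == edns0)
            and (bufsize is None or (info["bufsize"] is not None
                                     and bufsize[0] <= info["bufsize"] <= bufsize[1])))

ANY_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01"  # constructed: RD, QD=1, AR=1
             b"\x07example\x03com\x00\x00\xff\x00\x01"             # example.com ANY IN
             b"\x00\x00\x29\x10\x00\x00\x00\x00\x00\x00\x00")      # OPT RR, bufsize 4096
```

`dns_match(ANY_QUERY, dns_query=True, query_type="ANY")` is the userspace equivalent of the rule above; a packet with no OPT RR never satisfies a `bufsize` range, and truncated input is treated as non-matching rather than raising.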