dnsroot: An xtables module for filtering DNS queries based on validity of TLD


The dnsroot filter allows one to create iptables rules based on whether or not a DNS query contains a valid top level domain (TLD).

A public git repository is at https://github.com/ISI-ANT/dnsroot-xtables/


% dnsroot-xtables(1) % Wes Hardaker hardaker@isi.edu, Robert Story rstory@isi.edu % May 25, 2020


dnsroot: An xtables module for filtering DNS queries based on validity of the top level domain (TLD)


iptables -m udp -p udp --dport 53 -m dnsroot [--debug] [!] --tld -j ACTION


The dnsroot xtables filter processes DNS queries, examining the domain name being queried and checking the last component of the domain name (the top level domain, or TLD) against a list of valid TLDs.

By default the rule will match if the TLD in the packet is a valid TLD. The test can be negated by prefixing it with ‘!’, in which case the rule will match invalid TLDs. e.g.

iptables -m udp -p udp --dport 53 -m dnsroot ! -tld -j DROP


--tld OPTION
Test for a valid TLD. Testing for an invalid TLD can be done by specifying ‘!’ before the option.
--debug OPTION
Enable debugging output to kernel log. May be specified multiple times for increased levels of logging.


  • 2.14.0-dns (2020-05-25) First release. Based on xtables-addons 2.14.


  • no support for TCP queries yet.

  • The list of valid TLDs is hardcoded. In the future and option will be provided to load the list from a local file


The dnsroot filter proof of concept was written by Wes Hardaker. Further development was done by Robert Story.


Copyright (C) 2019-2020 the University of Southern California.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License, version 2, as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along ith this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.


The dnsroot-xtables filter is useful for accellerating traffic processing at a root server, so it may be useful to reduce load during a DDoS attack. Since it loads a static list of root TLDs into the kernel, it’s not suitable for everyday use.