The dnsroot filter allows one to create iptables rules based on whether or not a DNS query contains a valid top level domain (TLD).
A public git repository is at https://github.com/ISI-ANT/dnsroot-xtables/
First public release. Based on xtables-addons 2.14.
% dnsroot-xtables(1)
% Wes Hardaker <hardaker@isi.edu>, Robert Story <rstory@isi.edu>
% May 25, 2020
dnsroot: An xtables module for filtering DNS queries based on validity of the top level domain (TLD)
iptables -m udp -p udp --dport 53 -m dnsroot [--debug] [!] --tld -j ACTION
The dnsroot xtables filter processes DNS queries, examining the domain name being queried and checking the last component of the domain name (the top level domain, or TLD) against a list of valid TLDs.
By default the rule matches if the TLD in the packet is a valid TLD. The test can be negated by prefixing it with ‘!’, in which case the rule matches queries whose TLD is not valid, e.g.
iptables -m udp -p udp --dport 53 -m dnsroot ! --tld -j DROP
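The following is an added example, not code from the dnsroot-xtables project, showing the check the description above implies: parse the question section of a UDP DNS query, take the last label of the QNAME, and look it up case-insensitively in a TLD list. The TLD list here is a constructed, abbreviated one (the module's own list is hardcoded and much longer), and the handling of a query for the root itself (".") is an assumption of this example, not documented behaviour of the module. The parser refuses anything it cannot walk safely (truncated packet, compression pointer in the question name, a response instead of a query), which is the property a match module running in the kernel most needs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed, abbreviated TLD list for this example; the module itself
 * carries a hardcoded list of the real root-zone TLDs. */
static const char *const valid_tlds[] = {
    "com", "net", "org", "edu", "arpa", "uk", "xn--p1ai" /* A-label TLD */
};

#define DNS_HDR_LEN 12  /* ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT */

enum { QNAME_BAD = -1, TLD_INVALID = 0, TLD_VALID = 1 };

/* Case-insensitive comparison of a raw DNS label against a C string. */
static int label_eq_ci(const unsigned char *label, size_t n, const char *tld)
{
    if (strlen(tld) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower(label[i]) != tolower((unsigned char)tld[i]))
            return 0;
    return 1;
}

/* Classify the TLD of the first question's QNAME in a UDP DNS payload.
 * Anything that cannot be parsed safely yields QNAME_BAD, so the caller
 * never reads past the end of the packet. */
int dnsroot_check(const unsigned char *pkt, size_t len)
{
    if (len < DNS_HDR_LEN)
        return QNAME_BAD;
    if (pkt[2] & 0x80)                       /* QR=1: a response, not a query */
        return QNAME_BAD;
    if (((pkt[4] << 8) | pkt[5]) == 0)       /* QDCOUNT must be at least 1 */
        return QNAME_BAD;

    size_t pos = DNS_HDR_LEN;
    const unsigned char *last = NULL;        /* rightmost label seen so far */
    size_t lastlen = 0;
    for (;;) {
        if (pos >= len)
            return QNAME_BAD;
        unsigned char l = pkt[pos];
        if (l == 0)                          /* root label ends the name */
            break;
        if (l & 0xC0)                        /* no pointers in a question name */
            return QNAME_BAD;
        if (pos + 1 + l > len)               /* label runs past the packet */
            return QNAME_BAD;
        last = pkt + pos + 1;
        lastlen = l;
        pos += 1 + l;
    }
    if (pos + 1 + 4 > len)                   /* QTYPE and QCLASS must follow */
        return QNAME_BAD;

    /* A query for "." has no TLD label. Assumption of this example: treat it
     * as valid so a "! --tld -j DROP" rule does not discard priming queries. */
    if (last == NULL)
        return TLD_VALID;

    for (size_t i = 0; i < sizeof valid_tlds / sizeof valid_tlds[0]; i++)
        if (label_eq_ci(last, lastlen, valid_tlds[i]))
            return TLD_VALID;
    return TLD_INVALID;
}

/* Build a minimal A/IN query for 'name' (constructed test input).
 * Returns the payload length, or 0 if the name does not fit. */
size_t build_query(const char *name, unsigned char *out, size_t cap)
{
    static const unsigned char hdr[DNS_HDR_LEN] = {
        0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0 };
    if (cap < DNS_HDR_LEN + strlen(name) + 2 + 4)
        return 0;
    memcpy(out, hdr, DNS_HDR_LEN);
    size_t pos = DNS_HDR_LEN;
    for (const char *p = name; *p; ) {
        const char *dot = strchr(p, '.');
        size_t l = dot ? (size_t)(dot - p) : strlen(p);
        if (l > 63)
            return 0;
        if (l > 0) {                          /* skip the empty label of "." */
            out[pos++] = (unsigned char)l;
            memcpy(out + pos, p, l);
            pos += l;
        }
        if (!dot)
            break;
        p = dot + 1;
    }
    out[pos++] = 0;                           /* root label */
    out[pos++] = 0; out[pos++] = 1;           /* QTYPE A */
    out[pos++] = 0; out[pos++] = 1;           /* QCLASS IN */
    return pos;
}

/* Classify a name given as text. */
int dnsroot_check_name(const char *name)
{
    unsigned char buf[512];
    size_t n = build_query(name, buf, sizeof buf);
    return n ? dnsroot_check(buf, n) : QNAME_BAD;
}

/* Malformed inputs: a packet cut off before QTYPE/QCLASS, and a QNAME that
 * is a compression pointer instead of a label. */
int dnsroot_check_truncated(void)
{
    unsigned char buf[64];
    size_t n = build_query("example.com", buf, sizeof buf);
    return dnsroot_check(buf, n - 3);
}

int dnsroot_check_pointer(void)
{
    static const unsigned char pkt[] = {
        0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0,  /* header, QDCOUNT=1 */
        0xC0, 0x0C, 0, 1, 0, 1 };            /* pointer, QTYPE, QCLASS */
    return dnsroot_check(pkt, sizeof pkt);
}

int main(void)
{
    const char *names[] = { "example.com", "www.Example.CoM", "host.bogus",
                            ".", "example.xn--p1ai" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s -> %d\n", names[i], dnsroot_check_name(names[i]));
    return 0;
}
```

Labels are compared case-insensitively because DNS names are case-insensitive and a query for `EXAMPLE.COM` must match the same TLD as `example.com`; IDN TLDs appear on the wire as A-labels (`xn--...`), so the list must hold those rather than the Unicode form.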
--tld      Match if the last label of the queried name is in the list of valid TLDs. Prefix with ‘!’ to match queries whose TLD is not in the list.
--debug    Enable debug output from the module.
There is no support for TCP queries yet.
The list of valid TLDs is hardcoded. In the future an option will be provided to load the list from a local file.
The dnsroot filter proof of concept was written by Wes Hardaker. Further development was done by Robert Story.
Copyright (C) 2019-2020 the University of Southern California.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License, version 2, as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
The dnsroot-xtables filter is useful for accelerating traffic processing at a root server, so it may be useful for reducing load during a DDoS attack. Since it loads a static list of root TLDs into the kernel, it’s not suitable for everyday use.