xt_dns
xt_dns netfilter extension, part of software.klolik.org
About
xt_dns is a netfilter extension that matches DNS queries of a specific type (A, MX, TXT, etc.).
This lets you select such packets (UDP over IPv4 or IPv6) and take any action the netfilter framework allows.
The extension does not select DNS packets by itself, so it is your job to restrict the rule to UDP port 53.
Tested on Linux kernel 2.6.35.5.
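What a query-type match has to inspect, shown as an added userspace C illustration that is not part of xt_dns itself: the function walks the question section of a DNS query payload (the UDP payload that follows the IP and UDP headers) in the RFC 1035 wire format and returns the first question's QTYPE, which is what a rule like --dns-query MX compares against. It also performs the checks a deliberately "fast" matcher may skip (QR bit, QDCOUNT, label bounds, no compression pointers), which is the kind of gap behind the false-positive/false-negative note in the Bugs section. The sample packets are constructed for this example and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Well-known QTYPE values (RFC 1035, RFC 3596, RFC 2782). */
enum {
    QTYPE_A = 1, QTYPE_NS = 2, QTYPE_CNAME = 5, QTYPE_SOA = 6, QTYPE_PTR = 12,
    QTYPE_MX = 15, QTYPE_TXT = 16, QTYPE_AAAA = 28, QTYPE_SRV = 33, QTYPE_ANY = 255
};

/*
 * Return the QTYPE of the first question in a DNS query payload, or -1 if the
 * payload is not a well-formed query: shorter than the 12-byte header, QR bit
 * set (a response, not a query), QDCOUNT == 0, a label running past the end
 * of the buffer, or a compression pointer in the question name (a query's
 * first name is never compressed). Hypothetical helper, not xt_dns code.
 */
int dns_query_qtype(const uint8_t *pkt, size_t len)
{
    size_t off;
    uint16_t flags, qdcount;

    if (len < 12)
        return -1;
    flags = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (flags & 0x8000)            /* QR=1: this is a response */
        return -1;
    qdcount = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (qdcount == 0)
        return -1;

    /* Walk QNAME: sequence of <length><label>, terminated by a zero byte. */
    off = 12;
    for (;;) {
        uint8_t l;
        if (off >= len)            /* name runs past the payload */
            return -1;
        l = pkt[off];
        if (l == 0) {
            off++;
            break;
        }
        if (l & 0xC0)              /* compression pointer / reserved bits */
            return -1;
        off += 1 + l;
    }
    if (off + 4 > len)             /* QTYPE and QCLASS must both fit */
        return -1;
    return (pkt[off] << 8) | pkt[off + 1];
}

/* Match helper in the spirit of a netfilter match: 1 = match, 0 = no match. */
int dns_query_matches(const uint8_t *pkt, size_t len, int want_qtype)
{
    int qt = dns_query_qtype(pkt, len);
    return qt >= 0 && qt == want_qtype;
}

/* Constructed sample: MX query for example.com (ID 0x1234, RD set). */
const uint8_t sample_mx_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x0f,                    /* QTYPE  = MX */
    0x00, 0x01                     /* QCLASS = IN */
};
const size_t sample_mx_query_len = sizeof(sample_mx_query);

/* Constructed sample: the same question with QR=1 (a response header). */
const uint8_t sample_mx_response[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x0f, 0x00, 0x01
};
const size_t sample_mx_response_len = sizeof(sample_mx_response);

/* Constructed sample: question name given as a compression pointer. */
const uint8_t sample_compressed_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xC0, 0x0C, 0x00, 0x0f, 0x00, 0x01
};
const size_t sample_compressed_query_len = sizeof(sample_compressed_query);

int main(void)
{
    printf("MX query      -> qtype %d, matches MX: %d\n",
           dns_query_qtype(sample_mx_query, sample_mx_query_len),
           dns_query_matches(sample_mx_query, sample_mx_query_len, QTYPE_MX));
    printf("response      -> qtype %d\n",
           dns_query_qtype(sample_mx_response, sample_mx_response_len));
    printf("truncated     -> qtype %d\n", dns_query_qtype(sample_mx_query, 20));
    printf("compressed    -> qtype %d\n",
           dns_query_qtype(sample_compressed_query, sample_compressed_query_len));
    return 0;
}
```

The bounds checks are the reason the rule must already be restricted to UDP port 53: the parser assumes the payload is DNS, and any other UDP payload that happens to have a plausible header and label layout would otherwise be classified as a query of whatever QTYPE its bytes spell out.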
TODO
See bugs.
Bugs
| Description | Version | Status* | Temporary fix |
| Matching is "fast" and probably not RFC compliant, thus can have some false-positives and false-negatives | * | pending | - |
| no support for other protocols than UDP | * | pending | - |
| compilation errors on older kernels or older iptables | 0.1.0 | pending | uncomment #define HAVE_XT_MATCH_PARAM on .c files |
Downloads
Sources are released under the GNU license.
If you use this software, please send me an e-mail with a comment. Thank you.
Latest version:
[2011.07.03] xt_dns-0.1.0.tar.gz
Older versions:
Example
Extension options:
# iptables -m dns -h
[...]
dns match options:
--dns-query {A|NS|CNAME|SOA|PTR|MX|TXT|AAAA|SRV|A6|ANY|0-255}
To count queries for MX records:
# iptables -A FORWARD -p udp --dport 53 -m dns --dns MX
To log and block forwarded queries for MX records:
# iptables -A FORWARD -p udp --dport 53 -m dns --dns MX -j LOG --log-prefix 'dns:' --log-ip-options --log-tcp-options
# iptables -A FORWARD -p udp --dport 53 -m dns --dns MX -j REJECT --reject-with adm-prohib
See also the example in the Makefile, but be careful using it :)
FAQ
You need to match only on port 53 ;)
Additionally, you must use the extension only on UDP; otherwise iptables will complain:
# iptables -A dnsmx-test -m dns --dns MX
iptables: Protocol wrong type for socket.
# iptables -A dnsmx-test -p udp --dport 53 -m dns --dns MX
# iptables -L dnsmx-test
Chain dnsmx-test (0 references)
target prot opt source destination
udp -- anywhere anywhere udp dpt:domain dns-query:MX
Unfortunately, dropping MX queries can have side effects: for example, the host utility on Unix-like systems usually asks for both A and MX records.
(c) 2005-2010 Bartłomiej Korupczyński
