James B. Byrne
2015-Oct-05 13:46 UTC
[CentOS] Can one construct an IPTables rule to block on NS records?
This is the same origin that I reported on earlier. Apparently asking
for an explanation of why they were probing our sites only encouraged
them to make additional attempts.
sshd:
Authentication Failures:
unknown (ip-173-201-178-18.ip.secureserver.net): 2 Time(s)
unknown (ip-97-74-196-33.ip.secureserver.net): 2 Time(s)
unknown (ip-97-74-202-95.ip.secureserver.net): 2 Time(s)
root (ip-173-201-252-24.ip.secureserver.net): 1 Time(s)
root (ip-72-167-249-196.ip.secureserver.net): 1 Time(s)
root (ip-72-167-251-87.ip.secureserver.net): 1 Time(s)
root (ip-97-74-121-108.ip.secureserver.net): 1 Time(s)
root (ip-97-74-193-219.ip.secureserver.net): 1 Time(s)
root (ip-97-74-206-13.ip.secureserver.net): 1 Time(s)
unknown (ip-173-201-252-24.ip.secureserver.net): 1 Time(s)
unknown (ip-72-167-249-196.ip.secureserver.net): 1 Time(s)
unknown (ip-72-167-251-87.ip.secureserver.net): 1 Time(s)
unknown (ip-97-74-121-108.ip.secureserver.net): 1 Time(s)
unknown (ip-97-74-193-219.ip.secureserver.net): 1 Time(s)
unknown (ip-97-74-206-13.ip.secureserver.net): 1 Time(s)
Invalid Users:
Unknown Account: 12 Time(s)
So, is there any convenient way to construct an IPTables rule to block
all IPs associated with a given Domain Name server?
dig -x 173.201.178.18
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> -x 173.201.178.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1357
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
;; QUESTION SECTION:
;18.178.201.173.in-addr.arpa. IN PTR
;; ANSWER SECTION:
18.178.201.173.in-addr.arpa. 3600 IN PTR ip-173-201-178-18.ip.secureserver.net.
;; AUTHORITY SECTION:
201.173.in-addr.arpa. 66199 IN NS cns2.secureserver.net.
201.173.in-addr.arpa. 66199 IN NS cns1.secureserver.net.
;; ADDITIONAL SECTION:
cns2.secureserver.net. 172800 IN A 216.69.185.100
cns2.secureserver.net. 172800 IN AAAA 2607:f208:303::64
cns1.secureserver.net. 172800 IN A 208.109.255.100
cns1.secureserver.net. 172800 IN AAAA 2607:f208:207::64
Like say, cns{1,2}.secureserver.net. Or an entire domain? Say
secureserver.net. ?
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
Kenneth Porter
2015-Oct-06 07:22 UTC
[CentOS] Can one construct an IPTables rule to block on NS records?
--On Monday, October 05, 2015 10:46 AM -0400 "James B. Byrne" <byrnejb at harte-lyne.ca> wrote:
> So, is there any convenient way to construct an IPTables rule to block
> all IPs associated with a given Domain Name server?

Doing DNS queries within the kernel netfilter path would be bad. You could run a cron job to update an iptables chain periodically with the results of a dig query. Some Perl could be used to do the query and generate the iptables commands.
Kahlil Hodgson
2015-Oct-06 11:25 UTC
[CentOS] Can one construct an IPTables rule to block on NS records?
On 6 October 2015 at 00:46, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
> So, is there any convenient way to construct an IPTables rule to block
> all IPs associated with a given Domain Name server?
>

You can use ipsets to block a large collection of IP addresses with netfilter. I block various problematic countries that way. The problem is getting _all_ the IP addresses associated with a DNS server. I don't think that is going to be easy/possible, unless that DNS server has been badly misconfigured.

K
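One way to put Kenneth's cron-plus-dig suggestion and Kahlil's ipset suggestion together, as an added example that is not code from this thread: a POSIX sh script that resolves a list of hostnames with dig, loads the resulting IPv4 addresses into an ipset, and attaches a single DROP rule to that set. The set name nsblock, the NSBLOCK_APPLY switch and the default host list (the cns1/cns2 names from the dig output above) are assumptions; as Kahlil notes, this blocks only the addresses those names currently resolve to, not every host the nameserver is authoritative for.

```shell
#!/bin/sh
# Added example, not code from the thread. Refreshes the ipset $SETNAME
# (assumed name "nsblock") with the A records the names in $HOSTS resolve
# to right now, then ensures one iptables rule drops traffic from that set.
# Run from cron; only what the names resolve to is blocked, nothing more.
SETNAME="${SETNAME:-nsblock}"
# Constructed default: the NS names from the dig output earlier in the thread.
HOSTS="${HOSTS:-cns1.secureserver.net cns2.secureserver.net}"

# Keep only well-formed dotted-quad IPv4 addresses from resolver output;
# dig +short may also emit CNAME targets or ";;" error lines, which must
# never reach ipset.
filter_ipv4() {
    awk -F. 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ &&
             $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ &&
             $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255'
}

# Emit an "ipset restore" script (addresses on stdin) that fills a scratch
# set and swaps it for the live one, so the rule never sees a half-empty set.
ipset_restore_script() {
    name="$1"
    printf 'create %s_tmp hash:ip\n' "$name"
    printf 'flush %s_tmp\n' "$name"
    while read -r ip; do
        printf 'add %s_tmp %s\n' "$name" "$ip"
    done
    printf 'create %s hash:ip\n' "$name"
    printf 'swap %s_tmp %s\n' "$name" "$name"
    printf 'destroy %s_tmp\n' "$name"
}

# Query A records for every hostname given as an argument.
resolve_all() {
    for h in "$@"; do dig +short A "$h"; done
}

apply_blocklist() {
    # -exist makes "create" tolerate sets that already exist.
    resolve_all $HOSTS | filter_ipv4 | sort -u \
        | ipset_restore_script "$SETNAME" | ipset -exist restore
    iptables -C INPUT -m set --match-set "$SETNAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$SETNAME" src -j DROP
}

# Touch the firewall only when explicitly asked (NSBLOCK_APPLY=1 from cron).
if [ "${NSBLOCK_APPLY:-0}" = 1 ]; then apply_blocklist; fi
```

Because the resolver output is filtered and the live set is replaced by a swap rather than edited in place, a transient DNS failure leaves an empty scratch set rather than a broken rule; log the resolved addresses from cron if you want to see what changed between runs.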
Leon Fauster
2015-Oct-06 13:34 UTC
[CentOS] Can one construct an IPTables rule to block on NS records?
--On Monday, October 05, 2015 10:46 AM -0400 "James B. Byrne" <byrnejb at harte-lyne.ca> wrote:
> So, is there any convenient way to construct an IPTables rule to block
> all IPs associated with a given Domain Name server?

IPs have the reverse lookup "associated" with a NS. What do you mean by "associated"? Do you mean all IPs that this DNS server resolves to (A records in zone) (how do you know for what zone the NS gives authoritative answers)? Or just the domain name server IPs of a given domain name (NS records)? What are you trying to solve?

--
LF