James B. Byrne
2015-Oct-05 13:46 UTC
[CentOS] Can one construct an IPTables rule to block on NS records?
This is the same origin that I reported on earlier. Apparently asking for an explanation of why they were probing our sites only encouraged them to make additional attempts. sshd: Authentication Failures: unknown (ip-173-201-178-18.ip.secureserver.net): 2 Time(s) unknown (ip-97-74-196-33.ip.secureserver.net): 2 Time(s) unknown (ip-97-74-202-95.ip.secureserver.net): 2 Time(s) root (ip-173-201-252-24.ip.secureserver.net): 1 Time(s) root (ip-72-167-249-196.ip.secureserver.net): 1 Time(s) root (ip-72-167-251-87.ip.secureserver.net): 1 Time(s) root (ip-97-74-121-108.ip.secureserver.net): 1 Time(s) root (ip-97-74-193-219.ip.secureserver.net): 1 Time(s) root (ip-97-74-206-13.ip.secureserver.net): 1 Time(s) unknown (ip-173-201-252-24.ip.secureserver.net): 1 Time(s) unknown (ip-72-167-249-196.ip.secureserver.net): 1 Time(s) unknown (ip-72-167-251-87.ip.secureserver.net): 1 Time(s) unknown (ip-97-74-121-108.ip.secureserver.net): 1 Time(s) unknown (ip-97-74-193-219.ip.secureserver.net): 1 Time(s) unknown (ip-97-74-206-13.ip.secureserver.net): 1 Time(s) Invalid Users: Unknown Account: 12 Time(s) So, is there any convenient way to construct an IPTables rule to block all IPs associated with a given Domain Name server? dig -x 173.201.178.18 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> -x 173.201.178.18 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1357 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4 ;; QUESTION SECTION: ;18.178.201.173.in-addr.arpa. IN PTR ;; ANSWER SECTION: 18.178.201.173.in-addr.arpa. 3600 IN PTR ip-173-201-178-18.ip.secureserver.net. ;; AUTHORITY SECTION: 201.173.in-addr.arpa. 66199 IN NS cns2.secureserver.net. 201.173.in-addr.arpa. 66199 IN NS cns1.secureserver.net. ;; ADDITIONAL SECTION: cns2.secureserver.net. 172800 IN A 216.69.185.100 cns2.secureserver.net. 172800 IN AAAA 2607:f208:303::64 cns1.secureserver.net. 172800 IN A 208.109.255.100 cns1.secureserver.net. 172800 IN AAAA 2607:f208:207::64 Like say, cns{1,2}.secureserver.net. Or an entire domain? Say secureserver.net. ? -- *** e-Mail is NOT a SECURE channel *** Do NOT transmit sensitive data via e-Mail James B. Byrne mailto:ByrneJB at Harte-Lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3
Kenneth Porter
2015-Oct-06 07:22 UTC
[CentOS] Can one construct an IPTables rule to block on NS records?
--On Monday, October 05, 2015 10:46 AM -0400 "James B. Byrne" <byrnejb at harte-lyne.ca> wrote:> So, is there any convenient way to construct an IPTables rule to block > all IPs associated with a given Domain Name server?Doing DNS queries within the kernel netfilter path would be bad. You could run a cron job to update an iptables chain periodically with the results of a dig query. Some Perl could be used to do the query and generate the iptables commands.
Kahlil Hodgson
2015-Oct-06 11:25 UTC
[CentOS] Can one construct an IPTables rule to block on NS records?
On 6 October 2015 at 00:46, James B. Byrne <byrnejb at harte-lyne.ca> wrote:> So, is there any convenient way to construct an IPTables rule to block > all IPs associated with a given Domain Name server? >?You can use ipsets to block a large collection of IP addresses with netfilter. I block various problematic countries that way. The problem is getting _all_ the IP addresses associated with a DNS server. I don't think that is going to be easy/possible, unless that DNS sever has been badly misconfigured. ?K?
Leon Fauster
2015-Oct-06 13:34 UTC
[CentOS] Can one construct an IPTables rule to block on NS records?
--On Monday, October 05, 2015 10:46 AM -0400 "James B. Byrne" <byrnejb at harte-lyne.ca> wrote:> So, is there any convenient way to construct an IPTables rule to block > all IPs associated with a given Domain Name server?IPs have the reversed lookup "assosiated" with a NS. What do you mean with "associated"? Do mean all IPs that this DNS server resolves to (A-Records in zone) (how do know for what zone the NS gives authoritative answers)? Or just the domain name server IPs of a given domain name (NS records)? What are you trying to solve? -- LF
Apparently Analagous Threads
- [Fwd: Re: Can one construct an IPTables rule to block on NS records?]
- Can one construct an IPTables rule to block on NS records?
- Can one construct an IPTables rule to block on NS records?
- Can one construct an IPTables rule to block on NS records?
- How to delete an unwanted NS record