I can't look at the code now but perhaps only allow udp and not tcp from untrusted hosts? I think tcp is only used for really large transfers, which a non-malicious user wouldn't need. The only exception I can think of is for a zone transfer between authoritative servers.
Brian

On Jul 10, 2012 12:38 PM, "Peter J. Philipp" <p...@centroid.eu> wrote:

> Hi,
>
> I have built some skeleton code (it's ugly) for a proxy for dns based on
> my wildcarddnsd. I'm using divert(4) sockets but whenever I put the pf
> rules on the reinjection doesn't work for me. Here are my pf rules:
>
> # pfctl -srules
> pass all flags S/SA
> block drop in on ! lo0 proto tcp from any to any port 6000:6010
> block drop in on re0 inet from <fuckoff> to any
> pass in on re0 inet proto udp from any to any port = 53 scrub (reassemble tcp) divert-packet port 9999
>
> and here is the skeleton code:
>
> http://ipv4.goldflipper.net/private/dnsdivert.tgz
>
> I did this rather fast hoping to get it in for someone I know who is being
> used for a DNS amplifier attack but the final tests broke the hope of
> stopping it with this.
>
> The way you use that is run the program in the foreground and it should
> print for what dns name a query is. But when I run it the reinject does
> not happen and dig for example will stop in its tracks and not deliver an
> answer from named.
>
> Any small hint would be appreciated,
>
> -peter
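For readers following the thread, here is an added example of the two halves Peter's skeleton needs to get right: decoding the question name out of the raw IPv4/UDP/DNS packet that pf hands over on the divert port, and then writing that packet back so pf finishes processing it. This is my own illustration, not the code in dnsdivert.tgz (which I have not looked at), and it assumes OpenBSD divert(4) semantics: a SOCK_RAW/IPPROTO_DIVERT socket bound to the port from the `divert-packet port 9999` rule, `recvfrom()` returning the whole IP packet, and reinjection by `sendto()` on the same socket to the address `recvfrom()` filled in. The sample packet is constructed for the demo; checksums are left at zero because pf already validated the real packet before diverting it.

```c
/* Added example, not the thread's dnsdivert.tgz code.
 * Assumes OpenBSD divert(4): read full IP packets from a divert socket
 * bound to port 9999, log the DNS question name, reinject unchanged. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Extract the first question name from an IPv4/UDP/DNS query into `out`
 * (dotted form). Returns 1 on success, 0 if the packet is not a DNS query
 * to port 53 or the name is malformed (truncated, compression pointer). */
int dns_query_name(const uint8_t *pkt, size_t len, char *out, size_t outlen)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return 0;
    if (pkt[9] != 17) return 0;                 /* not UDP */
    size_t udp = ihl;
    uint16_t dport = (uint16_t)((pkt[udp + 2] << 8) | pkt[udp + 3]);
    size_t dns = udp + 8;
    if (dport != 53 || len < dns + 12) return 0;
    if (pkt[dns + 2] & 0x80) return 0;          /* QR set: a response, not a query */
    uint16_t qdcount = (uint16_t)((pkt[dns + 4] << 8) | pkt[dns + 5]);
    if (qdcount == 0) return 0;
    size_t p = dns + 12, o = 0;
    for (;;) {
        if (p >= len) return 0;
        uint8_t l = pkt[p++];
        if (l == 0) break;
        if (l & 0xc0) return 0;                 /* pointers are not valid in a question name */
        if (p + l > len || o + l + 1 >= outlen) return 0;
        if (o) out[o++] = '.';
        memcpy(out + o, pkt + p, l);
        o += l;
        p += l;
    }
    if (o == 0) { if (outlen < 2) return 0; out[o++] = '.'; }  /* root name */
    out[o] = '\0';
    return 1;
}

/* Constructed sample: IPv4 192.168.1.10 -> 192.168.1.1, UDP 49152 -> 53,
 * DNS query id 0x1234 for example.com/A. Checksums are zero on purpose. */
static const uint8_t sample_query[] = {
    0x45,0x00,0x00,0x39, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x01,
    0xc0,0x00,0x00,0x35, 0x00,0x25,0x00,0x00,
    0x12,0x34,0x01,0x00, 0x00,0x01,0x00,0x00, 0x00,0x00,0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0x00,0x01, 0x00,0x01
};

#ifdef IPPROTO_DIVERT
/* Serve the divert port: log each query name, then hand the packet back.
 * Without the sendto() the packet is dropped and the client (dig) hangs,
 * which is the symptom described in the thread. */
int divert_loop(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket"); return -1; }
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = INADDR_ANY;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        perror("bind"); close(fd); return -1;
    }
    uint8_t buf[65535];
    char name[256];
    for (;;) {
        struct sockaddr_in from;
        socklen_t fl = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) { perror("recvfrom"); break; }
        if (dns_query_name(buf, (size_t)n, name, sizeof name))
            printf("query for %s\n", name);
        /* Reinject to the same address recvfrom() filled in. */
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fl) < 0)
            perror("sendto");
    }
    close(fd);
    return -1;
}
#endif

int main(int argc, char **argv)
{
    char name[256];
    if (dns_query_name(sample_query, sizeof sample_query, name, sizeof name))
        printf("sample packet asks for %s\n", name);
#ifdef IPPROTO_DIVERT
    if (argc > 1 && strcmp(argv[1], "--divert") == 0)
        return divert_loop(9999) < 0 ? 1 : 0;
#else
    (void)argc; (void)argv;
    fputs("divert(4) not available here; only the parser ran\n", stderr);
#endif
    return 0;
}
```

Run it with `--divert` on a host where the pf rule from the thread is loaded and it prints one line per diverted query while letting the packets through; without the argument it only decodes the built-in sample. The parser rejects responses and compression pointers so that a malformed packet cannot push the logger past the end of the buffer, and the pf rule quoted above already limits what reaches the program to UDP/53, in line with Brian's suggestion.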