On 11/09/15 16:45, sven falempin wrote:
> For the first time ever I did something with iptables
> that I don't know how to do (simply) with
> pf.
> Something I think is useful.
>
> I have a domain server, nsd, it serves whatever.com,

Authoritative server, then.

> the server is like flooded with requests for no reason,

Welcome to the Internet. It happens.

> with iptables I was able to add
> <-m string --hex-string whatever|03|com>
> in the <in> rules.
>
> So I only accept DNS requests that matter to me.
>
> Is there a way? (something simpler than diverting to a
> sort of grep -v).

I'd call that a wrong way to do it, definitely.

If your name server is configured properly, it should be ignoring domain requests it isn't authoritative for. Not a problem. If you are running a resolver, it should be resolving only for the IP addresses you manage (here PF can help you, but the resolver can deal with that, too).

> Would it be a cool feature? or because it's a protocol shall
> it be done inside relayd?

No. String and pattern matching in the kernel is not a really good plan. And if you are doing it in an application outside of the kernel, why not just do it in NSD and be done with it?

Nor is this solving a problem. Let NSD do its job correctly, and it will just ignore those queries. DNS queries are really small, and authoritative servers put very little load on the processor. The query is going to get received, looked at, and either responded to or dropped... adding extra layers here to change who receives and processes the query isn't helping anything.

In fact -- assuming NSD is fairly efficient (I think it is), what I propose is this:

  Packet comes in (kernel)
  Packet is compared against domains served (NSD)
  Response or drop (NSD)

What you propose is this:

  Packet comes in (kernel)
  Packet is compared against domains served (filter)
  drop ... OR ->
  Packet is compared against domains served (AGAIN!) (NSD)
  Response (NSD)

I don't think you win anything here by duplicating a step.

OR if you want to be nasty, set up a full resolver that returns the IP of some really nasty, rude or inappropriate site for ALL queries except the ones it should be answering for.

(actually, I don't recommend doing this, but it made me grin to think about it. "Why do I keep ending up on the My Little Pony website??").

Again, just because you CAN do something doesn't make it a good idea.

Nick.
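An added example that is not part of the thread (assumes Python 3; the sample packets are constructed inline and the zone name whatever.com is the one from the post): it performs the question-name zone check an authoritative server such as NSD makes, beside the raw byte match the iptables hex-string rule does, and shows that the latter also fires on unrelated names such as notwhatever.com because the rule carries no leading label-length byte.

```python
# Added example (not from the thread); sample packets are constructed by build_query().

def parse_qname(packet: bytes, offset: int = 12):
    """Return (qname, next_offset) for the first question in a DNS message.

    Wire format is length-prefixed labels ending in a zero byte, so
    whatever.com is 0x08 'whatever' 0x03 'com' 0x00; that is why the
    hex-string rule looked for the bytes 'whatever', 0x03, 'com'.
    """
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated QNAME")
        n = packet[offset]
        offset += 1
        if n == 0:
            break
        if n > 63 or offset + n > len(packet):   # also rejects compression pointers (0xC0..)
            raise ValueError("bad label length")
        labels.append(packet[offset:offset + n].decode("ascii").lower())
        offset += n
    return ".".join(labels) + ".", offset

def in_zone(qname: str, zone: str) -> bool:
    """The check an authoritative server makes: is qname the apex or below it?"""
    zone = zone.lower().rstrip(".") + "."
    return qname == zone or qname.endswith("." + zone)

def hex_string_match(packet: bytes, zone: str) -> bool:
    """Approximate the iptables rule: a substring search for the labels with no
    leading length byte, exactly as 'whatever|03|com' was written."""
    labels = zone.rstrip(".").split(".")
    needle = labels[0].encode() + b"".join(bytes([len(l)]) + l.encode() for l in labels[1:])
    return needle in packet

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Constructed standard query for name, type A, class IN (header + question)."""
    header = qid.to_bytes(2, "big") + b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"

def decisions(name: str, zone: str = "whatever.com"):
    """(what NSD would decide, what the iptables rule would decide) for one query name."""
    pkt = build_query(name)
    qname, _ = parse_qname(pkt)
    return in_zone(qname, zone), hex_string_match(pkt, zone)

if __name__ == "__main__":
    for n in ("www.whatever.com", "whatever.com", "example.net", "notwhatever.com"):
        print(n, decisions(n))
```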