On Fri, Aug 20, 2021 at 11:25:39AM -0400, Ruben Safir wrote:
> On Fri, Aug 20, 2021 at 04:42:05AM +0000, Qontinuum wrote:
> > On Thu, Aug 19, 2021 at 10:42:42PM -0400, Ruben Safir wrote:
> > > anyone know a solution to this that works
> > >
> > > /sbin/iptables -I INPUT -p udp --dport 53 -m string –hex-string
> > > '|03|www|08|pizzaseo|03|com|' –algo bm -j DROP
> > > iptables v1.8.7 (legacy): unknown option "--dport"
> > > Try `iptables -h' or 'iptables --help' for more information.
> > >
> > > No docs I read dislike -dport or --dport
> > >
> > > the objective here is to drop remote inquiries for pizzaseo.com which
> > > seems to be an attack
> >
> > The solution is to use the iptables-legacy binary instead of the iptables one.
> >
> > I would like to encourage you to use nftables instead of iptables,
> > which has been deprecated for years now; you will gain benefits in
> > performance and ease of maintenance.
> >
>
> It does the same thing with legacy. I tried that before posting.
I guess we don't have the same version of the iptables-legacy binary
then :/ (I don't have any error at least)
>
> nft doesn't have a string matching capacity.
It has raw payload expressions
>
>
> > Also, since it is an input rule I guess that you are hosting a DNS on
> > this machine. Isn't your DNS capable of using Response Policy Zones or
> > even rules hard-coded in your configuration?
>
> That would be ideal. I am using bind9 and I have in the config
>
> options {
> directory "/usr/local/namedb/";
> version "BMT - Brighton Line";
> pid-file "/run/named.pid";
> allow-query { any; };
> allow-recursion {"localnets";};
> // ban everyone by default
> allow-transfer {"none";};
> };
>
> I thought that left recursion to only my local network and would block
> foreign external inquiries. Evidently it doesn't stop this exploit.
I don't know bind9 so I can't help. But here the problem seems to be
totally unrelated to any configuration: you have exposed your DNS to
the internet, which is definitely not what you want if it is a private
service. Since I found the forum from which you copy-pasted the iptables
command, you could have watched for further information.
Is your DNS service on the machine that is also the gateway? If yes, you
should listen for queries only on the local port and not just manage
this with access policies and firewall rules.
--
qontinuum
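As an added illustration of the two suggestions above (bind only to the local side, and use a Response Policy Zone instead of payload matching in the firewall), here is a named.conf fragment that is not from this thread or from the BIND project; it assumes a purely private recursive resolver, with the LAN range 192.168.1.0/24 and the interface address 192.168.1.1 as placeholders, and it keeps the directory and pid-file values from the original config.

```conf
// Added example, not part of the thread. Placeholder addresses below.
acl "lan" { 127.0.0.1; 192.168.1.0/24; };   // assumed LAN range

options {
    directory "/usr/local/namedb/";
    pid-file "/run/named.pid";

    // Bind only to loopback and the LAN-facing address, so named never
    // answers on the internet-facing interface at all; this is the
    // "listen locally" point rather than filtering after the fact.
    listen-on { 127.0.0.1; 192.168.1.1; };
    listen-on-v6 { ::1; };

    // Defence in depth on the addresses we do listen on: refuse both
    // plain queries and recursion from anything outside the LAN.
    recursion yes;
    allow-query { "lan"; };
    allow-recursion { "lan"; };
    allow-transfer { none; };

    // Response Rate Limiting blunts reflection/amplification traffic:
    // repeated identical answers to the same client /24 are capped.
    rate-limit {
        responses-per-second 5;
        window 5;
    };

    // Consult the local policy zone below before answering.
    response-policy { zone "rpz.local"; };
};

// Response Policy Zone: names under pizzaseo.com get NXDOMAIN.
zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { none; };   // used internally by response-policy only
};

// Contents of rpz.local.db (placed in the directory above):
//   $TTL 1h
//   @               IN SOA localhost. root.localhost. ( 1 1h 15m 30d 2h )
//                   IN NS  localhost.
//   pizzaseo.com    CNAME .      ; "CNAME ." in an RPZ means NXDOMAIN
//   *.pizzaseo.com  CNAME .
```

If the same named instance is also authoritative for public zones, it must stay reachable on the external address, and then the rate-limit block is the relevant knob while listen-on cannot be narrowed this far.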