Fighting DNS flood with Shorewall


One of my servers had its whole syslog full of lines like this:

And it had been going on for a long time. It wasn’t a big deal, since the request is denied anyway, until I had to do some serious modification on this server and discovered that syslog was nearly unusable thanks to this amazing flood:

It seems impossible to get fine-grained logging out of bind9, so I decided to try something else: use shorewall (an iptables frontend) to drop every packet matching the pattern “” (all the requests are for this specific domain).

Let’s give iptables a try:

Yeah! Syslog stopped complaining. However, I’m not really happy with this solution:

  • TCP is not handled either (only UDP is matched)
  • IPv6 isn’t either
  • It matches only the label x99moyu, not the whole domain
  • It isn’t integrated into the system
  • It isn’t self-documenting

Let’s try to figure out how to match the whole domain first:

That won’t work, because the DNS query is constructed differently:

If you look at the contents of the DNS request packet in wireshark or similar you will find that the dot character is never present on the wire. Each label of the domain name is a counted string (a length byte followed by the characters of the label), so the query name built from the labels google and com is encoded as:

06 67 6f 6f 67 6c 65 03 63 6f 6d
The first byte (06) is the length of google, followed by the 6 ASCII characters, then a count byte (03) for the length of com followed by… you get the idea. (On the wire the name is closed by a final 00 byte, the empty root label; a pattern that ends with that byte matches only names that end with the domain, while one without it also matches the domain buried inside a longer name.)

Yep, I got it. We’ll also need to use a hex match instead of a simple string match:

Here we go, here’s the proper iptables match to use. Now we can integrate it into our /etc/shorewall/rules and /etc/shorewall6/rules, above the “DNS/ACCEPT” line. The Shorewall DNS macro covers both UDP and TCP port 53, and the same line goes into the IPv6 rules file, so the TCP and IPv6 gaps from the list above are closed as well.

# With logging (x99moy is a "tag" displayed in the log lines, limited to 6 chars)
#DNS/DROP:info:x99moy loc fw ; -m string --algo bm --hex-string "|07|x99moyu|03|net"
# Without logging
DNS/DROP loc fw ; -m string --algo bm --hex-string "|07|x99moyu|03|net"
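To make the wire-format explanation above concrete, here is an added example (not code from the original post) that builds the `--hex-string` pattern from a domain name, parses it back into bytes, and emulates what `-m string` matches against a few constructed DNS queries. The domain x99moyu.net is taken from the rule above; the sample query names, the `build_query` helper and the function names are assumptions for the demonstration. It also shows the effect of appending the terminating `|00|` byte, which the rule above does not do.

```python
"""Build and test iptables string-match patterns for DNS query names.

DNS encodes each label of a query name as a length byte followed by the label
characters and terminates the name with a 0x00 byte (the empty root label).
Added example; x99moyu.net comes from the Shorewall rule above, everything
else here is constructed for illustration.
"""
import struct


def encode_qname(domain: str) -> bytes:
    """Encode a domain name as it appears in a DNS query: <len><label>...<00>."""
    out = b""
    for label in domain.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:  # RFC 1035 label length limit
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def iptables_hex_string(domain: str, anchor_end: bool = False) -> str:
    """Turn a domain into the --hex-string argument for `iptables -m string`.

    Length bytes are written as |xx| escapes, label text stays literal.
    With anchor_end=True the terminating |00| byte is appended so the pattern
    only matches names that END with this domain (not domain.evil.example).
    """
    labels = domain.strip(".").split(".")
    pattern = "".join(f"|{len(label):02x}|{label}" for label in labels)
    if anchor_end:
        pattern += "|00|"
    return pattern


def hex_string_to_bytes(hex_string: str) -> bytes:
    """Parse iptables --hex-string syntax: text outside |...| is literal,
    text inside is hex bytes (spaces allowed, e.g. |03 6e 65 74|)."""
    out = b""
    for i, chunk in enumerate(hex_string.split("|")):
        if i % 2 == 0:
            out += chunk.encode("ascii")  # literal text
        else:
            out += bytes.fromhex(chunk.replace(" ", ""))  # escaped bytes
    return out


def build_query(domain: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample: a minimal DNS query (header + one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_qname(domain) + struct.pack("!HH", qtype, 1)


def string_match(packet: bytes, hex_string: str) -> bool:
    """Emulate `-m string --hex-string`: a plain substring search over the
    bytes. Here only the DNS payload is searched; the real module starts at
    the IP header unless --from is given, which does not change the result."""
    return hex_string_to_bytes(hex_string) in packet


if __name__ == "__main__":
    loose = iptables_hex_string("x99moyu.net")                   # |07|x99moyu|03|net
    strict = iptables_hex_string("x99moyu.net", anchor_end=True)  # ...|00|
    for name in ["x99moyu.net", "www.x99moyu.net", "x99moyu.network",
                 "notx99moyu.net", "x99moyu.net.example.com"]:
        query = build_query(name)
        print(f"{name:26} loose={string_match(query, loose)!s:5} "
              f"strict={string_match(query, strict)}")
```

Two things worth noting from the output: the length byte in front of x99moyu already anchors the left side, so notx99moyu.net is not matched, and only the `|00|` variant keeps x99moyu.net.example.com out. The kernel match is byte-exact, so a client that mixes case in the query name (DNS names are case-insensitive) would slip past; `-m string` accepts `--icase` if that matters.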

