I want to filter malicious inbound DNS traffic, specifically DNS requests with invalid opcodes. Is anyone out there doing this? Interested in your methodology.

I started experimenting with u32, but I'm not sure I'm on the right track; maybe there is a better way?

    iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x2a=0x35313020" -j logdrop -m comment --comment "dropping non-query opcode packets"

I've been using packet captures to try and identify what I should be blocking, but I don't have this pinned down correctly. The relative position of the opcode is moving?
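The "moving" opcode position comes from the IPv4 header: u32 offsets count from the start of the IP header, and that header is 20 bytes only when it carries no options. The u32 man page's idiom `0>>22&0x3C@` reads the IHL field, multiplies it by four, and rebases every later offset at the UDP header, so the DNS header then sits at a fixed offset (UDP+8, with the 16-bit flags word in the low half of that 32-bit word and the opcode in bits 14..11, mask 0x7800, per RFC 1035). The Python below is an added example, not code from the poster or the netfilter project: it builds constructed IPv4/UDP/DNS packets with and without IP options, extracts the opcode with the same arithmetic the kernel u32 match performs, generates the `--u32` expression for the unassigned opcodes, and evaluates that expression against the packets. It assumes the opcode set currently assigned by IANA (0 QUERY, 1 IQUERY, 2 STATUS, 4 NOTIFY, 5 UPDATE; 6 is DSO from RFC 8490, which is defined only over TCP, so it is treated as invalid on UDP/53 here) and the u32 value syntax `a,b:c` from the iptables-extensions man page.

```python
import struct

# Opcodes legitimately seen on UDP/53 (IANA DNS OpCodes registry; 6 = DSO is TCP-only,
# 3 and 7..15 are unassigned). Adjust the set if your deployment differs.
VALID_OPCODES = {0, 1, 2, 4, 5}
OPCODE_MASK = 0x7800     # bits 14..11 of the DNS flags word (RFC 1035 section 4.1.1)
OPCODE_SHIFT = 11


def build_ipv4_udp_dns(opcode, ip_options=b"", txid=0x1234):
    """Constructed sample packet: IPv4 header (optionally with options), UDP to 53, one DNS question."""
    assert len(ip_options) % 4 == 0, "IP options are padded to 32-bit words"
    flags = (opcode & 0xF) << OPCODE_SHIFT                     # QR=0 (request), RD=0
    dns = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)      # ID, flags, QD/AN/NS/AR counts
    dns += b"\x07example\x00" + struct.pack("!HH", 1, 1)       # QNAME "example", QTYPE A, QCLASS IN
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns   # UDP checksum 0 = not computed
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl, 0, ihl * 4 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53])) + ip_options
    return ip + udp


def ip_header_len(packet):
    """The u32 idiom 0>>22&0x3C: shift the first 32-bit word so IHL lands in bits 2..5, i.e. IHL*4."""
    return (struct.unpack("!I", packet[:4])[0] >> 22) & 0x3C


def dns_opcode(packet):
    """Read the opcode the way u32 does: the 32-bit word at UDP offset 8 holds DNS ID + flags."""
    base = ip_header_len(packet)                               # '@' rebases offsets at the UDP header
    word = struct.unpack("!I", packet[base + 8:base + 12])[0]
    return (word & OPCODE_MASK) >> OPCODE_SHIFT


def _merge_ranges(values):
    """Collapse sorted ints into (lo, hi) runs: [3, 6, 7, 8] -> [(3, 3), (6, 8)]."""
    runs = []
    for v in values:
        if runs and v == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], v)
        else:
            runs.append((v, v))
    return runs


def u32_invalid_opcode_expr(valid=VALID_OPCODES):
    """Build the --u32 expression that matches every opcode not in `valid` (IPv4/UDP only)."""
    parts = []
    for lo, hi in _merge_ranges(sorted(set(range(16)) - set(valid))):
        lo_v, hi_v = lo << OPCODE_SHIFT, hi << OPCODE_SHIFT
        parts.append(f"0x{lo_v:x}" if lo == hi else f"0x{lo_v:x}:0x{hi_v:x}")
    return f"0>>22&0x3C@8&0x{OPCODE_MASK:x}=" + ",".join(parts)


def u32_would_match(packet, expr=None):
    """Evaluate the generated expression against a packet: mask the word, test each value/range."""
    expr = expr or u32_invalid_opcode_expr()
    base = ip_header_len(packet)
    field = struct.unpack("!I", packet[base + 8:base + 12])[0] & OPCODE_MASK
    for rng in expr.split("=", 1)[1].split(","):
        lo, _, hi = rng.partition(":")
        if int(lo, 16) <= field <= int(hi or lo, 16):
            return True
    return False


if __name__ == "__main__":
    print("u32 expression:", u32_invalid_opcode_expr())
    nop_options = b"\x01\x01\x01\x01"                          # four NOP options = 24-byte IP header
    for label, pkt in [("query, no options", build_ipv4_udp_dns(0)),
                       ("update, 4-byte options", build_ipv4_udp_dns(5, nop_options)),
                       ("opcode 3, no options", build_ipv4_udp_dns(3)),
                       ("opcode 15, 4-byte options", build_ipv4_udp_dns(15, nop_options))]:
        print(f"{label}: IHL*4={ip_header_len(pkt)} opcode={dns_opcode(pkt)} "
              f"drop={u32_would_match(pkt)}")
```

The generated expression drops into the poster's rule in place of the fixed-offset test, e.g. `-m u32 --u32 "0>>22&0x3C@8&0x7800=0x1800,0x3000:0x7800"`; to restrict it to requests, add `&& 0>>22&0x3C@8&0x8000=0` (QR bit clear) in the same string. It covers only IPv4 and unfragmented UDP: ip6tables needs offsets relative to the fixed 40-byte IPv6 header, and DNS over TCP or fragmented datagrams never reach this match.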