Re: Dropping UDP packets to port 53 containing known domain string?

On Mon, 2 Aug 2021 01:39:24 -0400
Tom <tom@xxxxxxxxxxx> wrote:

> On 2021-07-27 2:09 a.m., Kerin Millar wrote:
> > Let us begin with `tcpdump -n -s0 -X udp port 53`. Here is the payload 
> > of an offending query, including the encapsulating IPv4 header.
> 
> > 0x0000:  4528 003a bb51 0000 f211 3319 4bad 43f9  E(.:.Q....3.K.C.
> > 0x0010:  c422 8657 0035 0035 0026 0000 0001 0100  .".W.5.5.&......
> > 0x0020:  0001 0000 0000 0000 0870 697a 7a61 7365  .........pizzase
> > 0x0030:  6f03 636f 6d00 002e 0001                 o.com....
> Thanks a lot for your very informative reply. Sorry for the delay in 
> responding. With your help I got it to work. Thanks very much!

For the record, this is the rule that I ended up using:-

udp dport 53 @th,96,32 0x00010000 @th,160,112 0x0870697a7a6173656f03636f6d00 counter drop

The first expression tests that the DNS packet is a query, rather than a response, whereas the second expression is rendered proper by including the terminating null byte.

-- 
Kerin Millar
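As an added example (not part of the thread or of nftables itself), the script below rebuilds the rule above from the domain name and checks it against the packet in the tcpdump output, so the @th,offset,length arithmetic can be verified offline before anything is loaded into nft. The 128-bit ceiling on a single raw payload expression is an assumption of the example; so is restricting the matcher to byte-aligned fields and IPv4.

```python
"""Derive and verify an nftables raw-payload match for a DNS query name.

Added example, not taken from the mailing-list thread. It rebuilds the rule
posted there from the domain name and applies the same tests to the packet
shown in the tcpdump output.
"""
import struct

# The IPv4 packet from the thread's tcpdump output (20-byte IPv4 header,
# 8-byte UDP header, DNS query for pizzaseo.com), reconstructed here as a
# byte string for offline testing.
SAMPLE_PACKET = bytes.fromhex(
    "4528003abb510000f21133194bad43f9"
    "c4228657003500350026000000010100"
    "00010000000000000870697a7a617365"
    "6f03636f6d00002e0001"
)

UDP_HEADER_LEN = 8
DNS_HEADER_LEN = 12
RAW_PAYLOAD_MAX_BITS = 128  # assumed limit for one raw payload expression


def dns_wire_name(domain: str) -> bytes:
    """Encode a domain as DNS wire-format labels, including the terminating null."""
    out = bytearray()
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out.extend(raw)
    out.append(0)
    return bytes(out)


def nft_raw_payload_rule(domain: str, dport: int = 53) -> str:
    """Build the rule: single-question query whose first question name is `domain`.

    @th offsets are bits from the start of the transport (UDP) header:
      * 96  = UDP header (8 bytes) + DNS ID and flags (4 bytes) -> QDCOUNT, ANCOUNT
      * 160 = UDP header + full 12-byte DNS header -> start of the first question name
    """
    name = dns_wire_name(domain)
    name_bits = len(name) * 8
    if name_bits > RAW_PAYLOAD_MAX_BITS:
        raise ValueError(f"{domain!r} needs {name_bits} bits, above the assumed limit")
    counts_off = (UDP_HEADER_LEN + 4) * 8
    name_off = (UDP_HEADER_LEN + DNS_HEADER_LEN) * 8
    return (f"udp dport {dport} @th,{counts_off},32 0x00010000 "
            f"@th,{name_off},{name_bits} 0x{name.hex()} counter drop")


def transport_header(packet: bytes) -> bytes:
    """Return everything after the IPv4 header (what nft's @th refers to)."""
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError("only IPv4 handled in this example")
    return packet[ihl * 4:]


def raw_payload_match(th: bytes, offset_bits: int, length_bits: int, value: int) -> bool:
    """Emulate `@th,offset,length value` for byte-aligned fields."""
    if offset_bits % 8 or length_bits % 8:
        raise ValueError("example only handles byte-aligned fields")
    start, nbytes = offset_bits // 8, length_bits // 8
    field = th[start:start + nbytes]
    if len(field) != nbytes:
        return False  # packet too short for the field: no match
    return int.from_bytes(field, "big") == value


def rule_matches(packet: bytes, domain: str, dport: int = 53) -> bool:
    """Apply the same three tests the generated nft rule makes."""
    th = transport_header(packet)
    if len(th) < UDP_HEADER_LEN:
        return False
    _, dst = struct.unpack("!HH", th[:4])
    name = dns_wire_name(domain)
    return (dst == dport
            and raw_payload_match(th, 96, 32, 0x00010000)
            and raw_payload_match(th, 160, len(name) * 8, int.from_bytes(name, "big")))


def first_question_name(packet: bytes) -> str:
    """Decode the first question name, to confirm what the raw match keys on."""
    dns = transport_header(packet)[UDP_HEADER_LEN:]
    if struct.unpack("!H", dns[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], DNS_HEADER_LEN
    while True:
        n = dns[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compressed name in question; not handled here")
        labels.append(dns[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels)


if __name__ == "__main__":
    print(nft_raw_payload_rule("pizzaseo.com"))
    print("question name in sample:", first_question_name(SAMPLE_PACKET))
    print("rule matches sample packet:", rule_matches(SAMPLE_PACKET, "pizzaseo.com"))
```

Because the name match is an exact comparison of the wire-format labels with their length prefixes and the terminating null, it matches only that question name; the same name as a suffix of a longer one, or with different label boundaries, does not match.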
