mimuret edited this page Feb 22, 2016 · 6 revisions

# build & install

## CentOS 6

CentOS 6 runs a 2.6 kernel, so build from the `kernel2.6` branch:

```sh
sudo yum install gcc make automake libtool \
iptables-devel kernel-headers-`uname -r` kernel-devel-`uname -r`

git clone -b kernel2.6 https://github.com/mimuret/iptables-ext-dns.git
cd iptables-ext-dns

./autogen.sh
./configure --libdir=/lib64
make
sudo make install
```

## CentOS 7

```sh
sudo yum install gcc make automake libtool \
iptables-devel kernel-headers-`uname -r` kernel-devel-`uname -r`

git clone https://github.com/mimuret/iptables-ext-dns.git
cd iptables-ext-dns

./autogen.sh
./configure --libdir=/lib64
make
sudo make install
```

## ubuntu-14.04.4

Note that the library directory is `/lib` here, not `/lib64` as on CentOS:

```sh
sudo apt-get install gcc \
make \
automake \
autoconf \
libtool \
linux-headers-$(uname -r) \
iptables-dev

git clone https://github.com/mimuret/iptables-ext-dns.git
cd iptables-ext-dns
./autogen.sh
./configure --libdir=/lib
make
sudo make install
```
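The three distribution-specific sequences above differ only in the package list, the `--libdir` value and (for CentOS 6) the branch. The script below is an added example, not part of the wiki or of the iptables-ext-dns project: it carries out the same steps from one file. Because CentOS 6 has no `/etc/os-release`, it takes the distribution and version on the command line (`centos 6`, `centos 7`, `ubuntu 14.04`); the helper names `libdir_for`, `branch_for`, `install_deps` and `build_and_install` are this example's own.

```shell
#!/bin/sh
# Added example (not from the iptables-ext-dns wiki): automates the build steps
# above for the distributions the wiki covers. Invoke as
#   sh build-xt-dns.sh centos 6      (or: centos 7, ubuntu 14.04)
# Helper names and the argument convention are this example's assumptions.
set -eu

REPO=https://github.com/mimuret/iptables-ext-dns.git

# --libdir used by the wiki: /lib64 on CentOS, /lib on Ubuntu.
# Fails for distributions the wiki does not cover.
libdir_for() {
    case "$1" in
        centos) printf '%s\n' /lib64 ;;
        ubuntu) printf '%s\n' /lib ;;
        *)      return 1 ;;
    esac
}

# CentOS 6 runs a 2.6 kernel and is built from the kernel2.6 branch;
# everything else uses the repository's default branch (empty result).
branch_for() {
    if [ "$1" = centos ] && [ "${2%%.*}" = 6 ]; then
        printf '%s\n' kernel2.6
    fi
}

# Build dependencies exactly as listed in the wiki, per package manager.
install_deps() {
    case "$1" in
        centos)
            sudo yum install -y gcc make automake libtool iptables-devel \
                "kernel-headers-$(uname -r)" "kernel-devel-$(uname -r)" ;;
        ubuntu)
            sudo apt-get install -y gcc make automake autoconf libtool \
                "linux-headers-$(uname -r)" iptables-dev ;;
        *)  return 1 ;;
    esac
}

# Full sequence: deps, clone (branch if needed), autogen/configure/make,
# install, then the first check from the wiki's test section.
build_and_install() {
    distro=$1 version=$2
    libdir=$(libdir_for "$distro") || {
        echo "unsupported distribution: $distro" >&2; return 1; }
    branch=$(branch_for "$distro" "$version")
    install_deps "$distro"
    if [ -n "$branch" ]; then
        git clone -b "$branch" "$REPO"
    else
        git clone "$REPO"
    fi
    cd iptables-ext-dns
    ./autogen.sh
    ./configure --libdir="$libdir"
    make
    sudo make install
    # The userspace match module was found only if iptables -m dns --help works.
    iptables -m dns --help | grep -q 'dns match options'
}

# Only touch the system when both arguments are given; sourcing the file
# without arguments just defines the helpers.
if [ $# -ge 2 ]; then
    build_and_install "$1" "$2"
fi
```

The final `grep` makes the script fail loudly if `make install` put `libxt_dns.so` somewhere iptables does not look, which is the usual symptom of a wrong `--libdir`.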

# test

## libxt_dns.so (iptables ui module)

```
$ iptables -m dns --help
~
~
~
dns match options:
[!] --qr match when response
[!] --opcode match
      (Flags QUERY,IQUERY,STATUS,NOTIFY,UPDATE)
[!] --aa match when Authoritative Answer
[!] --tc match when Truncated Response
[!] --rd match when Recursion Desired
[!] --ra match when Recursion Available
[!] --ad match when Authentic Data
[!] --cd match when checking Disabled
[!] --qname
[!] --qtype
      (Flags ex. A,AAAA,MX,NS,TXT,SOA... )
	see. http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
[!] --reverse-match --rmatch reverse matching flag
[!] --maxsize qname max size
```

```
$ sudo iptables -A DNSCHECK -m dns -j ACCEPT
$ sudo iptables --list -n -v
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           dns
```

## xt_dns.so (kernel module)

```
$ modinfo xt_dns
filename:       /lib/modules/3.10.0-327.el7.x86_64/kernel/net/netfilter/xt_dns.ko
alias:          ip6t_dns
alias:          ipt_dns
license:        GPL
description:    Xtables: DNS matching
author:         Manabu Sonoda mimuret@gmail.com
rhelversion:    7.2
srcversion:     5432DE32DC7DD56416CF8BE
depends:
vermagic:       3.10.0-327.el7.x86_64 SMP mod_unload modversions
```

```
$ sudo cat /proc/net/ip6_tables_matches | grep dns
dns
```

## matching test

Send one query from a client to the server carrying the rule and list the counters again; the single matched packet shows up on the dns rule:

```
$ dig @serverip localhost
$ sudo iptables --list -n -v
    1    66 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           dns
```
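The three checks in this section (match registered with netfilter, rule present in the userspace listing, counter moving after a query) are done by eye above. The script below is an added example, not part of the wiki or the project: it turns them into pass/fail shell functions. The `SAMPLE_*` strings are constructed from the wiki's transcripts so the parsers can be exercised without root or the module loaded; the function names and the `live_check` workflow are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the iptables-ext-dns wiki): turns the manual checks
# above into pass/fail shell functions. The SAMPLE_* strings are constructed
# from the wiki's transcripts so the parsers can be exercised offline; the
# function names and the live_check() workflow are this example's assumptions.
set -eu

# Kernel side: succeeds when the match list read on stdin (normally
# /proc/net/ip_tables_matches or ip6_tables_matches) has a line that is exactly "dns".
match_registered() {
    grep -qx dns
}

# Userspace side: packet counter of the first rule in "iptables --list -n -v"
# output (read on stdin) whose match column contains "dns". Fields 1..9 are
# pkts bytes target prot opt in out source destination; matches follow.
# Prints the counter, or fails if no dns rule is listed. Pass -x to iptables
# so large counters are not abbreviated as 12K/3M, which this parser skips.
dns_rule_packets() {
    awk '$1 ~ /^[0-9]+$/ {
             for (i = 10; i <= NF; i++)
                 if ($i == "dns") { print $1; found = 1; exit }
         }
         END { exit !found }'
}

# True when the counter read after the query is higher than before.
counter_advanced() {
    [ "$2" -gt "$1" ]
}

# Constructed samples: a match list and the two listings from the wiki.
SAMPLE_MATCHES='conntrack
dns
udp'
SAMPLE_LIST_BEFORE=' pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           dns'
SAMPLE_LIST_AFTER=' pkts bytes target     prot opt in     out     source               destination
     1    66 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           dns'

# Live run (assumes root, the module loaded, and the DNSCHECK chain with the
# wiki's rule reached from the input path): query the server as the wiki does
# and require the counter to move.
live_check() {
    server=$1
    sudo cat /proc/net/ip_tables_matches | match_registered ||
        { echo "xt_dns is not registered with netfilter" >&2; return 1; }
    before=$(sudo iptables --list -n -v -x | dns_rule_packets)
    dig "@$server" localhost >/dev/null
    after=$(sudo iptables --list -n -v -x | dns_rule_packets)
    counter_advanced "$before" "$after"
}

# Run the live check only when a server address is given.
if [ $# -ge 1 ]; then
    live_check "$1"
fi
```

Running `sh check-xt-dns.sh <serverip>` on the host carrying the rule exits non-zero at the first failed stage, so it can sit in a post-install or reboot test without anyone reading the listings by hand.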