#1 Newbie (Join Date: May 2012; Posts: 4)

Signature for DNS ANY queries?

    Hi folks, my first post here but getting straight down to business with a very specific question:

    I'm trying to set up Untangle for one very specific purpose: to block DNS ANY queries from the internet that are running rampant for amplification attacks. BIND doesn't have a control mechanism for this, neither do any of the other firewall solutions that I found because it needs packet content filtering. Untangle seems to cater to that to a tee, but... I can't wrap my brain around RegExs.

    The DNS entry in Application Control Lite could probably be adapted to do this, but I need some help with the signature.
    DNS ANY is query type 0xFF. What do I need to do to the DNS RegEx signature to only match this query type?

#2 dmorris, Untangle Junkie (Join Date: Nov 2006; Location: San Mateo, CA; Posts: 11,691)

    Hi,

    here is a howto for writing regex signatures: http://l7-filter.sourceforge.net/Pattern-HOWTO

    \xff will match 0xff, but you'll need way more than that or else it will match almost every packet.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

#3 Newbie (Join Date: May 2012; Posts: 4)

    Yes, well, I had a look at the "DNS" entry in Untangle, but it is very complex and I have no idea how to read it. It goes way over my head what's done there, and what I tried didn't work.

    As it is, the entry there doesn't catch "DNS ANY" requests, so it would be a rule that would work if I could set it up to "only allow this", but Application Control Lite only knows how to "block", so it doesn't help me.

    The RegEx there is:
    Code:
    ^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][fglmoprstuvz]?[aeop]?(um)?[\x01-\x10\x1c][\x01\x03\x04\xFF]
which blocks normal queries like A, etc., but not ANY.

    I tried changing it to this (which I think should work, considering the structure of a DNS record) but that was no dice, and would just let it all through:
    Code:
    ^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06][a-z][a-z][fglmoprstuvz]?[aeop]?(um)?[\xFF][\x01\x03\x04\xFF]
    So, I'm doing something wrong and a little help is appreciated.
    Last edited by wolfbeast; 05-22-2012 at 12:03 PM.

#4 Newbie (Join Date: May 2012; Posts: 4)

    I checked a bit more and it seems application control lite doesn't work as expected on a simple match, unless I'm completely misunderstanding how it is supposed to work.
    The DNS query has a portion I'm matching:
    example{x03}com{x00}{x00}{xFF}{x00}{x01}
    So I created a signature specific for example.com:
    example\x03com\xFF\x01 (stripping 00 since that's what L7 does)
    When I send a query for a different domain, it passes.
    When I send an ANY query for example.com, it's blocked, BUT
When I send an A query for example.com, it's ALSO blocked (and that has no {xFF} in it, but an {x01} in its stead...) so... \xFF is ignored?

#5 Newbie (Join Date: May 2012; Posts: 4)

Different solution

Well, lacking a working solution in Untangle (since it seems to be broken on the L7 regex - I could not get it to work since it would either block everything or block nothing, and distinction on query type simply didn't take), I stopped using it and wrote a filtering DNS proxy in Python with some help, using dnslib. I lost some features I could use in DNS because of it (since the DNS server can no longer see the originating IP), but the requests were really getting out of hand.
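As an added illustration of the two things the thread settles on (the question-section layout in post #4, and the filtering proxy of post #5), here is a minimal ANY-refusing DNS proxy. It is not wolfbeast's dnslib code; it parses the header and question with the standard library only, answers ANY (0xFF) with RCODE REFUSED, and relays everything else to an upstream resolver. The sample queries are constructed to match the bytes quoted in post #4, and the listen/upstream addresses in serve() are placeholders.

```python
import socket
import struct

QTYPE_ANY = 0xFF        # the "ANY" query type the thread wants to stop
RCODE_REFUSED = 5
# Constructed sample queries: header (txid 0x1234, RD set, qdcount 1) followed by
# the question bytes from post #4: example\x03com\x00 + qtype + qclass IN.
ANY_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\xff\x00\x01"
A_QUERY   = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"

def parse_question(packet):
    """Return (qname, qtype, qclass, end_offset) of the first question."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length, pos = packet[pos], pos + 1
        if length == 0:
            break
        if length & 0xC0:               # compression pointers are not valid in a query name
            raise ValueError("compressed name in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass, pos + 4

def filter_query(packet):
    """None means forward upstream; otherwise a REFUSED reply to send back."""
    _, qtype, _, end = parse_question(packet)
    if qtype != QTYPE_ANY:
        return None
    txid, flags = struct.unpack("!HH", packet[:4])
    flags = 0x8000 | (flags & 0x0100) | RCODE_REFUSED   # QR=1, keep RD, RCODE=REFUSED
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + packet[12:end]

def serve(listen=("0.0.0.0", 53), upstream=("127.0.0.1", 5353)):
    """UDP proxy loop (placeholder addresses): refuse ANY, relay the rest."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    up.settimeout(2)
    while True:
        data, client = sock.recvfrom(4096)
        try:
            reply = filter_query(data)          # None: forward; else REFUSED
            if reply is None:
                up.sendto(data, upstream)
                reply = up.recv(4096)           # txid matching omitted for brevity
        except (ValueError, socket.timeout):
            continue                            # malformed or upstream silent: drop
        sock.sendto(reply, client)
```

Since only the question is echoed, a REFUSED reply is never larger than the query, so the proxy cannot itself be used as an amplifier.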
