How to block only MX query made to DNS server
pgr_80 at yahoo.com
Tue Nov 30 09:53:24 CET 2004
First of all, thanks for your prompt response. :)
I tried to run the following command:
# iptables -t filter -A INPUT -p udp --dport 53 -m string --string "MX" -j DROP
But I am getting an error like:
iptables v1.2.8: Couldn't load match `string':/lib/iptables/libipt_string.so: cannot open shared object file: No such file or directory
:-( Do I need to upgrade my iptables RPM?
--- hclfm at pricol.co.in wrote:
In your Linux gateway:
iptables -A INPUT -p udp --dport 53 -m string --string "MX" -j DROP
"Vision is the art of seeing things invisible."
pravin rane <pgr_80 at yahoo.com>
Sent by: netfilter-bounces at lists.netfilter.org
11/29/2004 11:26 PM PST
To: Hudson Delbert J Contr 61 CS/SCBN
<Delbert.Hudson at LOSANGELES.AF.MIL>, Daniel Chemko
<dchemko at smgtec.com>, netfilter at lists.netfilter.org
Subject: RE: How to block only MX query made to DNS
We are a Linux solution provider.
One of our clients has taken the SILVER PLAN from XXX ISP.
According to this plan the client can only use ports
TCP, UDP. 53,25,110,143,80,81 and ports above 1024 for
Here the client can only make normal DNS queries. MX type
of queries get a response like "name server can not be
We have installed an internal mail server (Sendmail).
Since the ISP has blocked MX queries to any DNS server
outside, sendmail is not able to send mails outside.
I know I can tell sendmail not to use DNS. But before
implementing this new setup at the client I want to test
it in my LABS. I want to create the same scenario as
that ISP has done.
Seeking urgent help from Netfilter experts.
--- Hudson Delbert J Contr 61 CS/SCBN
<Delbert.Hudson at LOSANGELES.AF.MIL> wrote:
> I know a way to do this but I need to know who it
> is that you are
> trying to block from doing MX resolution?
> MX queries to the DNS system.
> This is a staple of BIND.
> Internal users need this from your internal
> external clients need to have the mail handler
> to point at the secure mail address.
> Need more info on who you are filtering; the query
> type (MX)
> itself is needed.
> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org
> [mailto:netfilter-bounces at lists.netfilter.org]On
> Behalf Of pravin rane
> Sent: Saturday, November 27, 2004 8:18 PM
> To: Daniel Chemko; netfilter at lists.netfilter.org
> Subject: RE: How to block only MX query made to DNS
> That is right but only when all clients are using my
> DNS server. I will not be able to block MX requests
> they are using some other DNS servers which are
> outside of my network and I cannot force my
> to use only my DNS server.
> Using iptables I can build a rule for certain ICMP
> TYPE packets. Is there any rule which can match DNS
> query TYPE?
> Pravin Rane.
> --- Daniel Chemko <dchemko at smgtec.com> wrote:
> > pravin rane wrote:
> > > Hi all,
> > >
> > > I want to block DNS MX query made through my
> > network.
> > > What iptables rule I should use.
> > You don't use iptables to do this. named has built-in
> > ACLs to determine
> > who can perform what operations. Look at BIND
> > 'view's for more
> > information on how to properly deal with name
> > resolution issues.
> Pravin Rane.
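Added here as a worked illustration, not code from anyone in this thread: a small Python model of the DNS question section showing why a text match on "MX" (the `-m string` rule suggested above) cannot identify MX queries, since the query type is the 16-bit QTYPE field (value 15) following the encoded name, and what a lab filter or DNS-aware proxy would actually have to inspect. All packets and names below are constructed samples, not captured traffic.

```python
import struct

# DNS QTYPE values as they appear on the wire (RFC 1035); the letters "MX" never do.
QTYPE_A = 1
QTYPE_MX = 15


def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query packet (constructed sample, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_question(packet):
    """Return (name, qtype, qclass) of the single question in a DNS packet."""
    _txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []          # question section starts after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:           # root label terminates the name
            break
        if length & 0xC0:         # compression pointers are not valid in a query name
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def is_mx_query(packet):
    """What a filter must check: the QTYPE field, which sits after the variable-length name."""
    return parse_question(packet)[1] == QTYPE_MX


def string_match_hits(packet, needle=b"MX"):
    """Models iptables '-m string --string "MX"': a raw substring search over the payload."""
    return needle in packet
```

Against these samples an MX query for example.com is missed by the substring search while an A query for a host literally named MX.example.com is wrongly hit; the same QTYPE check is what a BIND view or DNS proxy applies when it decides per query type.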