
I added the following ip6tables rules; they are meant to block all IPv6 DNS requests containing the string youtube.com:

ip6tables -A FORWARD -p udp --dport 53 -m string --domain youtube.com --algo bm -j DROP
ip6tables -A INPUT -p udp --dport 53 -m string --domain youtube.com --algo bm -j DROP
ip6tables -A OUTPUT -p udp --dport 53 -m string --domain youtube.com --algo bm -j DROP

I checked with the ip6tables -L command and I can see that the rules were added.

I tried to ping youtube.com and I can see that the name is resolved and I got the IPv6 address of youtube.com.

I checked the traffic with Wireshark and I can see that the IPv6 DNS request is sent to the DNS server and I got an IPv6 DNS response. So the ip6tables rules are not being taken into account.

What am I missing in my rules?

Mohamed KALLEL

  • Are you sure name resolution is made via an IPv6 nameserver? If not, these rules will not help; try plain old IPv4 / iptables. – Tomek Sep 13 '19 at 07:05
  • @Tomek yes, the name server resolution is made over IPv6, and I checked it with a Wireshark traffic capture. – Mohamed KALLEL Sep 13 '19 at 09:06
  • My `iptables-extensions` man page doesn't describe a `--domain` option but a `--string` option for the `string` helper. Could this be an issue here? Additionally, the `FORWARD` and `INPUT` chains should filter on the source port, not the destination; resolvers usually use a port > 1024. Please also note that DNS may also use TCP. You should see in the packet trace which protocol was used. – Tomek Sep 13 '19 at 11:51
  • @Tomek the source and destination port do not matter, since I'm looking to filter any DNS request or DNS response. And I checked the traffic and it is UDP. – Mohamed KALLEL Sep 13 '19 at 16:21
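An added example, not part of the question or the comments above: the comment thread points out that the `string` match takes `--string`, not `--domain`, but even a rule using `--string youtube.com` would not match a DNS packet. On the wire a DNS name is a sequence of length-prefixed labels (`\x07youtube\x03com\x00`); the dots never appear in the payload, so a substring search for the ASCII text `youtube.com` finds nothing. The script below builds a minimal AAAA query the way a stub resolver would, mimics what xt_string does (a plain byte substring search once the pattern is parsed), and shows that only the `--hex-string` form of the pattern matches. The hostnames, the transaction ID and the helper names are constructed for the example.

```python
import struct

# Constructed example: demonstrates why `-m string --string youtube.com` cannot
# match a DNS packet and which `--hex-string` pattern would. The hostnames and
# the transaction ID below are made up; nothing here is the asker's own code.

QTYPE_AAAA = 28   # IPv6 address record, the type a ping over IPv6 asks for
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Encode a hostname as a DNS wire-format QNAME: every label is prefixed by
    its length byte and the name is terminated by a zero byte. No dot bytes
    (0x2e) are ever emitted, which is the whole point of the example."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = QTYPE_AAAA) -> bytes:
    """Minimal DNS query as it sits in the UDP payload: a 12-byte header
    (flags 0x0100 = recursion desired, QDCOUNT = 1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_hex_string(pattern: str) -> bytes:
    """Parse the iptables --hex-string syntax: text outside |...| is literal
    ASCII, text inside |...| is hex bytes, e.g. '|07|youtube|03|com|00|'."""
    out = b""
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 1:            # odd segments sit between a pair of pipes
            out += bytes.fromhex(part)
        else:
            out += part.encode("ascii")
    return out


def xt_string_match(payload: bytes, pattern: bytes) -> bool:
    """What xt_string does with the parsed pattern: a plain substring search
    over the packet bytes (bm or kmp only changes the algorithm, not the
    result). It does not know or care that the payload is DNS."""
    return pattern in payload


def dns_name_pattern(name: str) -> str:
    """Build the --hex-string argument that matches a question for `name` or
    any name below it. The trailing |00| pins the end of the QNAME so that
    'youtube.com.example.net' is not matched."""
    labels = name.rstrip(".").split(".")
    return "".join(f"|{len(label):02x}|{label}" for label in labels) + "|00|"


def demo() -> dict:
    """Run the four comparisons a rule author would want to see."""
    wanted = parse_hex_string(dns_name_pattern("youtube.com"))
    return {
        # the rule from the question, as a --string, against a real query
        "plain_string_matches": xt_string_match(build_dns_query("youtube.com"), b"youtube.com"),
        # the same query against the wire-format pattern
        "hex_string_matches": xt_string_match(build_dns_query("youtube.com"), wanted),
        # a subdomain: the pattern is a suffix of its QNAME, so it still matches
        "subdomain_matches": xt_string_match(build_dns_query("www.youtube.com"), wanted),
        # a name that merely starts with youtube.com does not match
        "lookalike_matches": xt_string_match(build_dns_query("youtube.com.example.net"), wanted),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Translated back into ip6tables syntax, the pattern the script derives gives a rule of the form `ip6tables -A OUTPUT -p udp --dport 53 -m string --hex-string "|07|youtube|03|com|00|" --algo bm -j DROP` (this is the documented `--hex-string` option of the `string` match; it has not been run here). Three caveats a practitioner will want: the match is only a byte search, so it fires on any UDP/53 payload containing those bytes, not just on DNS; a reply repeats the question section verbatim before any compression pointers appear, so a rule on the reply direction (source port 53, as the comment above notes) matches with the same pattern, and a TCP/53 rule is needed if the resolver falls back to TCP; and DNS names are case-insensitive, so `YouTube.com` in a query slips past this pattern unless `--icase` is added.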

0 Answers