Thanks Gregor!! That was exactly what I was looking for.
Have a nice weekend.
---------------------------
You want to deploy RRL.
iptables is not the right location for doing this kind of stuff as you will have false positives.
Please see http://www.redbarn.org/dns/ratelimits
I agree that iptables might not be the perfect solution for that. However, as we were also confronted with that problem some months ago with a lot of affected devices (each sending >1000 pps of those queries), we limited those queries for some time, as it is easy to deploy quickly. At that point in time time-g.netgear.com had no entry at all, so the clients did not stop flooding. Today it looks a little different, as there is at least a CNAME for that entry. We used the u32 module for matching; we check name=time-g.netgear.com and type=A within the query. The matching line looks like:

iptables -A INPUT -p udp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0x14=0x674696d&&0x0>>0x16&0x3c@0x18=0x652d6707&&0x0>>0x16&0x3c@0x1c=0x6e657467&&0x0>>0x16&0x3c@0x20=0x65617203&&0x0>>0x16&0x3c@0x24=0x636f6d00&&0x0>>0x16&0x3c@0x28&0xffff0000=0x10000" -j YOUR_CHAIN_OR_WHATEVER

You can then use the limit module, for example.
Just as a thought, maybe it would change something to send the clients an NTP server in the DHCP response, as they are obviously looking for an NTP server. Has someone perhaps already tried that?
Cheers, Gregor
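A small generator for that u32 expression, added here as an example and not part of Gregor's post or the swinog thread: it encodes the DNS wire-format name, emits one 32-bit compare per word of QNAME plus QTYPE (masking out QCLASS), and reproduces the rule above exactly for time-g.netgear.com / A. It assumes IPv4 over UDP, an unfragmented query and the name as the first question; the chain name DNS_RATELIMIT is a placeholder.

```python
# Added example: generate an iptables u32 match for "DNS query for <name>, QTYPE <n>"
# the way the hand-built time-g.netgear.com rule does. Assumes IPv4 over UDP,
# an unfragmented packet, and the name as the first (only) question.
import struct

IHL_JUMP = "0x0>>0x16&0x3c@"   # IHL*4 from the first IP word -> start of UDP header
QNAME_OFFSET = 8 + 12          # UDP header (8) + DNS header (12) -> start of QNAME


def encode_qname(name: str) -> bytes:
    """DNS wire format: length-prefixed labels terminated by a zero byte.
    u32 compares raw bytes, so the match is case-sensitive (DNS names are not)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out + b"\x00")


def u32_dns_query_match(name: str, qtype: int = 1) -> str:
    """Build the --u32 expression: one 32-bit compare per word of QNAME + QTYPE."""
    value = encode_qname(name) + struct.pack(">HH", qtype, 0)   # QTYPE, then QCLASS
    mask = b"\xff" * (len(value) - 2) + b"\x00\x00"             # don't match QCLASS
    pad = (-len(value)) % 4                                      # pad to whole words
    value += b"\x00" * pad
    mask += b"\x00" * pad
    tests = []
    for off in range(0, len(value), 4):
        m = int.from_bytes(mask[off:off + 4], "big")
        v = int.from_bytes(value[off:off + 4], "big") & m
        if m == 0:                       # word is only padding/QCLASS: nothing to test
            continue
        loc = f"{IHL_JUMP}0x{QNAME_OFFSET + off:x}"
        tests.append(f"{loc}={v:#x}" if m == 0xffffffff else f"{loc}&{m:#x}={v:#x}")
    return "&&".join(tests)


def iptables_rule(name: str, qtype: int = 1, target: str = "DNS_RATELIMIT") -> str:
    """Full rule line; matches go to a chain where the limit module does the work."""
    return (f'iptables -A INPUT -p udp --dport 53 -m u32 '
            f'--u32 "{u32_dns_query_match(name, qtype)}" -j {target}')


if __name__ == "__main__":
    print(iptables_rule("time-g.netgear.com"))
```

A query shorter than the last tested word simply fails the u32 test, so truncated or malformed packets fall through to the rest of the ruleset rather than matching.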
_______________________________________________ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog