Payload Inspection

In many firewall configurations it's common to blindly allow UDP source port 53 packets, for DNS
It is unfortunately also common for black hats to use UDP source port 53 packets for other purposes, to bypass many common firewalls
We can utilize Net::DNS::Packet to perform payload inspection, to permit only true DNS packets

A first attempt:

    use Net::DNS::Packet;
    ...

    my $udp = NetPacket::UDP->decode($ip->{data});

    if ($udp->{src_port} == 53) {
        my ($dns, $err) = Net::DNS::Packet->new(\$udp->{data});

        if ($err) {
            warn "Blocking invalid DNS packet\n";
            $ipq->set_verdict($msg->packet_id, NF_DROP);
        } else {
            warn "Permitting valid DNS packet:\n\n", $dns->string;
            $ipq->set_verdict($msg->packet_id, NF_ACCEPT);
        }
    }

Next	© 2003 Michael C. Toren