Open klaus-nicat opened 4 years ago
One additional question: Would it be possible to install the DROP before tcpdump sees the packet?
I would like to drop all queries within this zone, ie: *.evildomain.com
We did not manage to write that without hitting the limit on the number of eBPF instructions last time, and both @Habbie and I tried quite hard. That limit has been raised on recent Linux kernels, though, so it might be possible there.
One additional question: Would it be possible to install the DROP before tcpdump sees the packet?
I have not tested recently and I am not sure I recall correctly but I don't think so. We would probably need to use XDP instead of socket filters.
Lately I have come to the conclusion that the way to go would be to implement adding netmasks, domains and sub-domains into eBPF pinned maps from dnsdist, and then delegate the actual eBPF processing to an independent XDP program.
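To make the two points above concrete (matching an entire zone such as *.evildomain.com at a label boundary within a bounded number of instructions, and keeping the blocked zones in a map that a separate XDP program consults), here is an added example of the QNAME-walking core written in the style an eBPF/XDP program must use: every loop has a fixed upper bound, every read is bounds-checked, there is no recursion. This is not dnsdist's own code and not from this thread. The pinned BPF hash map that dnsdist would populate is replaced by a static table (`blocked_zones`) so the logic compiles and runs in userspace; the function names, the `MAX_LABELS` bound and the sample query packets are all assumptions made for the example.

```c
/* Added example (not dnsdist code): suffix-match a DNS QNAME against blocked
 * zones the way an XDP filter would, with bounded loops and explicit bounds
 * checks. The map lookup of a real eBPF program is replaced by a linear scan
 * over a static table so this can be compiled and tested in userspace. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_LABELS   32    /* assumed loop bound: the verifier needs a fixed limit */
#define MAX_NAME_LEN 255   /* RFC 1035 maximum wire-format name length */
#define DNS_HDR_LEN  12

/* Stand-in for the pinned eBPF map entry: a zone in lowercase wire format,
 * including the terminating root label (0x00). */
struct blocked_zone {
    uint8_t len;
    uint8_t name[MAX_NAME_LEN];
};

/* Constructed table: just evildomain.com = \x0a evildomain \x03 com \x00 (16 bytes) */
static const struct blocked_zone blocked_zones[] = {
    { 16, "\x0a" "evildomain" "\x03" "com" },
};
#define NUM_ZONES (sizeof(blocked_zones) / sizeof(blocked_zones[0]))

static uint8_t lower_ascii(uint8_t c) { return (c >= 'A' && c <= 'Z') ? c + 32 : c; }

/* Does the wire-format name starting at pkt[off] equal the zone, ignoring case?
 * Label length bytes are < 64, so lowercasing them is a no-op. */
static int suffix_equals(const uint8_t *pkt, size_t pkt_len, size_t off,
                         const struct blocked_zone *z)
{
    if (z->len > pkt_len || off > pkt_len - z->len) return 0;  /* would read past end */
    for (size_t i = 0; i < MAX_NAME_LEN; i++) {                /* bounded loop */
        if (i >= z->len) break;
        if (lower_ascii(pkt[off + i]) != z->name[i]) return 0;
    }
    return 1;
}

/* Verdict for a UDP payload: 1 = drop (XDP_DROP), 0 = pass (XDP_PASS).
 * Anything malformed or truncated is passed so dnsdist can deal with it. */
int dns_query_should_drop(const uint8_t *pkt, size_t len)
{
    if (len < DNS_HDR_LEN) return 0;
    if (pkt[2] & 0x80) return 0;                   /* QR=1: a response, not a query */
    if (((pkt[4] << 8) | pkt[5]) == 0) return 0;   /* QDCOUNT=0: no question */
    size_t off = DNS_HDR_LEN;
    for (int l = 0; l < MAX_LABELS; l++) {         /* one iteration per label */
        if (off >= len) return 0;
        uint8_t ll = pkt[off];
        if (ll == 0) return 0;                     /* root reached: no zone matched */
        if (ll & 0xC0) return 0;                   /* compression pointer in a question: malformed */
        if (ll > len - off - 1) return 0;          /* label runs past the packet */
        /* At each label boundary the remaining name is a candidate suffix; this is
         * where a real program would do one bpf_map_lookup_elem() on the pinned map. */
        for (size_t z = 0; z < NUM_ZONES; z++)
            if (suffix_equals(pkt, len, off, &blocked_zones[z])) return 1;
        off += 1 + ll;
    }
    return 0;                                      /* too many labels: pass */
}

/* Constructed test input: a minimal query (header + one A/IN question). Returns
 * the packet length, or 0 if the name is invalid or the buffer is too small. */
size_t build_query(const char *dotted, uint8_t *out, size_t cap)
{
    static const uint8_t hdr[DNS_HDR_LEN] = {
        0x12, 0x34, 0x01, 0x00,            /* ID, flags: standard query, RD */
        0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };  /* QDCOUNT=1 */
    size_t off = DNS_HDR_LEN;
    if (cap < off) return 0;
    memcpy(out, hdr, DNS_HDR_LEN);
    while (*dotted) {
        const char *dot = strchr(dotted, '.');
        size_t ll = dot ? (size_t)(dot - dotted) : strlen(dotted);
        if (ll == 0 || ll > 63 || off + 1 + ll > cap) return 0;
        out[off++] = (uint8_t)ll;
        memcpy(out + off, dotted, ll);
        off += ll;
        dotted += ll + (dot ? 1 : 0);
    }
    if (off + 5 > cap) return 0;
    out[off++] = 0;                                /* root label */
    out[off++] = 0; out[off++] = 1;                /* QTYPE A */
    out[off++] = 0; out[off++] = 1;                /* QCLASS IN */
    return off;
}

/* Build a query for `dotted`, optionally flip it into a response or chop
 * `truncate_by` bytes off the end, and return the filter's verdict. */
int verdict(const char *dotted, int as_response, size_t truncate_by)
{
    uint8_t buf[512];
    size_t n = build_query(dotted, buf, sizeof buf);
    if (n == 0 || truncate_by > n) return -1;
    if (as_response) buf[2] |= 0x80;
    return dns_query_should_drop(buf, n - truncate_by);
}

int main(void)
{
    const char *names[] = { "www.evildomain.com", "a.b.c.EvilDomain.COM",
                            "evildomain.com", "notevildomain.com",
                            "evildomain.com.example", "example.com" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s -> %s\n", names[i], verdict(names[i], 0, 0) ? "DROP" : "PASS");
    return 0;
}
```

In a real XDP program the same walk is preceded by Ethernet/IP/UDP parsing with `data_end` checks, the `blocked_zones` scan becomes one `bpf_map_lookup_elem()` per label boundary against the pinned map (copying the remaining suffix into a zeroed fixed-size key), and the verdicts become `XDP_DROP`/`XDP_PASS`. The instruction budget is dominated by `MAX_LABELS` times the per-boundary comparison, which is why the fixed bounds matter. With native XDP the drop happens before an skb exists, so a socket-level capture never sees the packet.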
Hm. I thought eBPF is XDP, or can eBPF code live in XDP and other places? Anyway your conclusion sounds good :-)
I wonder if some inspiration can be taken from Cloudflare https://github.com/cloudflare/bpftools
Short description
I would like to drop all queries within this zone, ie: *.evildomain.com
Usecase
Block random subdomain attacks before they hit and kill dnsdist (we currently have more than 200,000 q/s)