How to use wildcard to match any hex character in firewall content?

VaMpIrEKiNg · February 3, 2017, 6:12am

I want to filter a lot of IPV6 address
same as 200:2:253d:6c8f:: and 200:2:9f6a:794b::
They are all at the beginning of 202:2 and the last 8 bits are all 00
200:2:253d:6c8f::
\02\00\00\02\25\3D\6C\8F\00\00\00\00\00\00\00\00
200:2:9f6a:794b::
\02\00\00\02\9F\6A\79\4B\00\00\00\00\00\00\00\00

Has any wildcard like the ? of regular expression to match it, whatever what the 4 bit characters behind \02\00\00\02 are, as long as the last 8 bits are all 0

Sob · February 3, 2017, 5:56pm

I don’t think there are wildcards for content. There are for L7, but there’s no L7 for IPv6, plus L7 can’t match zero bytes.

What exactly are you trying to do? From your description, I have no idea what it might be.

VaMpIrEKiNg · February 4, 2017, 6:39am

Hi Sob,

Because against DNS poison for GFW

Sob · February 4, 2017, 6:26pm

I don’t think it’s possible with current RouterOS.

VaMpIrEKiNg · February 5, 2017, 7:40am

Oh,
Sob，I feel so sad,but I really appreciate your help very much.
P.S. Is it possible to request development to add this function?

Sob · February 5, 2017, 4:43pm

You can always ask, but IMHO this approach is wrong. With both content and L7 matchers, you’re not reading DNS replies, you’re just looking for some bytes somewhere in packet. It may work, but it’s not reliable and predictable solution. This should be done in DNS software.

I think it’s safe to say that you can’t expect something like this from RouterOS DNS cache anytime soon. But you can use your own DNS resolver instead. For example Unbound has some Python based scriptable interface (https://unbound.net/documentation/pythonmod/) which I didn’t try myself, but it looks like it should be able to do the kind of filtering you need.

VaMpIrEKiNg · February 6, 2017, 8:56am

reply Q1: For IPV6 address answer from DNS server, the address contains the 2 bit characteristic of \00\10 also similar to ipv4 with \00\04 characteristic, as in the packet size is limited to 60-180. So that the mistaken intercept the probability of correct package is much smaller.

Reply Q2: I will try it, It seems doesn’t look very suitable, only a blacklist, a lightweight DNS.

Sob · February 6, 2017, 6:35pm

Check example 3, it only modifies TTL of response, but if you instead check the address and tell it to return NXDOMAIN for wrong ones, you’ll have exactly what you want.

VaMpIrEKiNg · February 7, 2017, 1:59am

Ok, thank you Sob, I will try this weekend, hope Unbound will suit for me.