Linux bind DNS Server is being targeted in a DNS Amplification attack

I have a Linux bind DNS Server which is being targeted in a DNS Amplification attack.
I have applied DNS Response Rate Limiting and blocking of source IP addresses, which has solved the immediate problem of excessive IP traffic from the server. Packet capture of the remaining DNS traffic on the server shows the two most requested domains: isc.org and peacecorps.gov.

In many hours of Google searching and reading I have come across the following iptables snippet:

    -A INPUT -i eno1 -p udp -m udp --dport 53 -m string --hex-string "|0A|peacecorps|03|gov|" --algo bm -j DROP

The issue that I have is that my server uses firewalld, which uses nftables in the background. firewalld has a direct mode that I am attempting to utilize; however, I cannot get the syntax correct.

With the Rate Limiting (and Fail2Ban) in place the DNS Server is ignoring the repeated requests. I would like to have one more hurdle in their way.

Thanks.


Solution 1:

The answer to my question is:

    firewall-cmd --direct --add-rule ipv4 filter INPUT 10 -i ens192 -p udp -m udp --dport 53 -m string --hex-string "|0A|peacecorps|03|gov|" --algo bm -j DROP

The answer was found at https://github.com/firewalld/firewalld/issues/527

Thanks.
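The `--hex-string` pattern in the rule above is the DNS wire-format encoding of the queried name: each label is preceded by a one-byte length (`|0A|` for the ten bytes of `peacecorps`, `|03|` for `gov`). Building that pattern by hand is error-prone, so the following script, added here as an example and not part of the question or the linked firewalld issue, derives it from a plain domain name, validates label lengths (a DNS label is 1 to 63 octets), and prints the corresponding `firewall-cmd --direct` command as a dry run instead of applying it. The interface name `ens192` and the domains `peacecorps.gov` and `isc.org` are taken from the page; `IFACE` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Example helper (not from the original post): turn a domain name into the
# wire-format label encoding that "-m string --hex-string" expects, e.g.
#   peacecorps.gov  ->  |0A|peacecorps|03|gov|
dns_hexstring() {
    rest=${1%.}          # drop a trailing root dot, if present
    out=""
    while :; do
        case $rest in
            *.*) label=${rest%%.*}; rest=${rest#*.} ;;
            *)   label=$rest;       rest="" ;;
        esac
        len=${#label}
        # A DNS label is 1..63 octets; an empty label (e.g. "a..b") or an
        # over-long one cannot be encoded and is rejected.
        if [ "$len" -lt 1 ] || [ "$len" -gt 63 ]; then
            printf 'dns_hexstring: invalid label "%s" in "%s"\n' "$label" "$1" >&2
            return 1
        fi
        out="${out}|$(printf '%02X' "$len")|${label}"
        [ -n "$rest" ] || break
    done
    printf '%s|' "$out"
}

# Print (do not run) the firewalld direct rule that drops UDP/53 queries
# for one domain on the given interface. Priority 10 matches the page.
build_direct_rule() {
    iface=$1
    domain=$2
    pattern=$(dns_hexstring "$domain") || return 1
    printf 'firewall-cmd --direct --add-rule ipv4 filter INPUT 10 -i %s -p udp -m udp --dport 53 -m string --hex-string "%s" --algo bm -j DROP\n' \
        "$iface" "$pattern"
}

# Dry-run usage: ./dns-drop-rule.sh peacecorps.gov isc.org
# IFACE defaults to the interface named in the accepted answer.
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        build_direct_rule "${IFACE:-ens192}" "$d" || exit 1
    done
fi
```

Two practical notes when applying the printed command: `--direct --add-rule` is a runtime change, so repeat it with `--permanent` (or add it to the permanent configuration and reload) if it should survive a restart, and confirm it with `firewall-cmd --direct --get-all-rules`. The string match is a blunt instrument: it drops every UDP query that contains that encoded name, including legitimate ones for the same domain, and it is byte-exact, so a query that spells the labels in a different letter case will not match.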