[CentOS] Can one construct an IPTables rule to block on NS records?

Mon Oct 5 13:46:25 UTC 2015
James B. Byrne <byrnejb at harte-lyne.ca>

This is the same origin that I reported on earlier.  Apparently asking
for an explanation of why they were probing our sites only encouraged
them to make additional attempts.

 sshd:
    Authentication Failures:
       unknown (ip-173-201-178-18.ip.secureserver.net): 2 Time(s)
       unknown (ip-97-74-196-33.ip.secureserver.net): 2 Time(s)
       unknown (ip-97-74-202-95.ip.secureserver.net): 2 Time(s)
       root (ip-173-201-252-24.ip.secureserver.net): 1 Time(s)
       root (ip-72-167-249-196.ip.secureserver.net): 1 Time(s)
       root (ip-72-167-251-87.ip.secureserver.net): 1 Time(s)
       root (ip-97-74-121-108.ip.secureserver.net): 1 Time(s)
       root (ip-97-74-193-219.ip.secureserver.net): 1 Time(s)
       root (ip-97-74-206-13.ip.secureserver.net): 1 Time(s)
       unknown (ip-173-201-252-24.ip.secureserver.net): 1 Time(s)
       unknown (ip-72-167-249-196.ip.secureserver.net): 1 Time(s)
       unknown (ip-72-167-251-87.ip.secureserver.net): 1 Time(s)
       unknown (ip-97-74-121-108.ip.secureserver.net): 1 Time(s)
       unknown (ip-97-74-193-219.ip.secureserver.net): 1 Time(s)
       unknown (ip-97-74-206-13.ip.secureserver.net): 1 Time(s)
    Invalid Users:
       Unknown Account: 12 Time(s)

So, is there any convenient way to construct an IPTables rule to block
all IPs associated with a given Domain Name server?


dig -x 173.201.178.18

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> -x 173.201.178.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1357
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;18.178.201.173.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
18.178.201.173.in-addr.arpa. 3600
IN	PTR	ip-173-201-178-18.ip.secureserver.net.

;; AUTHORITY SECTION:
201.173.in-addr.arpa.	66199	IN	NS	cns2.secureserver.net.
201.173.in-addr.arpa.	66199	IN	NS	cns1.secureserver.net.

;; ADDITIONAL SECTION:
cns2.secureserver.net.	172800	IN	A	216.69.185.100
cns2.secureserver.net.	172800	IN	AAAA	2607:f208:303::64
cns1.secureserver.net.	172800	IN	A	208.109.255.100
cns1.secureserver.net.	172800	IN	AAAA	2607:f208:207::64


Like say, cns{1,2}.secureserver.net.  Or an entire domain? Say
secureserver.net. ?


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3