I'm running a small Pi-Hole DNS server on my VPS, and I have the following iptables rules enabled to stop the DNS ANY amplification attack:
*raw
-A PREROUTING -p udp --dport 53 -m string --from 40 --algo bm --hex-string "|0000FF0001|" -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 1 -j DROP
-A PREROUTING -p tcp --dport 53 -m string --from 52 --algo bm --hex-string "|0000FF0001|" -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 1 -j DROP
COMMIT
(source: https://freek.ws/2017/03/18/blocking-dns-amplification-attacks-using-iptables/)
These two rules work great on IPv4 (I have been under constant attack for weeks now, but all requests are getting blocked), but I've just realized that I don't have an IPv6 equivalent for them, and I don't know if the hex string is compatible, or what the offset would be. I haven't been targeted on IPv6 yet, but I'd rather be ready in advance - especially since my IPv6 address has picked up a couple of port scanners already.
What are the IPv6 equivalent rules to block DNS ANY requests?
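As an added example (not part of the question or the linked post), the Python below derives the `--from` offset for each IP/transport combination from the header sizes and runs the same `0000FF0001` search over constructed query packets. It assumes fixed-size headers (no IPv6 extension headers, no TCP options) and uses documentation addresses; extension headers only push the question section further in, so the computed offset stays a safe lower bound.

```python
import struct

# Pattern the rules search for: QNAME terminator (00), QTYPE=ANY (00FF), QCLASS=IN (0001).
ANY_PATTERN = bytes.fromhex("0000FF0001")
IP_HDR = {4: 20, 6: 40}          # fixed header sizes (assumes no options / extension headers)
L4_HDR = {"udp": 8, "tcp": 20}   # assumes a TCP header without options
DNS_HDR = 12

def question_offset(ip_version: int, proto: str) -> int:
    """Start of the DNS question section, counted from the IP header like `-m string --from`.
    DNS over TCP carries a 2-byte length prefix before the DNS header."""
    prefix = 2 if proto == "tcp" else 0
    return IP_HDR[ip_version] + L4_HDR[proto] + prefix + DNS_HDR

def dns_query(qname: str, qtype: int) -> bytes:
    """Constructed DNS query: header (RD set, one question) + QNAME + QTYPE + QCLASS=IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)

def packet(ip_version: int, proto: str, dns: bytes) -> bytes:
    """Constructed on-the-wire packet (checksums zeroed, documentation addresses)."""
    if proto == "udp":
        l4 = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    else:  # 20-byte TCP header (data offset 5, PSH|ACK), then the DNS length prefix
        l4 = struct.pack("!HHIIBBHHH", 40000, 53, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
        l4 += struct.pack("!H", len(dns)) + dns
    nh = 17 if proto == "udp" else 6
    if ip_version == 6:
        src = bytes.fromhex("20010db8" + "0" * 23 + "1")
        dst = bytes.fromhex("20010db8" + "0" * 22 + "53")
        return struct.pack("!IHBB", 0x60000000, len(l4), nh, 64) + src + dst + l4
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, nh, 0, src, dst) + l4

def string_match(pkt: bytes, from_offset: int) -> bool:
    """Emulates `-m string --from N --algo bm --hex-string "|0000FF0001|"` on one packet."""
    return ANY_PATTERN in pkt[from_offset:]

if __name__ == "__main__":
    for ip in (4, 6):
        for proto in ("udp", "tcp"):
            off = question_offset(ip, proto)
            hit = string_match(packet(ip, proto, dns_query("example.com", 255)), off)
            print(f"IPv{ip}/{proto}: --from {off}, ANY query matches: {hit}")
```

The IPv4/UDP result reproduces the `--from 40` in the question; the IPv6 offsets are what the matching `ip6tables` rules would use, with the hex string unchanged because it lives in the DNS payload, not the IP header.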