From: "Seferovic Edvin" <edvin.seferovic@kolp.at>
To: netfilter@lists.netfilter.org
Subject: RE: Firewall feature recommendation
Date: Fri, 24 Jun 2005 16:12:01 +0200 [thread overview]
Message-ID: <29273.9371922382$1119621989@news.gmane.org> (raw)
In-Reply-To: <Pine.GSO.4.58.0506241002340.17433@queeg.cs.rit.edu>
Hi,
I doubt that he is rewriting DNS requests with HTTP. He is using his
nameserver to tell the clients that the ie. *.gmail.com -> some_local_IP and
when the real HTTP request is being sent out - it is being sent out to
some_local_IP ... it is like entering fix IP adresses in /etc/hosts file..
Regards,
Edvin Seferovic
PS: it would be interesting which domains you are poisoning :) a zone file
would be great !
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Carl Holtje
;021;vcsg6;
Sent: Freitag, 24. Juni 2005 16:05
To: /dev/rob0
Cc: netfilter@lists.netfilter.org
Subject: Re: Firewall feature recommendation
On Fri, 24 Jun 2005, /dev/rob0 wrote:
> On Friday 24 June 2005 08:36, Carl Holtje ;021;vcsg6; wrote:
> > > > - Black lists for inbound & outbound traffic
> > >
> > > We don't do much of this. We *do* use DNS poisoning for certain
> > > known "ratware"/virus domains such as gator.com.
> >
> > Sorry to jump in half-way through, but how do you do this?
> >
> > I'm looking for a solution better than editing /etc/hosts that I can
> > apply to a small network..
>
> BIND 9, transparent DNS proxying for clients to force them into our
> local nameserver, where we have a simple null zone file which is loaded
> as master for each blocked domain. It points a wildcard "A" at an
> internal IP.
Would you be so kind as to post a randomly-selected zone file for our
enjoyment?
> Among other things, that internal machine runs a Web server. When we
> first started doing this, its apache logs were inundated with 404's as
> the now-stranded spyware attempted to phone home.
So you take a DNS (port 53) request and re-write it as HTTP (port 80)??
Wouldn't it just be easier to reply to the DNS request with a "host not
found"? Or where you trying to log the requests to find the infected
hosts..?
Thanks!
Carl
- --
"There are 10 types of people in the world: Those who understand binary
and those that don't."
next prev parent reply other threads:[~2005-06-24 14:12 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-06-24 10:56 Firewall feature recommendation Kenneth Kalmer
2005-06-24 13:26 ` /dev/rob0
2005-06-24 13:36 ` Carl Holtje ;021;vcsg6;
2005-06-24 13:45 ` /dev/rob0
2005-06-24 14:04 ` Carl Holtje ;021;vcsg6;
2005-06-24 14:12 ` Seferovic Edvin [this message]
2005-06-24 14:12 ` /dev/rob0
2005-06-24 14:32 ` /dev/rob0
2005-06-24 14:37 ` Jan Engelhardt
2005-06-24 14:53 ` /dev/rob0
2005-06-24 15:20 ` Carl Holtje ;021;vcsg6;
2005-06-24 15:23 ` Carl Holtje ;021;vcsg6;
2005-06-24 17:49 ` /dev/rob0
2005-06-24 15:12 ` Kenneth Kalmer
2005-06-24 13:44 ` John A. Sullivan III
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='29273.9371922382$1119621989@news.gmane.org' \
--to=edvin.seferovic@kolp.at \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.