From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Carl Holtje ;021;vcsg6;"
Subject: Re: Firewall feature recommendation
Date: Fri, 24 Jun 2005 10:04:36 -0400 (EDT)
Message-ID:
References: <200506240826.14769.rob0@gmx.co.uk> <200506240845.37417.rob0@gmx.co.uk>
Mime-Version: 1.0
Return-path:
In-Reply-To: <200506240845.37417.rob0@gmx.co.uk>
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: netfilter-bounces@lists.netfilter.org
Errors-To: netfilter-bounces@lists.netfilter.org
Content-Type: TEXT/PLAIN; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: /dev/rob0
Cc: netfilter@lists.netfilter.org

On Fri, 24 Jun 2005, /dev/rob0 wrote:

> On Friday 24 June 2005 08:36, Carl Holtje ;021;vcsg6; wrote:
> > > > - Black lists for inbound & outbound traffic
> > >
> > > We don't do much of this. We *do* use DNS poisoning for certain
> > > known "ratware"/virus domains such as gator.com.
> >
> > Sorry to jump in half-way through, but how do you do this?
> >
> > I'm looking for a solution better than editing /etc/hosts that I can
> > apply to a small network..
>
> BIND 9, transparent DNS proxying for clients to force them into our
> local nameserver, where we have a simple null zone file which is loaded
> as master for each blocked domain. It points a wildcard "A" at an
> internal IP.

Would you be so kind as to post a randomly-selected zone file for our
enjoyment?

> Among other things, that internal machine runs a Web server. When we
> first started doing this, its apache logs were inundated with 404's as
> the now-stranded spyware attempted to phone home.

So you take a DNS (port 53) request and re-write it as HTTP (port 80)??
Wouldn't it just be easier to reply to the DNS request with a "host not
found"? Or were you trying to log the requests to find the infected
hosts..?

Thanks!

Carl

- --
"There are 10 types of people in the world: Those who understand binary
and those that don't."
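The setup rob0 describes (one null zone file loaded as master for every blocked domain, with a wildcard "A" pointing at an internal sinkhole host) can be generated from a plain list of domains. The script below is an added example written for this archive page; it is not rob0's zone file and not anything posted in the thread. It assumes a sinkhole address of 10.0.0.10, the placeholder names ns.sinkhole.example and hostmaster.sinkhole.example for the SOA and NS records, and that the generated blocked-zones.conf is pulled into named.conf with an `include` statement; gator.com is the only domain taken from the thread, spyware.example is a constructed placeholder. The wildcard record rather than an NXDOMAIN answer is what makes the sinkhole's web server logs a list of infected clients, which is the observation rob0 reports.

```shell
#!/bin/sh
# Added example (not from the thread): generate a BIND 9 DNS sinkhole from a
# domain blocklist. One shared null zone file is declared as a master zone
# once per blocked domain, exactly as rob0 describes.
# Assumptions: sinkhole host 10.0.0.10 (override with SINKHOLE_IP), placeholder
# SOA/NS names under sinkhole.example, output directory passed as an argument.

SINKHOLE_IP="${SINKHOLE_IP:-10.0.0.10}"

# write_null_zone DIR : writes DIR/null.zone. Every record is relative to the
# zone origin (@) or a wildcard, so the same file is valid for any domain it is
# loaded under. '\$TTL' is escaped because the heredoc expands $SINKHOLE_IP.
write_null_zone() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/null.zone" <<EOF
\$TTL 3600
@       IN SOA  ns.sinkhole.example. hostmaster.sinkhole.example. (
                2005062401      ; serial
                3600            ; refresh
                900             ; retry
                604800          ; expire
                300 )           ; negative-cache TTL
        IN NS   ns.sinkhole.example.
        IN A    $SINKHOLE_IP
*       IN A    $SINKHOLE_IP
EOF
}

# write_blocked_zones DIR LISTFILE : writes DIR/blocked-zones.conf with one
# "type master" stanza per domain in LISTFILE, all pointing at the shared
# null.zone. Blank lines and '#' comments in the list are ignored.
write_blocked_zones() {
    dir="$1"
    list="$2"
    out="$dir/blocked-zones.conf"
    : > "$out"
    grep -Ev '^[[:space:]]*(#|$)' "$list" | while read -r domain; do
        printf 'zone "%s" { type master; file "%s/null.zone"; };\n' \
            "$domain" "$dir" >> "$out"
    done
}

# count_blocked_zones DIR : number of zone stanzas generated, for checking.
count_blocked_zones() {
    grep -c '^zone ' "$1/blocked-zones.conf"
}

# Demonstration with a constructed blocklist: gator.com is the domain named in
# the thread, spyware.example is a placeholder.
demo_dir=$(mktemp -d)
printf 'gator.com\n# comments and blank lines are ignored\n\nspyware.example\n' \
    > "$demo_dir/blocklist.txt"
write_null_zone "$demo_dir"
write_blocked_zones "$demo_dir" "$demo_dir/blocklist.txt"
echo "generated $(count_blocked_zones "$demo_dir") zone stanzas in $demo_dir"

# If BIND's checker is installed, confirm the shared file loads cleanly under
# one of the blocked origins; it must do so for every domain in the list.
if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone gator.com "$demo_dir/null.zone"
fi
```

Add `include "/path/to/blocked-zones.conf";` to named.conf and reload to activate the stanzas. The transparent redirection of client port-53 traffic to the local nameserver that rob0 mentions is a separate netfilter rule and is not part of this example; without it, clients that point at an outside resolver bypass the sinkhole entirely.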