How to block a dns domain in dns?

[James W. Long]

Dear All:

In the DNS cache I have "wildtangent". I know this to be spyware games.
is it possible to block this from within my DNS? like pointing it to
127.0.0.1?

Wouldnt clients just get that resolved elewhere anyway?

proly a security question...so how do I block everything comming/going
to that site ?

Thanks in advance

James W. Long

 

[Jeff Cochran]

In the DNS cache I have "wildtangent". I know this to be spyware games.
is it possible to block this from within my DNS? like pointing it to
127.0.0.1?

Wouldnt clients just get that resolved elewhere anyway?

Clients resolve the names according to the client settings. If they
use your DNS, then it resolves to the address you enter.

proly a security question...so how do I block everything comming/going
to that site ?

Firewall or proxy.

Jeff

 

[Herb Martin]

Dear All:

In the DNS cache I have "wildtangent". I know this to be spyware games.
is it possible to block this from within my DNS? like pointing it to
127.0.0.1?

Yes, you can do this -- maybe it's not the best idea;
others have suggested using a firewall or proxy, but
even the DNS idea can be made to work very well
with some (small) effort.

Consider that with MS DNS you would need to create
a zone for each blocked zone and it's a lot of work to
do in the GUI or to automate. (See below...***)

Wouldnt clients just get that resolved elewhere anyway?

No. DNS clients assume ALL DNS servers will return the
same answers and so if yours returns some block-type answer
then that is the end of the resolution.

Note: your internal clients must be configured to use ONLY
your internal DNS servers (who will usually forward to the
Internet, ISP/firewall DNS for Internet resolution).

proly a security question...so how do I block everything comming/going
to that site ?

***Some approaches:

A firewall or other filtering proxy, i.e., ISA

Privoxy -- free on sourceforge -- designed to do this task an much more

A DNS server handling it as you proposed

For the latter, DNS server, I would recommend you do this using BIND
or other DNS server where you can easily load the cache.

I am personally a BIG believer in MS DNS, but this is the setup I use:
MS DNS internally -> forwards to my firewall machine running
BIND for external resolutions.

The firewall-placed BIND has a LARGE pre-loaded cache of most
of the (bad) undesirable Internet locations. MS DNS cannot preload
the cache like this.

 

[Ed Horley]

Depending on your needs you can also do stuff with host files on the local
workstations. You can read up at:
http://www.mvps.org/winhelp2002/hosts.htm

Just another option.

Regards,
Ed Horley
Microsoft MVP Server-Networking

 

[Guest]

I am personally a BIG believer in MS DNS, but this is the setup I use:
MS DNS internally -> forwards to my firewall machine running
BIND for external resolutions.

How does MS DNS handle loads of zones?

(Hey, I just made a pun!)

I'm wondering if you can download a public malware host file and turn it
into zones. It would need to be automatable to be useful.

Download a host file.
Turn the host entries into zone files (.DNS files.)
Edit the Windows equivalent of named.conf.
Restart the service.

As long as Windows can handle the thousands of zones and we can automate
adding zones it should work.

Of course it would be a lot easier if the server could pre-cache or
reference a host file but…

Dan

 

[Herb Martin]

How does MS DNS handle loads of zones?
(Hey, I just made a pun!)

MS handles loads of zones just fine if you don't
mind creating (loads of) them.

I'm wondering if you can download a public malware host file and turn it
into zones. It would need to be automatable to be useful.

Sure, but to do it without the zones you need to pre-load
the cache (which is must easier IF you can do it.)

BIND allows pre-loading the cache from one of those mal-site
files in one go; MS DNS doesn't allow for this.

Download a host file.
Turn the host entries into zone files (.DNS files.)

The cache is probably a must better solution because
then you can stop only certain pages/urls from a site
without blocking all access.

Much of what you might wish to block isn't really
malware but also excessive graphics etc.

Edit the Windows equivalent of named.conf.

Normally Windows uses the registry this part.

Restart the service.

As long as Windows can handle the thousands of zones and we can automate
adding zones it should work.

The thousand of zones are also a nuisance when you use
the GUI -- much better to hide all of this in the cache (with
TTLs that essentially never expire.)

Of course it would be a lot easier if the server could pre-cache or
reference a host file but.

Right.

 

[Herb Martin]

Depending on your needs you can also do stuff with host files on the local
workstations. You can read up at:
http://www.mvps.org/winhelp2002/hosts.htm
Just another option.

Yes, but this has at least two significant problems.

Distribution of the file and the fact that on some versions
of the OS (Win2000 for sure) the very large hosts files
can tie up the process each time they are loaded (at
machine startup and on ANY edit.)

I suspect the latter was fixed in XP or Win2003 but it
could take out an entire CPU for up to an hour on fairly
recent versions.

Doing it centrally at the (Internet connecting) DNS server
is a lot easy to manage.

 

[Ed Horley]

That is why I state "Depending on your needs" - as with many things, the
answer is "it depends" and I think the solutions should be evaluated by his
needs. He only indicated one site he was worried about and a DNS solution
does have its short comings in some cases. Mainly if you need to do small
things with internal servers like forward/rDNS lookup comparisons for syslog
files, web server logs, IDS logs, SPF checks, and other issues. If the
servers are AD authenticating then you are short changing your capabilities
to solve problems for those servers and limiting the capabilities of those
services.
Proxy solutions are excellent methods but can be hard for small business to
set up and maintain. Sometimes HOSTS is a quick and easy fix.

Regards,
Ed Horley
Microsoft MVP Server-Networking