Firewall feature recommendation
edvin.seferovic at kolp.at
Fri Jun 24 16:12:01 CEST 2005
I doubt that he is rewriting DNS requests with HTTP. He is using his
nameserver to tell the clients that the ie. *.gmail.com -> some_local_IP and
when the real HTTP request is being sent out - it is being sent out to
some_local_IP ... it is like entering fix IP adresses in /etc/hosts file..
PS: it would be interesting which domains you are poisoning :) a zone file
would be great !
From: netfilter-bounces at lists.netfilter.org
[mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of Carl Holtje
Sent: Freitag, 24. Juni 2005 16:05
Cc: netfilter at lists.netfilter.org
Subject: Re: Firewall feature recommendation
On Fri, 24 Jun 2005, /dev/rob0 wrote:
> On Friday 24 June 2005 08:36, Carl Holtje ;021;vcsg6; wrote:
> > > > - Black lists for inbound & outbound traffic
> > >
> > > We don't do much of this. We *do* use DNS poisoning for certain
> > > known "ratware"/virus domains such as gator.com.
> > Sorry to jump in half-way through, but how do you do this?
> > I'm looking for a solution better than editing /etc/hosts that I can
> > apply to a small network..
> BIND 9, transparent DNS proxying for clients to force them into our
> local nameserver, where we have a simple null zone file which is loaded
> as master for each blocked domain. It points a wildcard "A" at an
> internal IP.
Would you be so kind as to post a randomly-selected zone file for our
> Among other things, that internal machine runs a Web server. When we
> first started doing this, its apache logs were inundated with 404's as
> the now-stranded spyware attempted to phone home.
So you take a DNS (port 53) request and re-write it as HTTP (port 80)??
Wouldn't it just be easier to reply to the DNS request with a "host not
found"? Or where you trying to log the requests to find the infected
"There are 10 types of people in the world: Those who understand binary
and those that don't."
More information about the netfilter