On Sun, 2004-06-13 at 04:29, Cedric Blancher wrote:
> Moreover, I think it would generate too much latency if you had to
> check DNS for packets at firewall level.

Not to mention the accuracy is pretty poor. Say I'm fubar.com and you have a rule blocking traffic from my domain. I can either:

1) Not create a PTR record for my IP
2) Create a PTR calling myself www.microsoft.com or similar

Both methods will defeat a domain based filter. So blocking at an IP level is faster and more accurate. Best bet is to just do a few whois queries to identify the IP range for the domain and block accordingly.

HTH,
Chris
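The two evasions Chris lists, worked through as an added example that is not part of the original message or thread. It uses a constructed reverse/forward DNS view and a constructed "whois" netblock (192.0.2.0/24, documentation space standing in for the hypothetical fubar.com range) so it runs offline. It also goes one step beyond the message: a forward-confirmed rDNS check (PTR name must resolve back to the source IP) catches the forged PTR but still passes the host with no PTR at all, so only the IP-range filter blocks all three fubar.com hosts.

```python
"""Domain-based vs IP-range-based source filtering (constructed example)."""
import ipaddress

# Constructed reverse-DNS view as a firewall doing PTR lookups would see it.
# 192.0.2.0/24 is the hypothetical fubar.com netblock; 198.51.100.5 is an
# unrelated third party that must not be blocked.
FAKE_PTR = {
    "192.0.2.10": "mail.fubar.com",       # honest PTR
    "192.0.2.11": None,                   # evasion 1: no PTR record at all
    "192.0.2.12": "www.microsoft.com",    # evasion 2: forged PTR
    "198.51.100.5": "smtp.example.net",   # unrelated host
}

# Constructed forward view, used by the forward-confirmed rDNS check.
FAKE_A = {
    "mail.fubar.com": {"192.0.2.10"},
    "www.microsoft.com": {"203.0.113.80"},  # does not map back to 192.0.2.12
    "smtp.example.net": {"198.51.100.5"},
}

BLOCKED_DOMAINS = ("fubar.com",)
# Range a whois query on fubar.com would have returned (constructed).
BLOCKED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def ptr_lookup(ip):
    """Stand-in for a real PTR query; None models NXDOMAIN."""
    return FAKE_PTR.get(ip)


def a_lookup(name):
    """Stand-in for a real A query; empty set models NXDOMAIN."""
    return FAKE_A.get(name, set())


def in_domain(name, domain):
    """True if name is domain or a subdomain of it (no substring matches)."""
    return name == domain or name.endswith("." + domain)


def blocked_by_domain_filter(ip):
    """Naive domain-based rule: block if the PTR name is under a blocked domain."""
    name = ptr_lookup(ip)
    if name is None:
        return False  # no PTR: nothing to match, so the packet passes
    return any(in_domain(name, d) for d in BLOCKED_DOMAINS)


def fcrdns_ok(ip):
    """Forward-confirmed rDNS: the PTR name must resolve back to the IP."""
    name = ptr_lookup(ip)
    return name is not None and ip in a_lookup(name)


def blocked_by_ip_filter(ip):
    """IP-range rule built from the whois-derived netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)


def classify(ip):
    """Result of each check for one source address."""
    return {
        "domain_filter": blocked_by_domain_filter(ip),
        "fcrdns_ok": fcrdns_ok(ip),
        "ip_filter": blocked_by_ip_filter(ip),
    }


if __name__ == "__main__":
    for src in FAKE_PTR:
        print(src, classify(src))
```

Only 192.0.2.10, the honest host, is caught by the domain-based rule; the PTR-less host and the one claiming to be www.microsoft.com both sail through it, while the 192.0.2.0/24 rule blocks all three and leaves 198.51.100.5 alone, without a single DNS round trip per packet.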