Hi,

I doubt that he is rewriting DNS requests with HTTP. He is using his nameserver to tell the clients that, i.e., *.gmail.com -> some_local_IP, and when the real HTTP request is being sent out, it is being sent out to some_local_IP ... it is like entering fixed IP addresses in the /etc/hosts file.

Regards,
Edvin Seferovic

PS: it would be interesting which domains you are poisoning :) a zone file would be great!

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Carl Holtje ;021;vcsg6;
Sent: Friday, 24 June 2005 16:05
To: /dev/rob0
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Firewall feature recommendation

On Fri, 24 Jun 2005, /dev/rob0 wrote:

> On Friday 24 June 2005 08:36, Carl Holtje ;021;vcsg6; wrote:
> > > > - Black lists for inbound & outbound traffic
> > >
> > > We don't do much of this. We *do* use DNS poisoning for certain
> > > known "ratware"/virus domains such as gator.com.
> >
> > Sorry to jump in half-way through, but how do you do this?
> >
> > I'm looking for a solution better than editing /etc/hosts that I can
> > apply to a small network..
>
> BIND 9, transparent DNS proxying for clients to force them into our
> local nameserver, where we have a simple null zone file which is loaded
> as master for each blocked domain. It points a wildcard "A" at an
> internal IP.

Would you be so kind as to post a randomly-selected zone file for our enjoyment?

> Among other things, that internal machine runs a Web server. When we
> first started doing this, its apache logs were inundated with 404's as
> the now-stranded spyware attempted to phone home.

So you take a DNS (port 53) request and re-write it as HTTP (port 80)?? Wouldn't it just be easier to reply to the DNS request with a "host not found"? Or were you trying to log the requests to find the infected hosts..?

Thanks!

Carl

--
"There are 10 types of people in the world: Those who understand binary and those that don't."
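The setup /dev/rob0 describes, as an added example that is not part of the thread above and not anyone's posted configuration: one BIND 9 null zone whose wildcard "A" record points every blocked domain at an internal host, the named.conf stanzas that load that single file as master for each blocked domain, and a small report over the internal host's Apache log that answers Carl's question about using the 404s to find infected machines. The sinkhole address 10.0.0.53, the SOA/TTL values, the zone file path, the block list and the log lines are all assumptions constructed for the example; the log is assumed to be in Apache's vhost_combined format, whose first field is the requested vhost.

```python
"""Added example (not from the netfilter thread): DNS sinkhole zone generation
and a phone-home report over the sinkhole web server's Apache log.

Assumptions not stated in the thread: the sinkhole address 10.0.0.53, the SOA
and TTL values, the zone file path, and an Apache log in vhost_combined format
(%v:%p first).  The blocked-domain list and the log lines are constructed."""
import re
from collections import defaultdict

SINKHOLE_IP = "10.0.0.53"  # assumed address of the internal sinkhole web server


def null_zone(sinkhole_ip=SINKHOLE_IP, ttl=300):
    """One zone file shared by every blocked domain.  The apex and the wildcard
    both resolve to the sinkhole, so gator.com and www.gator.com alike land
    there.  All names are relative, so the same file works for any origin."""
    return "\n".join([
        f"$TTL {ttl}",
        "@   IN SOA ns hostmaster ( 2005062401 3600 900 604800 300 )",
        "@   IN NS  ns",
        f"ns  IN A   {sinkhole_ip}",
        f"@   IN A   {sinkhole_ip}",
        f"*   IN A   {sinkhole_ip}",
    ]) + "\n"


def named_conf_zones(blocked, zone_file="/etc/bind/null.zone"):
    """named.conf stanzas loading the single null zone as master per blocked domain."""
    return "".join(
        f'zone "{d}" {{ type master; file "{zone_file}"; }};\n' for d in sorted(blocked)
    )


# Apache vhost_combined: %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)


def blocked_zone(host, blocked):
    """Return the blocked apex covering `host` (exact match or any subdomain), else None."""
    host = host.lower().rstrip(".")
    for zone in blocked:
        if host == zone or host.endswith("." + zone):
            return zone
    return None


def phone_home_report(log_lines, blocked):
    """Count, per internal client, requests that reached the sinkhole for a blocked
    zone.  The status code is irrelevant for detection: any hit means the client
    resolved a blocked name and tried to talk to it (404 is the norm, since the
    sinkhole serves nothing the spyware asks for).  Unparseable lines and traffic
    for vhosts outside the block list are ignored."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        zone = blocked_zone(m["vhost"], blocked)
        if zone is None:
            continue
        report[m["client"]][zone] += 1
    return {client: dict(zones) for client, zones in report.items()}


BLOCKED = ["gator.com", "ads.example.net"]  # constructed block list

# Constructed sinkhole access log: two infected clients plus an unrelated intranet hit.
SAMPLE_LOG = """\
www.gator.com:80 192.168.1.37 - - [24/Jun/2005:16:05:01 +0200] "GET /cgi-bin/phonehome?id=7 HTTP/1.1" 404 297 "-" "Gator/1.0"
gator.com:80 192.168.1.37 - - [24/Jun/2005:16:05:31 +0200] "POST /report HTTP/1.1" 404 297 "-" "Gator/1.0"
update.ads.example.net:80 192.168.1.42 - - [24/Jun/2005:16:06:02 +0200] "GET /u.cgi HTTP/1.1" 404 210 "-" "-"
intranet.example.lan:80 192.168.1.42 - - [24/Jun/2005:16:06:10 +0200] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
this line is not an Apache log entry
"""

if __name__ == "__main__":
    print(null_zone())
    print(named_conf_zones(BLOCKED))
    for client, zones in sorted(phone_home_report(SAMPLE_LOG.splitlines(), BLOCKED).items()):
        print(client, zones)
```

Running the script prints the shared zone file, the per-domain stanzas, and the report, which attributes the gator.com traffic to 192.168.1.37 and the ads.example.net traffic to 192.168.1.42 while dropping the intranet request and the unparseable line. Returning NXDOMAIN instead, as Carl suggests, would block the traffic just as well but leave no per-host record on the web server; the wildcard-to-internal-IP design trades a few lines of log noise for exactly this visibility.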