Forgive me for hijacking this, but is Akamai not a reverse proxy cluster service? I believe windowsupdate runs behind them... Or, then I simply don't recall the right name :)

As for your problem... You could create a zone file which looks like this:

---------
@ IN SOA yourlocaldnsserver.com. yourname.you.com. (
        0824051   ; serial
        28800     ; refresh val
        1800      ; retry val
        432000    ; expire val
        18000 )   ; min TTL
@       NS      yourlocaldnsserver.com.
        A       127.0.0.1
*       IN A    127.0.0.1
---------

(Okay, I'll admit I once again come from the Bind (named) world, but this should work in ms dns as well, just name it, say "blockedrequest.dns" and place it in %SystemRoot%\system32\dns\, ms dns *is* derived from bind. But then again every DNS server basically is.)

Then, you should simply create a new domain for each first level domain you would like to block. For instance, if you want to block adserver.lab.rot3.gator.com (I made that up) you would create gator.com. Now, do not create the zone as AD integrated, for obvious reasons -- and then just point it to the flat DNS zone file you just created. Repeat for every domain.

Unless your DNS server is set to forward only, or forward first (I think the former can be done in ms dns, I am not sure about the latter -- it's been a while since I used it for something deeper than a mere service restart) it should catch the request, match it to the zone, and make it resolve to 127.0.0.1, which means it will stay local and die.
If you want to make things easier, you can create a registry file (.reg) which would contain something like this:

-----------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones\gator.com]
"Type"=dword:00000001
"DatabaseFile"="blockedrequest.dns"
"SecureSecondaries"=dword:00000001
"NotifyLevel"=dword:00000001
"AllowUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones\evil.net]
"Type"=dword:00000001
"DatabaseFile"="blockedrequest.dns"
"SecureSecondaries"=dword:00000001
"NotifyLevel"=dword:00000001
"AllowUpdate"=dword:00000000
---------

Repeat for each domain; I gave you two for the example.

Hope it helps.

--
Alexandre Gauthier
Analyste Réseau/Network Analyst
Québec Loisirs - www.quebecloisirs.com

-----Original Message-----
From: William Robertson [mailto:william.robertson@xxxxxxxxxx]
Sent: 24 August 2005 00:28
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Discard DNS requests?

http://www.ISAserver.org

If I understand you correctly...

My client workstations are making "legitimate" (i.e. non virus/worm related) calls to domains such as AKAMAI and GATOR. There are a few others but these 2 appear to be top of the list.

My ISA Firewall is going to stop these requests once they eventually get to him, but I'm hoping that I can simply kill the requests at my DNS server already... save everyone a lot of time.

I am aware that I should also be identifying the culprit workstations and cleaning them up, but this is a very reactive approach, one which I hope to resolve once the Microsoft Anti-Spyware tool is officially released.

Thanks
William R.
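The "repeat for each domain" step in Alexandre's reply is the part that gets tedious, and the "first level domain" rule he gives (adserver.lab.rot3.gator.com becomes gator.com) is the part that goes wrong for names under two-label suffixes such as co.uk, where the last two labels are a public suffix and sinkholing them would blackhole every site beneath it. The script below is an added example, not code from the thread: it takes a list of hostnames seen at the resolver, works out the zone to register for each one, emits the same REGEDIT4 entries the reply shows against the shared blockedrequest.dns file, and checks which names the resulting zones would catch (the apex A record catches the zone name itself, the * wildcard everything beneath it). The hostnames are constructed, and TWO_LABEL_SUFFIXES is a hypothetical stand-in for a real public-suffix list; the registry path and value names are the ones from the reply. The DNS service reads its zone list from that key at startup, so a restart is needed after importing the file.

```python
"""Build the MS DNS sinkhole zone list (REGEDIT4 format) from observed hostnames."""

from typing import Iterable, List

# Hypothetical stand-in for the public suffix list: suffixes where the
# registrable domain is three labels, not two. A real deployment would load
# the full list instead of this handful.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Registry key and zone file name exactly as used in the reply above.
ZONES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones"
ZONE_FILE = "blockedrequest.dns"


def sinkhole_zone(hostname: str) -> str:
    """Return the zone to register so that `hostname` resolves to 127.0.0.1."""
    labels = hostname.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a usable hostname: {hostname!r}")
    suffix = ".".join(labels[-2:])
    if suffix in TWO_LABEL_SUFFIXES:
        # e.g. ads.example.co.uk -> example.co.uk, never co.uk itself
        if len(labels) < 3:
            raise ValueError(f"refusing to sinkhole a public suffix: {hostname!r}")
        return ".".join(labels[-3:])
    return suffix


def zones_for(hostnames: Iterable[str]) -> List[str]:
    """Deduplicate the zones needed for a batch of hostnames, sorted for stable output."""
    return sorted({sinkhole_zone(h) for h in hostnames})


def reg_file(zones: Iterable[str]) -> str:
    """Render the REGEDIT4 file: one primary zone per entry, all backed by ZONE_FILE."""
    lines = ["REGEDIT4", "", f"[{ZONES_KEY}]", ""]
    for zone in zones:
        lines += [
            f"[{ZONES_KEY}\\{zone}]",
            '"Type"=dword:00000001',           # 1 = primary (file-backed) zone
            f'"DatabaseFile"="{ZONE_FILE}"',
            '"SecureSecondaries"=dword:00000001',
            '"NotifyLevel"=dword:00000001',
            '"AllowUpdate"=dword:00000000',    # no dynamic updates into the sinkhole
            "",
        ]
    return "\r\n".join(lines)   # .reg files are CRLF text


def is_sinkholed(hostname: str, zones: Iterable[str]) -> bool:
    """True if a zone's apex A record or its '*' wildcard would answer this name."""
    name = hostname.strip().rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


if __name__ == "__main__":
    # Constructed sample of names pulled from a resolver log.
    seen = [
        "adserver.lab.rot3.gator.com",
        "tracker.gator.com",
        "evil.net",
        "cdn.evil.net.",
        "ads.example.co.uk",
    ]
    zones = zones_for(seen)
    print("zones to register:", zones)
    print(reg_file(zones))
    for name in ("deep.sub.gator.com", "gator.com", "notgator.com"):
        print(name, "->", "sinkholed" if is_sinkholed(name, zones) else "resolved normally")
```

Note the last check: "notgator.com" is not caught, because the zone match is on label boundaries, which is also how the server itself decides which zone owns a query. That is worth confirming for any zone you add, since a single over-broad zone (a bare TLD, or co.uk) would silently break every name beneath it for all your clients.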