Hi Alexandre,

You'll find that ISA firewall admins in general don't read Playboy for the articles ;-)

Tom
www.isaserver.org
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
> Sent: Wednesday, August 24, 2005 8:44 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Discard DNS requests?
>
> http://www.ISAserver.org
>
> Well, I don't find copy pasting pretty hard to do, but you know, to each his own. I *am* a unix guy venturing in windows land after all.
>
> But you will notice his question was rather, how to block certain hosts from being resolved *at all*, since forwarding the query to his upstream DNS ate bandwidth.
>
> *shrugs*
>
> I believe my solution is applicable and not *that* hard if you are not afraid of a text editor.
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: 24 August 2005 09:32
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Discard DNS requests?
>
> http://www.ISAserver.org
>
> Good God - that's the hard way.
> If you want to block by IP, create the list in ISA policies and be done with it.
>
> -----Original Message-----
> From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
> Sent: Wednesday, August 24, 2005 5:48 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Discard DNS requests?
>
> http://www.ISAserver.org
>
> Forgive me for hijacking this, but is Akamai not a reverse proxy cluster service? I believe windowsupdate runs behind them...
>
> Or, then I simply don't recall the right name :)
>
> As for your problem... You could create a zone file which looks like this:
>
> ---------
>
> $TTL 18000                  ; default TTL (BIND 9 expects this directive)
> @ IN SOA yourlocaldnsserver.com. yourname.you.com. (
>         0824051 ; serial
>         28800   ; refresh val
>         1800    ; retry val
>         432000  ; expire val
>         18000 ) ; min TTL
>
> @ IN NS yourlocaldnsserver.com.
> @ IN A  127.0.0.1           ; the zone name itself (the wildcard does not cover the apex)
> * IN A  127.0.0.1           ; every name below the apex
>
> ---------
>
> (Okay, I'll admit I once again come from the Bind (named) world, but this should work in ms dns as well, just name it, say "blockedrequest.dns" and place it in %SystemRoot%\system32\dns\, ms dns *is* derived from bind. But then again every DNS server basically is.)
>
> Then, you should simply create a new domain for each first level domain you would like to block. For instance, if you want to block adserver.lab.rot3.gator.com (I made that up) you would create gator.com.
>
> Now, do not create the zone as AD integrated, for obvious reasons -- and then just point it to the flat DNS zone file you just created. Repeat for every domain.
>
> Unless your DNS server is set to forward only, or forward first (I think the former can be done in ms dns, I am not sure about the latter -- it's been a while since I used it for something deeper than a mere service restart) it should catch the request, match it to the zone, and make it resolve to 127.0.0.1, which means it will stay local and die.
>
> If you want to make things easier, you can create a registry file (.reg) which would contain something like this:
> -----------
>
> REGEDIT4
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones]
>
> ; one key per blocked domain; Type 1 = primary zone, all backed by the same flat file
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones\gator.com]
> "Type"=dword:00000001
> "DatabaseFile"="blockedrequest.dns"
> "SecureSecondaries"=dword:00000001
> "NotifyLevel"=dword:00000001
> "AllowUpdate"=dword:00000000
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones\evil.net]
> "Type"=dword:00000001
> "DatabaseFile"="blockedrequest.dns"
> "SecureSecondaries"=dword:00000001
> "NotifyLevel"=dword:00000001
> "AllowUpdate"=dword:00000000
>
> ---------
>
> Repeat for each domain, I gave you two for the example. Hope it helps.
>
> --
> Alexandre Gauthier
> Analyste Réseau/Network Analyst
> Québec Loisirs - www.quebecloisirs.com
>
> -----Original Message-----
> From: William Robertson [mailto:william.robertson@xxxxxxxxxx]
> Sent: 24 August 2005 00:28
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Discard DNS requests?
>
> http://www.ISAserver.org
>
> If I understand you correctly...
> My client workstations are making "legitimate" (i.e. non virus/worm related) calls to domains such as AKAMAI and GATOR. There are a few others but these 2 appear to be top of the list.
>
> My ISA Firewall is going to stop these requests once they eventually get to him, but I'm hoping that I can simply kill the requests at my DNS server already... save everyone a lot of time.
>
> I am aware that I should also be identifying the culprit workstations and cleaning them up, but this is a very reactive approach, one which I hope to resolve once the Microsoft Anti-Spyware tool is officially released.
>
> Thanks
> William R.
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
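The DNS sinkhole approach Alexandre describes in the thread, as an added example that is not part of the list discussion or of MS DNS/BIND: it builds the flat zone file and the per-domain DNS\Zones registry entries from a block list, and predicts which query names the resulting zones would answer locally rather than forward upstream. The helper names, server names and domains are constructed for illustration.

```python
# Added example, not from the thread: build the sinkhole zone file and the
# per-domain registry entries, and predict which queries the zones capture.
from typing import Iterable, Optional

SINKHOLE_IP = "127.0.0.1"
ZONE_FILE = "blockedrequest.dns"          # flat file name used in the thread
REG_ZONES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones"


def sinkhole_zone_file(primary_ns: str, contact: str, serial: int) -> str:
    """Zone data with an apex A record plus a wildcard A record: '*' only
    matches names below the zone name, so the apex needs its own record."""
    return "\n".join([
        "$TTL 18000",
        f"@ IN SOA {primary_ns}. {contact}. (",
        f"    {serial:07d} ; serial",
        "    28800 ; refresh", "    1800 ; retry",
        "    432000 ; expire", "    18000 ) ; minimum TTL",
        f"@ IN NS {primary_ns}.",
        f"@ IN A {SINKHOLE_IP}",
        f"* IN A {SINKHOLE_IP}",
        "",
    ])


def sinkhole_reg_file(domains: Iterable[str]) -> str:
    """REGEDIT4 text declaring one primary zone (Type=1) per blocked
    domain, every zone backed by the same flat zone file."""
    lines = ["REGEDIT4", "", f"[{REG_ZONES}]", ""]
    for d in sorted({x.lower().strip(".") for x in domains}):
        lines += [f"[{REG_ZONES}\\{d}]",
                  '"Type"=dword:00000001',
                  f'"DatabaseFile"="{ZONE_FILE}"',
                  '"SecureSecondaries"=dword:00000001',
                  '"NotifyLevel"=dword:00000001',
                  '"AllowUpdate"=dword:00000000', ""]
    return "\n".join(lines)


def sinkhole_match(qname: str, blocked: Iterable[str]) -> Optional[str]:
    """Zone that would answer qname, or None if the server would forward it.
    The closest enclosing zone wins (longest suffix); 'notgator.com' is not
    below 'gator.com' and is left alone."""
    labels = qname.lower().strip(".").split(".")
    zones = {z.lower().strip(".") for z in blocked}
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zones:
            return suffix
    return None
```

Writing the two strings to %SystemRoot%\system32\dns\blockedrequest.dns and a .reg file reproduces the manual steps in the thread; sinkhole_match is the check to run over a query log before importing, to confirm nothing legitimate sits below a blocked apex.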