RE: Discard DNS requests?

  • From: Alexandre Gauthier <gauthiera@xxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 24 Aug 2005 09:50:30 -0400

Very well. Then perhaps you would have a better, simpler solution
applicable to prevent a host from being resolved, Dr. Shinder?

I do have a tendency to dig a wee bit too deep in things -- thanks to a
great amount of unix philosophy...

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: August 24, 2005 09:46
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Discard DNS requests?

http://www.ISAserver.org

Hi Alexandre,

You'll find that ISA firewall admins in general don't read Playboy for the
articles ;-)

Tom
www.isaserver.org
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx] 
> Sent: Wednesday, August 24, 2005 8:44 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Discard DNS requests?
> 
> Well, I don't find copy pasting pretty hard to do, but you know, to each his
> own. I *am* a unix guy venturing in windows land after all.
> 
> But you will notice his question was rather, how to block certain hosts from
> being resolved *at all*, since forwarding the query to his upstream DNS ate
> bandwidth.
> 
> *shrugs*
> 
> I believe my solution is applicable and not *that* hard if you are not
> afraid of a text editor.
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: August 24, 2005 09:32
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Discard DNS requests?
> 
> Goog Dod - that's the hard way.
> If you want to block by IP, create the list in ISA policies and be done with
> it.
> 
> -----Original Message-----
> From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx] 
> Sent: Wednesday, August 24, 2005 5:48 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Discard DNS requests?
> 
> Forgive me for hijacking this, but is Akamai not a reverse proxy cluster
> service? I believe windowsupdate runs behind them...
> 
> Or, then I simply don't recall the right name :)
> 
> As for your problem... You could create a zone file which looks like this:
> 
> ---------
> 
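> ; One flat zone file shared by every blocked zone: all names are relative (@).
> @                       IN  SOA yourlocaldnsserver.com.  yourname.you.com. (
>                               0824051      ; serial
>                               28800        ; refresh val
>                               1800         ; retry val
>                               432000       ; expire val
>                               18000      ) ; min TTL
> 
> @                       NS    yourlocaldnsserver.com.
> 
> ; The zone apex and every name below it answer with loopback.
> @     IN      A       127.0.0.1
> *     IN      A       127.0.0.1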
> 
> ---------
> 
> (Okay, I'll admit I once again come from the Bind (named) world, but this
> should work in ms dns as well, just name it, say "blockedrequest.dns" and
> place it in %SystemRoot%\system32\dns\, ms dns *is* derived from bind. But
> then again every DNS server basically is.)
> 
> Then, you should simply create a new domain for each first level domain you
> would like to block. For instance, if you want to block
> adserver.lab.rot3.gator.com (I made that up) you would create gator.com.
> 
> Now, do not create the zone as AD integrated, for obvious reasons -- and
> then just point it to the flat DNS zone file you just created. Repeat for
> every domain.
> 
> Unless your DNS server is set to forward only, or forward first (I think the
> former can be done in ms dns, I am not sure about the latter -- it's been a
> while since I used it for something deeper than a mere service restart) it
> should catch the request, match it to the zone, and make it resolve to
> 127.0.0.1, which means it will stay local and die.
> 
> If you want to make things easier, you can create a registry file (.reg)
> which would contain something like this:
> -----------
> 
> REGEDIT4
> 
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones]
> 
> ; Each blocked zone points at the same flat zone file.
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones\gator.com]
> "Type"=dword:00000001
> "DatabaseFile"="blockedrequest.dns"
> "SecureSecondaries"=dword:00000001
> "NotifyLevel"=dword:00000001
> "AllowUpdate"=dword:00000000
> 
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones\evil.net]
> "Type"=dword:00000001
> "DatabaseFile"="blockedrequest.dns"
> "SecureSecondaries"=dword:00000001
> "NotifyLevel"=dword:00000001
> "AllowUpdate"=dword:00000000
> 
> ---------
> 
> Repeat for each domain, I gave you two for the example. Hope it helps.
> 
> --
> Alexandre Gauthier
> Analyste Réseau/Network Analyst
> Québec Loisirs - www.quebecloisirs.com
> 
> 
> 
> -----Original Message-----
> From: William Robertson [mailto:william.robertson@xxxxxxxxxx]
> Sent: August 24, 2005 00:28
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Discard DNS requests?
> 
> If I understand you correctly...
> My client workstations are making "legitimate" (i.e. non virus/worm related)
> calls to domains such as AKAMAI and GATOR. There are a few others but these
> 2 appear to be top of the list.
> 
> My ISA Firewall is going to stop these requests once they eventually get to
> him, but I'm hoping that I can simply kill the requests at my DNS server
> already... save everyone a lot of time.
> 
> I am aware that I should also be identifying the culprit workstations and
> cleaning them up, but this is a very reactive approach, one which I hope to
> resolve once the Microsoft Anti-Spyware tool is officially released.
> 
> Thanks
> William R.
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> 
> 

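Added example, not part of the original thread or any poster's code: Python that builds the .reg file described in Alexandre Gauthier's quoted message from a list of host names, one zone key per domain, and checks which query names those zones would answer locally. Using the last two labels as the zone name (as in the gator.com example) and the sample host list are assumptions.

```python
import re

# Value lines and file name copied from the .reg fragment quoted in the thread.
ZONE_VALUES = [
    '"Type"=dword:00000001',
    '"DatabaseFile"="blockedrequest.dns"',
    '"SecureSecondaries"=dword:00000001',
    '"NotifyLevel"=dword:00000001',
    '"AllowUpdate"=dword:00000000',
]
ZONES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones"
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def zone_for(host):
    """Zone to create for a host: its last two labels (assumption; too broad for co.uk-style suffixes)."""
    labels = host.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(LABEL.fullmatch(lab) for lab in labels):
        raise ValueError(f"not a usable host name: {host!r}")  # keeps ']' and newlines out of key names
    return ".".join(labels[-2:])


def build_reg(hosts):
    """Build the REGEDIT4 text with one zone key per distinct blocked domain."""
    zones = sorted({zone_for(h) for h in hosts})
    out = ["REGEDIT4", "", f"[{ZONES_KEY}]", ""]
    for zone in zones:
        out += [f"[{ZONES_KEY}\\{zone}]", *ZONE_VALUES, ""]
    return "\r\n".join(out)


def is_sinkholed(qname, zones):
    """True if qname is a zone apex or below one, compared on label boundaries."""
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in zones)


# Constructed sample input: host names an admin might pull from DNS logs.
SAMPLE_HOSTS = ["adserver.lab.rot3.gator.com", "WWW.Gator.com.", "tracker.evil.net"]

if __name__ == "__main__":
    print(build_reg(SAMPLE_HOSTS))
    zones = {zone_for(h) for h in SAMPLE_HOSTS}
    for name in ("x.y.gator.com", "gator.com", "alligator.com"):
        print(name, "->", "127.0.0.1 (local zone)" if is_sinkholed(name, zones) else "forwarded")
```

Every name under a listed zone resolves to loopback, so check the generated zone list for domains that also host services the clients need before importing it.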

