Re: DNS Forwarding/Stub zones? - DNS

You might be interested in this white paper.
http://staff.science.uva.nl/~delaat/...p12/report.pdf

Quoting Fr34k:
> Warning: the below may be considered off topic.
> Have you considered how you will manage malicious websites/IPs?
> Have you checked if anyone else is managing this via DNS?
> What about malware that writes/hijacks MS windows hosts files?
> Such infected devices will not make DNS queries and, therefore, will bypass
> such a configuration.
> Perhaps force http/https traffic through a proxy where URLs can be scrubbed of
> malicious content?
> For example, using Squid (www.squid-cache.net) and its ACL functionality, such as:
> acl maliciousregex urlpath_regex -i "/path/to/file/which/has/maliciousregex"
> http_access deny maliciousregex
> Furthermore, I recall reading the ability to config Squid to use a freeware
> version of what the websense vendor-ware does. I never tried this, however.
> Finally, one could write scripts to run reports on those devices making
> requests for malware so it could be acted upon.
> My intent was not to get off topic, but to offer another solution to what you
> may be ultimately trying to achieve.
> I included the list in case someone else may find value in my reply.
> --- firstname.lastname@example.org wrote:
> > Greetings all,
> > I'm trying to write a document about how we could intercept requests to
> > potentially malicious websites using DNS forwarding. After doing some
> > reading I stumbled across stub zones. What I don't fully understand is
> > the implementation of this or which would be better.
> > Example:
> > Client infected with malware tries to get to something.ru. So we tell
> > our internal DNS servers to tell the client that, instead of going out,
> > my little server over here is actually something.ru, effectively
> > intercepting the request.
> > I assumed creating a simple forward zone for *.ru would be the best way
> > to accomplish this, but then I have to create a forward zone for every
> > domain I want forwarded. With the stub zone I understand that I could
> > just provide the DNS admin the root.stubs.conf file and this would
> > effectively accomplish the same thing? Can you use wildcards in the
> > root.stubs file? i.e. *.ru?
> > Could someone please clarify this for me as I'm confused if they work
> > the same way.
> > Thanks in advance.
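The per-domain approach the original poster describes, as an added example that is not part of this thread: a Python script that turns a blocklist into one locally authoritative BIND zone per domain (a master zone, since the goal is to answer with the internal server's own address), and that reports entries such as "*.ru" which cannot be a zone name. The sinkhole address, zone-file path, nameserver names and sample blocklist are assumptions.

```python
"""Generate per-domain BIND sinkhole zones from a blocklist. Added example for this
thread, not code from any poster or from BIND; the sinkhole address, zone-file path
and sample blocklist are assumptions."""
import re

SINKHOLE_IP = "10.0.0.5"             # assumed: internal server that catches the traffic
ZONE_FILE = "/etc/bind/db.sinkhole"  # assumed: one zone file shared by every sinkholed domain
# One DNS label: 1-63 letters, digits or '-', not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(name):
    """Lower-case, strip whitespace and any trailing dot."""
    return name.strip().lower().rstrip(".")

def is_zone_name(name):
    """A zone stanza needs a concrete name: '*.ru' or a bare TLD is rejected."""
    labels = normalize(name).split(".")
    return len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def zone_stanzas(blocklist):
    """Return (stanzas, rejected): one named.conf 'zone' block per valid domain,
    plus the entries (wildcards, typos) that cannot be expressed as a zone name."""
    stanzas, rejected = [], []
    for raw in blocklist:
        name = normalize(raw)
        if not name or name.startswith("#"):
            continue  # skip blank lines and comments
        if is_zone_name(name):
            stanzas.append('zone "%s" { type master; file "%s"; };' % (name, ZONE_FILE))
        else:
            rejected.append(name)
    return stanzas, rejected

def sinkhole_zone(ip=SINKHOLE_IP):
    """Zone data answering the apex and every subdomain with the sinkhole address;
    '@' keeps one file valid for whichever zone loads it."""
    return "\n".join([
        "$TTL 60",
        "@ IN SOA ns1.sinkhole.internal. hostmaster.sinkhole.internal. (1 3600 900 604800 60)",
        "@ IN NS ns1.sinkhole.internal.",
        "@ IN A " + ip,
        "* IN A " + ip,
    ]) + "\n"

if __name__ == "__main__":
    sample = ["# malicious hosts", "something.ru", "*.ru", "Evil.Example.", ""]  # constructed
    ok, bad = zone_stanzas(sample)
    print("\n".join(ok))
    print("rejected (not valid zone names):", bad)
```

Each generated stanza points at the same zone file, so adding a domain is one line in named.conf; wildcards still have to be handled by a different mechanism.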