denying URLs with squid, DNS, or /etc/hosts? - Unix



Thread: denying URLs with squid, DNS, or /etc/hosts?

  1. denying URLs with squid, DNS, or /etc/hosts?

    I have a network with about a dozen WinXP workstations and a linux
    gateway/firewall/proxy server/DNS (iptables, squid, bind).

    I came across this site http://www.mvps.org/winhelp2002/hosts.htm which
    has a hosts file you can download containing malicious URLs and maps
    them to 127.0.0.1 so they can't "phone home" etc. It's of the format

    127.0.0.1 ads.active.com
    127.0.0.1 ad.doubleclick.net

    and so on.

    I /could/ put the file on every workstation in c:\win\sys32\drivers\etc
    as recommended on that site, and it works. But rather than that I am
    sure there is a way to use the server to do it.

    I tried appending it to /etc/hosts and restarted bind, but the URLs
    still resolved to their external addresses.

    So I'm thinking I need to add them to either the squid or bind configs,
    with bind probably being the "best" option.

    e.g. appending /var/cache/bind/xxxx.local.zone :

    ads.active.com 3600 IN A 127.0.0.1
    ad.doubleclick.net 3600 IN A 127.0.0.1

    Any thoughts or recommendations?
    Should/can I use 0.0.0.0 instead?

    --
    Troy Piggins
    ,-o Ubuntu v5.10 (Breezy Badger): kernel 2.6.12-9-386,
    o ) postfix 2.2.4, procmail 3.22, mutt 1.5.11i,
    `-o slrn 0.9.8.1/rt (score_color patch), vim 7.0f (beta)

  2. Re: denying URLs with squid, DNS, or /etc/hosts?

    On 01 May 2006 23:16:07 GMT
    Troy Piggins wrote:

    > I tried appending it to /etc/hosts and restarted bind, but the URLs
    > still resolved to their external addresses.


    First, you should realise that nslookup and dig (as well as the djbdns
    tools) bypass the system's resolver library, so you cannot test the
    effect of your change using them. Use a little program that calls the
    library (like ghbn.c below):

    /* Little program to test gethostbyname */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <netdb.h>
    #include <errno.h>

    /* Print a message and exit; fputs() avoids using the text as a format string */
    void quit(int code, const char *text) {
        fputs(text, stderr);
        exit(code);
    }

    int main(int argc, char *argv[]) {

        struct hostent *shp;
        struct hostent sh;
        char buf[1024];
        int herr;   /* not called h_errno: that name is a macro on glibc */

        /* Accept parameter from command line */
        if (argc != 2) quit(1, "I need a hostname to resolve\n");

        /* Call gethostbyname_r; the signature differs between Solaris and glibc */
    #ifdef __GLIBC__
        if (gethostbyname_r(argv[1], &sh, buf, sizeof(buf), &shp, &herr) != 0)
            shp = NULL;
    #else
        shp = gethostbyname_r(argv[1], &sh, buf, sizeof(buf), &herr);
    #endif

        /* Print results: one line per address, then the canonical name and aliases */
        if (shp) {
            char **cp;
            for (cp = shp->h_addr_list; *cp != NULL; cp++) {
                struct in_addr addr;
                char **cq;
                memcpy(&addr.s_addr, *cp, sizeof(addr.s_addr));
                printf("%s %s", inet_ntoa(addr), shp->h_name);
                for (cq = shp->h_aliases; *cq != NULL; cq++) {
                    printf(" %s", *cq);
                }
                putchar('\n');
            }
        } else {
            printf("Cannot resolve %s (%d)\n", argv[1], herr);
        }

        return 0;
    }


    Here's a run of the program with the hosts file you're referring to
    (compiled on Solaris 10 with Sun Studio 11):

    bogus~[121] cc ghbn.c -o ghbn -lnsl -lsocket
    bogus~[122] ./ghbn bogus.ecc.lu
    192.168.1.7 bogus.ecc.lu bogus
    bogus~[123] dnsip actualnames.com
    66.218.79.161 66.218.79.140 66.218.79.155 66.218.79.147 66.218.79.149
    66.218.79.148
    bogus~[124] ./ghbn actualnames.com
    127.0.0.1 actualnames.com

    Notice that the dnsip command (from djbdns) returns all the IP
    addresses, but that gethostbyname_r() uses our extended /etc/hosts file.
    I then switched back to the original /etc/hosts, and got the same
    results as dnsip with the test program.

    bogus~[125] ./ghbn actualnames.com
    66.218.79.161 actualnames.com
    66.218.79.140 actualnames.com
    66.218.79.147 actualnames.com
    66.218.79.148 actualnames.com
    66.218.79.149 actualnames.com
    66.218.79.155 actualnames.com

    If you still have no result, check the following:

    - Have you converted the file to have Unix EOL characters?

    - Make sure that your /etc/nsswitch.conf specifies:

    hosts: files dns

    Take care,

    --
    Stefaan A Eeckels
    --
    Q: If ignorance is bliss, why aren't there more happy people in the
    world? A: Because they don't know they're ignorant.

  3. Re: denying URLs with squid, DNS, or /etc/hosts?

    * Stefaan A Eeckels wrote:
    > On 01 May 2006 23:16:07 GMT
    > Troy Piggins wrote:
    >
    >> I tried appending it to /etc/hosts and restarted bind, but the URLs
    >> still resolved to their external addresses.

    >
    > First, you should realise that nslookup and dig (as well as the djbdns
    > tools) bypass the system's resolver library, so you cannot test the
    > effect of your change using them. Use a little program that calls the
    > library (like ghbn.c below):
    >
    > /* Little program to test gethostbyname */

    [snip program code]
    > Here's a run of the program with the hosts file you're referring to
    > (compiled on Solaris 10 with Sun Studio 11):
    >
    > bogus~[121] cc ghbn.c -o ghbn -lnsl -lsocket
    > bogus~[122] ./ghbn bogus.ecc.lu
    > 192.168.1.7 bogus.ecc.lu bogus
    > bogus~[123] dnsip actualnames.com
    > 66.218.79.161 66.218.79.140 66.218.79.155 66.218.79.147 66.218.79.149
    > 66.218.79.148
    > bogus~[124] ./ghbn actualnames.com
    > 127.0.0.1 actualnames.com
    >
    > Notice that the dnsip command (from djbdns) returns all the IP
    > addresses, but that gethostbyname_r() uses our extended /etc/hosts file.
    > I then switched back to the original /etc/hosts, and got the same
    > results as dnsip with the test program.
    >
    > bogus~[125] ./ghbn actualnames.com
    > 66.218.79.161 actualnames.com
    > 66.218.79.140 actualnames.com
    > 66.218.79.147 actualnames.com
    > 66.218.79.148 actualnames.com
    > 66.218.79.149 actualnames.com
    > 66.218.79.155 actualnames.com


    Thanks! I can now test to see what they will resolve to, but I still
    can't *solve* the problem.

    Should I add the URLs to bind's zone files?
    Or is there a way to get bind to use /etc/hosts?

    > If you still have no result, check the following:
    >
    > - Have you converted the file to have Unix EOL characters?


    Yes.

    > - Make sure that your /etc/nsswitch.conf specifies:
    >
    > hosts: files dns


    Yes it does.

    --
    Troy Piggins
    ,-o Ubuntu v5.10 (Breezy Badger): kernel 2.6.12-9-386,
    o ) postfix 2.2.4, procmail 3.22, mutt 1.5.11i,
    `-o slrn 0.9.8.1/rt (score_color patch), vim 7.0f (beta)

  4. Re: denying URLs with squid, DNS, or /etc/hosts?

    On 03 May 2006 07:55:34 GMT
    Troy Piggins wrote:

    > Thanks! I can now test to see what they will resolve to, but I still
    > can't *solve* the problem.
    >
    > Should I add the URLs to bind's zone files?


    That is not going to work - you'd have to make bind authoritative for
    all those zones which is nigh impossible, and bound to have undesirable
    side effects.

    > Or is there a way to get bind to use /etc/hosts?


    Bind cannot use /etc/hosts as it is its alternative when it comes to
    name resolution.

    AFAIK squid uses gethostbyname(), so it should behave like the
    program I included. Simply instruct all your PCs to use squid to
    access the Internet. You could block port 80 on your outgoing router(s)
    for all systems but the proxy server to enforce the use of the proxy
    (this is what I do on my LAN).

    Take care,

    --
    Stefaan A Eeckels
    --
    "A ship in the harbor is safe. But that's not what ships are built for."
    -- Rear Admiral Dr. Grace Murray Hopper.

  5. Re: denying URLs with squid, DNS, or /etc/hosts?

    * Stefaan A Eeckels wrote:
    > On 03 May 2006 07:55:34 GMT
    > Troy Piggins wrote:
    >
    >> Thanks! I can now test to see what they will resolve to, but I still
    >> can't *solve* the problem.
    >>
    >> Should I add the URLs to bind's zone files?

    >
    > That is not going to work - you'd have to make bind authoritative for
    > all those zones which is nigh impossible, and bound to have undesirable
    > side effects.
    >
    >> Or is there a way to get bind to use /etc/hosts?

    >
    > Bind cannot use /etc/hosts as it is its alternative when it comes to
    > name resolution.
    >
    > AFAIK squid uses gethostbyname(), so it should behave like the
    > program I included. Simply instruct all your PCs to use squid to
    > access the Internet. You could block port 80 on your outgoing router(s)
    > for all systems but the proxy server to enforce the use of the proxy
    > (this is what I do on my LAN).


    Thank you Stefaan. All workstations already are set up to use only the
    proxy, and port 80 is already blocked by firewall.

    So I'll look into squid conf in more detail.

    Thanks again.

    --
    Troy Piggins
    ,-o Ubuntu v5.10 (Breezy Badger): kernel 2.6.12-9-386,
    o ) postfix 2.2.4, procmail 3.22, mutt 1.5.11i,
    `-o slrn 0.9.8.1/rt (score_color patch), vim 7.0f (beta)
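    As an added example that is not part of this thread: the script below
    turns a hosts-file blocklist of the kind the original post describes into
    a plain list of hostnames that squid can load with a dstdomain ACL, so the
    block happens in the proxy the workstations are already forced through
    rather than in the resolver. The output path /etc/squid/adblock.txt and
    the ACL name adblock are assumptions, not anything squid prescribes.

```python
# Added example (not from the thread): build a squid dstdomain list from a
# hosts-file blocklist. Path /etc/squid/adblock.txt and acl name "adblock" are assumed.
import re

# Sink addresses the hosts-file convention uses for "block this name"; the
# thread asks about 0.0.0.0 vs 127.0.0.1, so both are accepted here.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}
# Names every hosts file carries that must never end up on the deny list.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")

def hosts_to_dstdomain(lines: list[str]) -> list[str]:
    """Sorted, de-duplicated hostnames that the file maps to a sink address.
    Tolerates the DOS line endings the thread warns about, strips '#'
    comments, lower-cases names and skips ordinary (non-sink) mappings."""
    names = set()
    for raw in lines:
        line = raw.rstrip("\r\n").split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] not in SINK_ADDRESSES:
            continue  # a real host mapping, not a block entry
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not HOSTNAME_RE.match(name):
                continue  # keep local names resolvable, drop malformed entries
            names.add(name)
    return sorted(names)

def squid_acl_snippet(list_path: str, acl_name: str = "adblock") -> str:
    """squid.conf lines that load the list and deny matching requests. A
    dstdomain entry without a leading dot matches that exact host, which is
    what the hosts-file format expresses; the deny must precede the
    http_access line that allows the LAN."""
    return f'acl {acl_name} dstdomain "{list_path}"\nhttp_access deny {acl_name}\n'

# Constructed sample in the hosts-file format with DOS line endings (not the real file).
SAMPLE_HOSTS = (
    "# blocklist header comment\r\n"
    "127.0.0.1 localhost\r\n"
    "127.0.0.1 ads.active.com\r\n"
    "0.0.0.0 ad.doubleclick.net # inline comment\r\n"
    "127.0.0.1 Ads.Active.Com\r\n"
    "192.168.1.7 bogus.ecc.lu bogus\r\n"
)

if __name__ == "__main__":
    print("\n".join(hosts_to_dstdomain(SAMPLE_HOSTS.splitlines(keepends=True))))
    print(squid_acl_snippet("/etc/squid/adblock.txt"), end="")
```

    After writing the list and adding the two squid.conf lines, squid picks
    up a refreshed list with squid -k reconfigure.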

  6. Re: denying URLs with squid, DNS, or /etc/hosts?

    In comp.unix.admin Troy Piggins :
    > I have a network with about a dozen WinXP workstations and a linux
    > gateway/firewall/proxy server/DNS (iptables, squid, bind).


    > I came across this site http://www.mvps.org/winhelp2002/hosts.htm which
    > has a hosts file you can download containing malicious URLs and maps
    > them to 127.0.0.1 so they can't "phone home" etc. It's of the format


    There are several (iirc) addzapp extensions for squid which will
    do that in a more elegant way, STFW (freshmeat.net and the like).

    [..]

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 356: the daemons! the daemons! the terrible
    daemons!

  7. Re: denying URLs with squid, DNS, or /etc/hosts?

    * Michael Heiming wrote:
    > In comp.unix.admin Troy Piggins :
    >> I have a network with about a dozen WinXP workstations and a linux
    >> gateway/firewall/proxy server/DNS (iptables, squid, bind).

    >
    >> I came across this site http://www.mvps.org/winhelp2002/hosts.htm which
    >> has a hosts file you can download containing malicious URLs and maps
    >> them to 127.0.0.1 so they can't "phone home" etc. It's of the format

    >
    > There are several (iirc) addzapp extensions for squid which will
    > do that in a more elegant way, STFW (freshmeat.net and the like).
    >
    > [..]
    >


    Thanks mate. Will look into it.

    --
    Troy Piggins
    My karma just ran over my dogma
