Using DNS for hosts or domains filtering

[ObiWan]

First of all, I'm not sure if this is the right place to post this, in case I'll get a bash from the mods and move this post elsewhere ;D

Now, to go back on topic, DNS filtering is something I've been using for quite some time now, and something which I found really useful, not just to block "ad" sites or "danging pigs" ones ::) but also to cut-off unwanted sites or even WHOLE domains

Here's how it works (using Microsoft DNS)

Start by firing up your favourite editor (notepad will do btw) and copy/paste the following in the editor window

Code: [Select]


; NULL Zone File for DNS filtering
;
@                        IN  SOA localhost.  root.localhost. (
                                2008090201  ; serial number
                                28800           ; refresh
                                1800             ; retry
                                432000         ; expire
                                18000      )    ; minimum TTL

;
;  Zone NS records
;

@           NS               localhost.

                                A   169.254.255.254
*            IN               A   169.254.255.254


in case you're wondering the above is a DNS zone file which will resolve ANY request to 169.254.255.254, feel free to change that IP if you want (e.g. using 127.0.0.1 or any other "unused" IP) when done, save the zone inside %SYSTEMROOT%\System32\dns and give it the name "nullzone.dns" (ensure to save it as "any file" to avoid the automatic addition of the "txt" extension)

Now you're ready to start filtering hosts or domains; all you'll need to do will be firing up your DNS console, selecting the "forward zones" node and then after a right click, selecting "new zone", the new zone will be a "standard primary" (we don't need AD for filtering ;)), enter either the host name (e.g. www.foobar.com) or the domain name (e.g. foobar.com) you want to block and then, when it comes to the zone file name, select "use the following file" and enter "nullzone.dns", that is, the zone file you created above, confirm and that's all, now try running "nslookup www.foobar.com" or "nslookup foobar.com" and you'll see the result

Repeat the above for whatever host/domain you want and you'll quickly build up your DNS filtering list; as I wrote, such a list will be useful to block "ad" sites, pr0n sites and so on, but may also come handy to quickly lock-off malware sites/domains

Well... that's all, I just hope you'll find it as useful as I did

HTH

[John B.]

Doesn't this give the same result as adding the following line in your hosts file?

Code: [Select]

127.0.0.1 foobar.com

[ObiWan]

Doesn't this give the same result as adding the following line in your hosts file?

Code: [Select]

127.0.0.1 foobar.com

Not exactly; that line will map "foobar.com" to 127.0.0.1 but (e.g.) ftp.foobar.com will *still* be reachable w/o any filtering (try it by yourself and you'll see)

The hosts file allows you to enter ... hosts :D ... and there's no "wildcarding" for whole domains (and no, "*" won't work either); also, a rather big host file may slow down your machine, while having a central DNS will set the "load" only on the DNS machine and will also allow you to have a "central point of control" for filtering; so, if you're sitting on a mid to huge size network with a DNS, or in any case, if you have your own DNS resolver, that's the right way to go

Also, since we're at DNS filtering, you may find interesting this site

http://pgl.yoyo.org/adservers/

Pete (the hostmaster) is a good friend and has a lot of ready-to-use lists ;)

[John B.]

Thanks for the information, ObiWan. Interesting trick.

[PCBruiser]

It is an interesting alternative, but I'm curious why you don't simply block it at your firewall (either or both hardware and software).  That way you can do two way blocking, etc.  It seems to me that it is both easier and more logical to use the packet level blocking that a firewall uses than to do it at a higher level part of the OS.  And, as I said, that does not block inbound packets AFAIK.

[ObiWan]

It is an interesting alternative, but I'm curious why you don't simply block it at your firewall (either or both hardware and software).  That way you can do two way blocking, etc.  It seems to me that it is both easier and more logical to use the packet level blocking that a firewall uses than to do it at a higher level part of the OS.  And, as I said, that does not block inbound packets AFAIK.

Well... sure, you may use the firewall to block hosts, but...

First of all, a regular firewall will only act on IP addresses (or blocks), so, you'll have to create a rule to block the hosts (notice, HOSTS not whole domains!) you want, but then... those hosts may move to a different IP address and you'll not only need to update your filtering rule, but you'll also take care of removing the old IPs otherwise you may end up filtering innocent hosts now sitting on those same addresses :o

Then... some firewalls allow to create hostname or domain based rules, but this poses an additional load on the firewall since it will need to perform DNS lookups to check if a given host/domain rule is matched, now, since the firewall shouldn't be overloaded if possible, and since the DNS already performs such lookups routinely (all in all it's its job) I think that using such a filtering at the firewall level is a waste of resources if you have your own resolver ;)

Also, using "DNS filtering" doesn't exclude firewalling; the two ideas will work perfectly "hand in hand", and since setting up DNS filtering is rather easy, yet effective, I think it may be a good addition to everyone "arsenal" and I think it may be a feature which will ease quick filtering of unwanted hosts/domains