[geeks] .hk, .cn, .info considered harmful
Phil Stracchino
alaric at metrocast.net
Thu Jun 5 08:08:59 CDT 2008
Geoffrey S. Mendelson wrote:
> On Thu, Jun 05, 2008 at 08:32:19AM -0400, Phil Stracchino wrote:
>> Everyone's probably seen the report by now, citing that in these three
>> worst TLDs, as many as one site in ten carries a payload of malware.
>> So, since the kids aren't good at paying attention to such things, I
>> decided in the interest of safety to block all traffic to and from those
>> TLDs at the firewall.
>>
>>
>> Problem: What netblocks to actually block. I managed to find one site
>> offering a list of .cn and .hk netblocks; the combined total is over
>> 10k, gzipped. There's got to be a better solution than that.
>
> Are you running your own DNS server? If so you can add your own
> files to resolve those domains.
I am, but there are problems with that idea. First, I have to figure out
a way to use a domain name, rather than a CIDR spec, in pf rules.
Secondly, every time a packet is matched against that rule, it'll
trigger a DNS lookup, which sounds like a really bad idea to me.
So far I'm unable to come up with anything cleaner than a big table for
each domain.
Yeah, I could locally direct those TLDs to, say, loopback. But that
won't stop (for example) a link to an obfuscated IP address, or a script
loaded from a direct-IP-address URL. It's not so much what I can see
that I'm concerned about.
--
Phil Stracchino, CDK#2 DoD#299792458 ICBM: 43.5607, -71.355
alaric at caerllewys.net alaric at metrocast.net phil at co.ordinate.org
Renaissance Man, Unix ronin, Perl hacker, Free Stater
It's not the years, it's the mileage.
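The "big table for each domain" approach Phil settles on is the one pf is built for: a table is matched by address, with no name resolution at packet time, and it can be loaded from a file and swapped atomically with pfctl. The script below is an added example (mine, not Phil's or the list's) that turns a raw netblock dump of the kind he describes into a pf table file, collapsing adjacent and nested prefixes so a 10k-entry list shrinks where it can, and emitting the matching pf.conf lines. The table name cn_hk, the path /etc/pf/cn_hk.txt, and the sample netblocks are all assumptions; the sample blocks are documentation ranges, not real .cn/.hk assignments.

```python
"""Build a compact pf table file from a raw CIDR list (added example)."""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the shape of a downloaded netblock list:
# comments, blank lines, overlapping prefixes, and one malformed entry.
# These are RFC 5737 documentation ranges, not real .cn/.hk netblocks.
SAMPLE_NETBLOCKS = """\
# .cn/.hk netblocks (constructed sample)
192.0.2.0/25
192.0.2.128/25        # adjacent to the /25 above -> merges into a /24
198.51.100.0/24
198.51.100.64/26      # contained in the /24 above -> dropped
203.0.113.0/24

not-a-netblock        # malformed, must be skipped rather than abort the load
"""

# Assumed names; pick your own table name and path.
TABLE_NAME = "cn_hk"
TABLE_PATH = "/etc/pf/cn_hk.txt"


def parse_netblocks(text: str) -> List[Network]:
    """Parse one CIDR per line, ignoring comments, blanks and bad entries."""
    nets: List[Network] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits set in sloppy dumps (e.g. 10.1.2.3/24)
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            print(f"line {lineno}: skipping malformed entry {line!r}")
    return nets


def collapse(nets: List[Network]) -> List[Network]:
    """Merge adjacent and nested prefixes; v4 and v6 are collapsed separately
    because ipaddress.collapse_addresses refuses mixed versions."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_table(nets: List[Network]) -> str:
    """Render the file pf's 'table ... file' directive reads: one prefix per line."""
    return "".join(f"{n}\n" for n in nets)


def pf_rules(table: str = TABLE_NAME, path: str = TABLE_PATH) -> str:
    """pf.conf fragment: a persistent table backed by the file, and quick drops
    in both directions so nothing reaches a stateful pass rule later on."""
    return (
        f'table <{table}> persist file "{path}"\n'
        f"block drop quick from <{table}> to any\n"
        f"block drop quick from any to <{table}>\n"
    )


def build_table(text: str) -> List[Network]:
    """Full pipeline: parse, then collapse."""
    return collapse(parse_netblocks(text))


if __name__ == "__main__":
    nets = build_table(SAMPLE_NETBLOCKS)
    with open("cn_hk.txt", "w") as fh:   # written to the current directory for the demo
        fh.write(render_table(nets))
    print(f"{len(nets)} prefixes written to cn_hk.txt")
    print(pf_rules())
```

After regenerating the file, `pfctl -t cn_hk -T replace -f /etc/pf/cn_hk.txt` swaps the table contents in place without reloading the whole ruleset, which is what makes a periodic refresh of a large list tolerable. Note that, as Phil says about the DNS option, an address table only covers addresses you have listed: a script fetched from a direct-IP URL outside those netblocks is still not caught by this rule.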