[rescue] Tricking DNS - summary so far
Sheldon T. Hall
rescue at sunhelp.org
Mon Oct 22 10:52:30 CDT 2001
OK, here's what we've got so far ....
"You can't preload the DNS cache."
I was afraid of that. This would seem to be a nice BIND enhancement,
though, and a good way to fight the rampant and tasteless commercialism
that's making much of the 'net unpleasant to use.
"Make your DNS server authoritative for the zones involved"
That's actually what I'm trying to avoid, since there are 50-60 machines I
want to block, and the number grows daily. Setting up 50 zone files would
waste more of my time than blocking the hosts would ever save. I don't want
to block everything from those zones, necessarily, either.
"Stick with the hosts file and use rdist to distribute it."
Oh, that this were an all-Unix network. It's Windows PCs, mostly. I
_could_ actually automatically distribute the host file, using a Windows
batch file, and I may do that. I really wish Windows had symbolic links
....
"Block the bastards at the border [router]."
This would work OK, too, but the telnet interface to this Netopia ISDN
router is, ummm, suboptimal, and I hate the thought of having to use it to
enter 50-60 filter setups. Not to mention I'd have to look up all those IP
addresses. It may not have enough slots to handle that number of hosts,
anyway.
"Deflect the addresses to an internal webserver."
I used to do that. Deflecting them to localhost is _much_ faster.
"Update to BIND 9!"
I probably will, someday. The DNS server runs on an LX under Solaris 7, and
it's behind a pretty good firewall. Since the LX isn't "armored" in any
way, having an old, vulnerable BIND implementation isn't any worse than a
hundred other things on that box. This is a home network, so internal
security threats are nil.
"JunkBuster will do that."
Yep. I've tried it, actually, on my PC. It works OK, and I might set it up
on some internal host so everyone could use it. Maybe behind a real proxy
server so we'd have less traffic on the ISDN link. If anyone has any
opinions about compiling/installing/running JunkBuster on an LX under Solaris
7, _please_ let me know. My first thought is that the machine would be too
slow for it to be satisfactory, but I'd be happy to be wrong.
I'm grateful for all the suggestions.
-Shel
--
Sheldon T. Hall
shel at cmhc.com
206-842-2858
206-780-7971
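As an added example (not part of Shel's post or any BIND documentation), the usual way around the "50 zone files" objection to the authoritative-zone approach: one stanza per blocked host in named.conf, every stanza pointing at the same shared zone file, whose apex record resolves to 127.0.0.1. The script below generates both; the host list, nameserver name and file names are constructed assumptions.

```shell
#!/bin/sh
# Added example: generate a per-host "blackhole" DNS setup in named.conf
# syntax (BIND 8/9). Every blocked host becomes its own zone, but all zones
# share a single zone file, so the list can grow without new files.

# Emit named.conf zone stanzas. $1 = newline-separated host list,
# $2 = shared zone file name (assumed default: blackhole.db).
gen_named_conf() {
    _hosts=$1
    _zonefile=${2:-blackhole.db}
    printf '%s\n' "$_hosts" | while IFS= read -r h; do
        # skip blank lines and comments in the host list
        case $h in ''|'#'*) continue ;; esac
        printf 'zone "%s" { type master; file "%s"; };\n' "$h" "$_zonefile"
    done
}

# Emit the shared zone file. "@" is the zone apex, i.e. the blocked host
# itself, so one file answers 127.0.0.1 for every stanza above; the "*"
# record also catches names underneath the blocked host.
gen_blackhole_zone() {
    _ns=${1:-ns.example.invalid.}   # assumed nameserver name
    cat <<EOF
\$TTL 86400
@   IN  SOA $_ns hostmaster.example.invalid. ( 1 3600 900 604800 86400 )
    IN  NS  $_ns
    IN  A   127.0.0.1
*   IN  A   127.0.0.1
EOF
}

# Constructed sample host list (placeholders, not real ad hosts).
SAMPLE_HOSTS='ads.example.test
# comment line
banners.example.test

counter.example.test'

# Number of zone stanzas produced from the sample list (blank/comment lines skipped).
count_stanzas() {
    gen_named_conf "$SAMPLE_HOSTS" | grep -c '^zone '
}
```

Run `gen_named_conf "$(cat hosts.txt)" >> named.conf` and `gen_blackhole_zone > blackhole.db`, then reload named; `nslookup ads.example.test` against the server should return 127.0.0.1.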