[unisog] spyware control through black-hole DNS

Michael Holstein michael.holstein at csuohio.edu
Wed Feb 1 16:00:19 GMT 2006

> Blackhole routers as I understand them (or at least as
> it was used at my previous job) relies on the address
> to be "non-routable" to your internal network. 
> Spyware sending most of its traffic over port 80
> would still get routed through the proxy, correct?? 
> Then again I may be wrong.

DNS resolution happens before the traffic gets sent (by the application) 
to the proxy -- so no, it'll still work in an environment that requires 
www traffic be proxied. The HTTP request is for the IP address, with the 
hostname in the header (that's how multiple sites work on the same 
address). This doesn't change when running a proxy -- unless you're also 
proxying the DNS requests (I know TOR is actively working on a good way 
to do this, but no mainstream apps do it, AFAIK).

Also, sometimes it's actually more useful to make the DNS A records 
returned from a blackhole list go to something on your network that 
actually runs a webserver -- just to log all the requests (so you can 
make lists of the bad people).

I've also configured Apache to deliver 1x1 clear GIFs (to any request) 
as part of an adware-blocking campaign.


Michael Holstein CISSP GCIA
Cleveland State University
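The logging sinkhole web server described in the reply above, as an added example that is not part of the original post or any listed tool. It assumes every blackholed name in the DNS list resolves to the host running this script, so the HTTP Host header is what tells you which blackholed name a client actually asked for; the in-memory log, hostnames and client addresses used in the test are constructed.

```python
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer

# Standard 43-byte 1x1 transparent GIF ("clear pixel") served for every request.
CLEAR_GIF = bytes.fromhex(
    "47494638396101000100800000000000ffffff21f904010000"
    "00002c00000000010001000002024401003b"
)

# Constructed in-memory store; a production deployment would write to a log file/SIEM.
SINKHOLE_LOG = []


def record_hit(client_ip, host, path, user_agent=""):
    """Record one request that reached the sinkhole.

    Because all blackholed names point at this server, the Host header
    (not the destination IP) identifies the spyware/adware domain requested.
    """
    entry = {"client": client_ip, "host": host or "-", "path": path, "ua": user_agent}
    SINKHOLE_LOG.append(entry)
    logging.info("sinkhole hit client=%s host=%s path=%s ua=%s", *entry.values())
    return entry


def hosts_by_client(entries):
    """Group blackholed hostnames by internal client: the 'list of bad people'."""
    out = {}
    for e in entries:
        out.setdefault(e["client"], set()).add(e["host"])
    return out


class SinkholeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        record_hit(self.client_address[0], self.headers.get("Host"),
                   self.path, self.headers.get("User-Agent", ""))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(CLEAR_GIF)))
        self.send_header("Cache-Control", "no-store")  # make repeat beacons visible
        self.end_headers()
        self.wfile.write(CLEAR_GIF)

    do_POST = do_GET          # beacons that POST get the same treatment

    def log_message(self, *args):
        pass                   # suppress default stderr logging; record_hit logs instead


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    HTTPServer(("0.0.0.0", 80), SinkholeHandler).serve_forever()
```

Running `hosts_by_client(SINKHOLE_LOG)` periodically gives the per-machine list of blackholed names contacted, which is the data the post suggests collecting.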
