[unisog] spyware control through black-hole DNS
michael.holstein at csuohio.edu
Wed Feb 1 16:00:19 GMT 2006
> Blackhole routers as I understand them (or at least as
> it was used at my previous job) relies on the address
> to be "non-routable" to your internal network.
> Spyware sending most of its traffic over port 80
> would still get routed through the proxy, correct??
> Then again I may be wrong.
DNS resolution happens before the traffic gets sent (by the application)
to the proxy -- so no, it'll still work in an environment that requires
www traffic to be proxied. The HTTP request is for the IP address, with the
hostname in the header (that's how multiple sites work on the same
address). This doesn't change when running a proxy -- unless you're also
proxying the DNS requests (I know TOR is actively working on a good way
to do this, but no mainstream apps do it, AFAIK).
Also, sometimes it's actually more useful to make the DNS A records
returned from a blackhole list go to something on your network that
actually runs a webserver -- just to log all the requests (so you can
make lists of the bad people).
I've also configured Apache to deliver 1x1 clear GIFs (to any request)
as part of an adware-blocking campaign.
Michael Holstein CISSP GCIA
Cleveland State University
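A minimal version of the sinkhole web server described above, as an added example that is not part of Michael Holstein's post or his Apache configuration. It assumes the blackhole DNS zone already answers blocked names with the address of the host running it; the log path and port are assumptions.

```python
"""DNS-sinkhole web responder: logs every request that lands on the
blackhole address and answers it with a 1x1 transparent GIF.
The Host header is the field worth logging: the client connected to the
sinkhole IP, so only that header names the blocked domain it wanted."""
import http.server
import socketserver
from datetime import datetime, timezone

LOG_PATH = "/var/log/dns-sinkhole.log"   # assumed path
PORT = 80                                # needs root; adware expects port 80

# Standard 42-byte transparent 1x1 GIF89a (constructed constant).
CLEAR_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x01\x44\x00\x3b"
)


def sink_record(client_ip, method, path, host, user_agent, when=None):
    """Build one log line for a sinkholed request (pure, so it is testable)."""
    when = when or datetime.now(timezone.utc)
    return "%s %s %s host=%s path=%s ua=%r" % (
        when.strftime("%Y-%m-%dT%H:%M:%SZ"), client_ip, method,
        host or "-", path, user_agent or "-")


class SinkholeHandler(http.server.BaseHTTPRequestHandler):
    def _sink(self):
        line = sink_record(self.client_address[0], self.command, self.path,
                           self.headers.get("Host"),
                           self.headers.get("User-Agent"))
        with open(LOG_PATH, "a") as log:
            log.write(line + "\n")
        # Always "succeed" so the client stops retrying and renders nothing.
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(CLEAR_GIF)))
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(CLEAR_GIF)

    do_GET = do_POST = do_HEAD = _sink

    def log_message(self, *args):   # keep stderr quiet; the file is the log
        pass


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", PORT), SinkholeHandler) as srv:
        srv.serve_forever()
```

Run it on the sinkhole host and grep the log by host= to build the list of clients and the blocked domains they were contacting.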