Blocking adservers with BIND9.1.0

Kevin Darcy kcd at daimlerchrysler.com
Thu Jan 8 03:26:06 UTC 2004


Isaac Grover wrote:

>Hi everyone,
>
>After considering what I would gain with djbdns and my configuration, the end
>wouldn't justify the means - just looks like more work.
>
>Onto my situation:  using the adserver list at http://adservers.v3.net, I block
>the outgoing requests for images to those adservers at my firewall/proxy and
>redirect the traffic to a 404 page on my F/P.  Basically I make zone
>declarations for those adservers and redirect them to my F/P.
>
>An annoyance I've noticed is that requests to adservers explicitly listed in the
>zone declarations result in "host not found" messages on client machines, but
>requests to subdomains of those adservers will be correctly redirected to the
>F/P and show the 404 page.  For example, a request to "ads.osdn.com" will show a
>"host not found" message, but a request to "bogus.ads.osdn.com" will show the
>correct 404 page.
>
>The objective is to have requests to all adservers and subdomains of those
>adservers be redirected to the 404 page on the F/P.
>
>My config files are below.  (I have not included the complete adserver list for
>courtesy.)  Am I missing an option somewhere, or is there a better way to be
>doing this?
>
>named.conf.internet:
>options {
>        directory "/var/named";
>        allow-query { 192.168.100.0/24; 127.0.0.1; localhost; };
>        listen-on { 192.168.100.1; 127.0.0.1; };
>        forward first;
>        forwarders { 209.244.0.3; 209.244.0.4; 205.171.3.65; 205.171.19.251;
>                     199.166.28.10; 199.166.31.3; 204.57.55.100; };
>};
>
>zone "." { type hint; file "root.hints"; };
>zone "mynetwork" { type master; file "192.168.100.forward"; };
>zone "100.168.192.in-addr.arpa" { type master; file "192.168.100.reverse"; };
>
># 11/17/03
>zone "clustera.icq.com" { type master; notify no; file "null.zone.file"; };
>zone "clustere.icq.com" { type master; notify no; file "null.zone.file"; };
>
># 11/25/03
>zone "ads.servethis.com" { type master; notify no; file "null.zone.file"; };
>
>192.168.100.forward:
>$TTL 3D
>@               IN      SOA     gibson.mynetwork. root.gibson.mynetwork. (
>                                2003093002 ; year.month.day.sequence
>                                8H      ; Refresh
>                                2H      ; Retry
>                                4W      ; Expire
>                                1D)     ; Minimum TTL
>        IN      MX      100     gibson
>        IN      MX      150     popi.myexcel.com
>                NS      gibson
>localhost       IN      A       127.0.0.1
>gibson  IN      A       192.168.100.1
>flower  IN      A       192.168.100.105
>milk    IN      A       192.168.100.106
>adserver        IN      A       192.168.100.253  ; where the 404 page is
>
>192.168.100.reverse:
>$TTL 3D
>@               IN      SOA     gibson.mynetwork. root.gibson.mynetwork. (
>                                2003093003 ; year.month.day.sequence
>                                8H      ; Refresh
>                                2H      ; Retry
>                                4W      ; Expire
>                                1D)     ; Minimum TTL
>@       IN      NS      gibson.mynetwork.
>1       IN      PTR     gibson.mynetwork.
>105     IN      PTR     flower.mynetwork.
>106     IN      PTR     milk.mynetwork.
>253     IN      PTR     adserver.mynetwork.
>
>null.zone.file:
>$TTL    86400
>@       IN      SOA     adserver. root.adserver.mynetwork. (
>                        2003112602 ; year.month.day.sequence
>                         604800 ; Refresh
>                          86400 ; Retry
>                        2419200 ; Expire
>                         604800 ) ; Negative Cache TTL
>
>        IN      NS      192.168.100.1
>;       IN      MX      192.168.100.1
>*       IN      A       192.168.100.253
>
Add an A record above the wildcard record, with the same address and a 
blank owner name: blank owner names "inherit" the last non-blank owner 
name, thus the A record will be owned by "@" aka the zone name.

                                                                         
                                             - Kevin