Blocking adservers with BIND9.1.0
Kevin Darcy
kcd at daimlerchrysler.com
Thu Jan 8 03:26:06 UTC 2004
Isaac Grover wrote:
>Hi everyone,
>
>After considering what I would gain with djbdns and my configuration, the end
>wouldn't justify the means - just looks like more work.
>
>Onto my situation: using the adserver list at http://adservers.v3.net, I block
>the outgoing requests for images to those adservers at my firewall/proxy and
>redirect the traffic to a 404 page on my F/P. Basically I make zone
>declarations for those adservers and redirect them to my F/P.
>
>An annoyance I've noticed is that requests to adservers explicitly listed in the
>zone declarations result in "host not found" messages on client machines, but
>requests to subdomains of those adservers will be correctly redirected to the
>F/P and show the 404 page. For example, a request to "ads.osdn.com" will show a
>"host not found" message, but a request to "bogus.ads.osdn.com" will show the
>correct 404 page.
>
>The objective is to have requests to all adservers and subdomains of those
>adservers be redirected to the 404 page on the F/P.
>
>My config files are below. (I have not included the complete adserver list for
>courtesy.) Am I missing an option somewhere, or is there a better way to be
>doing this?
>
>named.conf.internet:
>options {
> directory "/var/named";
> allow-query { 192.168.100.0/24; 127.0.0.1; localhost; };
> listen-on { 192.168.100.1; 127.0.0.1; };
> forward first;
> forwarders { 209.244.0.3; 209.244.0.4; 205.171.3.65; 205.171.19.251; 199.166.28.10; 199.166.31.3; 204.57.55.100; };
>};
>
>zone "." { type hint; file "root.hints"; };
>zone "mynetwork" { type master; file "192.168.100.forward"; };
>zone "100.168.192.in-addr.arpa" { type master; file "192.168.100.reverse"; };
>
># 11/17/03
>zone "clustera.icq.com" { type master; notify no; file "null.zone.file"; };
>zone "clustere.icq.com" { type master; notify no; file "null.zone.file"; };
>
># 11/25/03
>zone "ads.servethis.com" { type master; notify no; file "null.zone.file"; };
>
>192.168.100.forward:
>$TTL 3D
>@ IN SOA gibson.mynetwork. root.gibson.mynetwork. (
> 2003093002 ; year.month.day.sequence
> 8H ; Refresh
> 2H ; Retry
> 4W ; Expire
> 1D) ; Minimum TTL
> IN MX 100 gibson
> IN MX 150 popi.myexcel.com
> NS gibson
>localhost IN A 127.0.0.1
>gibson IN A 192.168.100.1
>flower IN A 192.168.100.105
>milk IN A 192.168.100.106
>adserver IN A 192.168.100.253 <-- where the 404 page is
>
>192.168.100.reverse:
>$TTL 3D
>@ IN SOA gibson.mynetwork. root.gibson.mynetwork. (
> 2003093003 ; year.month.day.sequence
> 8H ; Refresh
> 2H ; Retry
> 4W ; Expire
> 1D) ; Minimum TTL
>@ IN NS gibson.mynetwork.
>1 IN PTR gibson.mynetwork.
>105 IN PTR flower.mynetwork.
>106 IN PTR milk.mynetwork.
>253 IN PTR adserver.mynetwork.
>
>null.zone.file:
>$TTL 86400
>@ IN SOA adserver. root.adserver.mynetwork. (
> 2003112602 ; year.month.day.sequence
> 604800 ; Refresh
> 86400 ; Retry
> 2419200 ; Expire
> 604800 ) ; Negative Cache TTL
>
> IN NS 192.168.100.1
>; IN MX 192.168.100.1
>* IN A 192.168.100.253
>
Add an A record above the wildcard record, with the same address and a
blank owner name: blank owner names "inherit" the last non-blank owner
name, thus the A record will be owned by "@" aka the zone name.
- Kevin
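As an added illustration (not part of the thread), a small Python model of the two zone-file rules the fix relies on: a blank owner column inherits the previous non-blank owner, and a `*` wildcard only matches names strictly below the label it sits at, so the apex `ads.osdn.com` needs its own record. `ORIGIN`, the one-line SOA and the zone text are constructed simplifications of the poster's `null.zone.file`.

```python
# Added example (not from the thread): a minimal model of BIND's blank-owner
# inheritance and "*" wildcard matching, A records only. ORIGIN and the zone
# text are constructed from the poster's null.zone.file (SOA collapsed to one line).
ORIGIN = "ads.osdn.com."
BROKEN_ZONE = """\
$TTL 86400
@ IN SOA adserver. root.adserver.mynetwork. ( 1 604800 86400 2419200 604800 )
  IN NS gibson.mynetwork.
* IN A 192.168.100.253
"""
# Kevin's fix: a blank-owner A record above the wildcard inherits "@", the apex.
FIXED_ZONE = BROKEN_ZONE.replace("* IN A", "  IN A 192.168.100.253\n* IN A")

def parse_zone(text, origin):
    """Return {owner_fqdn: [addresses]} for the A records in a zone-file body."""
    records, last_owner = {}, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.startswith("$"):
            continue                                    # blank line or directive
        fields = line.split()
        if raw[0].isspace():                            # blank owner: inherit
            owner = last_owner
        else:
            owner = fields.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"             # relative name
            last_owner = owner
        if fields and fields[0] == "IN":
            fields.pop(0)
        if len(fields) >= 2 and fields[0] == "A":
            records.setdefault(owner, []).append(fields[1])
    return records

def lookup_a(records, qname):
    """Exact owner first, else the closest wildcard; "*.X" never covers X itself."""
    if qname in records:
        return records[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in records:
            return records[candidate]
    return None
```

With `BROKEN_ZONE` the apex query returns nothing while `bogus.ads.osdn.com.` hits the wildcard; with `FIXED_ZONE` both resolve to 192.168.100.253.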