Wildcards or KeyWords???
kcd at daimlerchrysler.com
Fri Nov 5 01:52:15 UTC 2004
Based on what little technical information is available on that website,
it looks like the Paxfire appliance is just intercepting DNS requests,
looking them up on the backend and then returning a reference to a
"default" website if the DNS name being looked up doesn't exist (I'm
sure it's a little more sophisticated than that, it probably has the
ability to "redirect" to several different websites, depending on the
contents of the DNS query, and I'm sure it has a purty GUI frontend,
yadda yadda yadda).
I see no reason that you couldn't write a DNS "proxy" to do something
similar. It could probably even run on the same box as your BIND
nameserver. But BIND itself does not have any capability to do anything
like this. The most you'd be able to do is put a wildcard in your *own*
domain, so that if the browser's first lookup failed and the stub
resolver on the client went to another lookup with your domain name
appended (as a result of a searchlist, "suffix search order" or
whatever), it would get the wildcard and connect to a website of your
P.S. I'm thinking this Paxfire appliance idea will die a horrible death
if DNSSEC ever gets off the ground, since in that case the appliance
won't be able to spoof the (cryptographically-signed) responses to the
satisfaction of a properly-configured and security-aware DNS client...
Stephen Williams wrote:
>Ok so yes I am basically wanting to do a redirect of HTTP traffic. This
>exactly what I want to do at this site http://www.paxfire.com if anyone
>has any ideas on how to emulate what is done with this appliance via DNS
>please please share as I am out of ideas.
>Barry Margolin wrote:
>>In article <cmbucb$hj5$1 at sf1.isc.org>,
>> "Kerry Thompson" <kerry at security.geek.nz> wrote:
>>>It sounds like the function where you enter keywords in the location field
>>>on some browsers, they get URL-wrapped and sent to a search engine and the
>>>user either gets the search results page or directed to the site at the
>>>top of the search.
>>>This is a function of the browser program, and has nothing to do with DNS.
>>It *could* be done by DNS. Similar to the way that NSI set up a *.COM
>>wildcard so that any nonexistent domains would be redirected to their
>>server. You could create a DNS server that reacts to nonexistent
>>hostnames by returning the IP address of the search engine. The search
>>engine can then look at the Host: header to find out the hostname that
>>was entered into the browser.
>>The problem with this is that not all hostname lookups come from names
>>typed into browsers. This design would cause problems when people
>>mistype hostnames in email addresses, for instance.
More information about the bind-users