ho to filter hundeds of domains ?

[Mark Andrews]

In message <1346342946.14282.32.camel at mjelap.posix.co.za>, Mark Elkins writes:
> On Thu, 2012-08-30 at 17:25 +0200, Emanuele Balla (aka Skull) wrote:
> > On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
> > > On Thu, Aug 30, 2012 at 03:16:32PM +0200,
> > >  fddi <fddi at gmx.it> wrote=20
> > >  a message of 15 lines which said:
> > >=20
> > >> Actually many telephone companies in the world are doing this,=20
> > >=20
> > > They're wrong politically (censorship) and they're wrong technically
> > > (see O'Reilly's answer).
> > >=20
> > > Copying telephone companies is not a good idea for the Internet :-)
> >=20
> > Still, that kind of setup is *mandatory* for ISPs in Italy :-\
> 
> Is the mandatory setup to actually use 'DNS' to block access to gambling
> sites? Its easy enough to script an automatic update if someone central
> and with the necessary authority decides what it not allowed (eg a
> governmental man). Could even stick the 'bad' names in DNS to do the
> distribution.
> 
> Suggestion: Don't listen to Niall O'Reilly - although he may be right.
> (tongue firmly stuck in cheek)
> 
> Note to self, run own recursive DNS resolver on my laptop whilst
> travelling in Italy.
> 
> 8.8.8.8 ?

Which is exactly why the DNS is the wrong level to do this at if
you have a legal obligation to block access.  The only way to do
that is to block the packets themselves.  Given these are gambling
sites the chance of collateral damage is minimal if you just block
all access to the ips in question.   Just make sure you can get
through to their nameservers so you can keep the list of IP addresses
to filter current.  

Mark

> --=20
>   .  .     ___. .__      Posix Systems - (South) Africa
>  /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
> / |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org