Security-Basics mailing list

Subject: Spyware blocking with HOSTS file on DNS server
Date: Fri, 28 Jan 2005 10:44:47 -0800
Greetings list,

Recent plagues of spyware/adware on our ~2000-client network have us
interested in strategies for eliminating it. One path we're
investigating is the use of compiled lists of known spyware/adware host
names in HOSTS file format that resolve them to loopback. But since all
our clients proxy web traffic through a central point, no name
resolution is ever done at the client and a HOSTS file would do us no
good at the desktop. Instead our proxy server performs all name
resolution against an internal DNS server. Also, we'd like to centrally
manage the solution. Questions follow:

- list policies and practices
We'd like to find a compiled HOSTS file with clear policies and
transparent practices for inclusion and removal. Of the dozen or so
HOSTS files I've found, none seem to meet that desire. Anyone have
experience with a source that might be, um... "enterprise friendly"?
Fairly regular updates would be good too, but it seems easy to find
lists that are well maintained.

- Loopback vs 0.0.0.0; connection use
It seems some HOSTS lists like to resolve names to loopback
(127.0.0.1), but others advocate resolving to 0.0.0.0. Which is better?
If resolving to loopback, do we have to wait for the connection to
time out? But when resolving to 0.0.0.0, is the failure more immediate?
Since this would all be taking place at a fairly busy proxy server, what
would the impact of one or the other be to my connection pool?

- HOSTS to zone conversion
Since our proxy is a closed-source appliance we may be unable to put a
HOSTS file on it. Further, if we can't make our DNS server pay attention
to its own HOSTS file I assume that we'd need to convert any list to a
zone file for import to the DNS server. New to me...any hints or tips
here? Should I make an effort to eliminate all the host names and just
pretend to be master of each adware domain? This is an oddball enough
situation that my introductory DNS skills can't figure out the best way
to do it. Any help would be appreciated.

Any other gotchas or hints from the list are welcomed. I also welcome
reference to lists or forums more closely focused on this area of
interest.

Thanks,

Dan Lynch, CISSP
County of Placer
Auburn, CA
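The HOSTS-to-zone conversion asked about in the third question, as an added example that is not part of the original post or of any vendor's tooling. It reads a HOSTS-format list, discards the `localhost`-style entries every such list carries, drops any name whose parent is also listed, and emits BIND 9 `named.conf` stanzas that make the server authoritative ("master") for each remaining name. All stanzas point at one shared zone file whose `@` and `*` records answer with the sinkhole address, so every label beneath a blocked name is covered without having to know where the registrable domain ends. The sample list, the `/etc/bind/db.blackhole` path, the `localhost.` NS target and the default sink of `0.0.0.0` are assumptions; the sink is a parameter because what a proxy sees when it connects to `0.0.0.0` is OS-dependent (Windows fails the connect immediately, Linux treats it like loopback), so the choice between `0.0.0.0` and `127.0.0.1` should be tested on the proxy host itself. Later BIND releases (9.8 and up) offer response policy zones for this job; the per-name master zone below is the approach available to BIND of that era and still loads today.

```python
"""Convert a HOSTS-format blocklist into BIND 9 configuration: one
`zone` stanza per blocked name, all sharing a single blackhole zone
file that answers the apex and a wildcard with the sinkhole address.
Paths, names and the sample list below are assumptions for illustration.
"""
import ipaddress
import re

# Constructed sample in HOSTS format (not a real blocklist).
HOSTS_SAMPLE = """\
# comment line
127.0.0.1  localhost
127.0.0.1  ads.example.test
0.0.0.0    tracker.example.test   # trailing comment
127.0.0.1  example.test
127.0.0.1  www.ads.example.test
127.0.0.1  ADS.EXAMPLE.TEST
127.0.0.1  ads.other.test bad.other.test
"""

# Entries that ship in most HOSTS files but must never become zones.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_hosts(text):
    """Return the set of lowercase host names in HOSTS-format text.
    Lines whose first field is not an IP address are skipped, as are
    names that are not syntactically valid DNS names."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or "." not in name:
                continue
            if all(LABEL_RE.match(label) for label in name.split(".")):
                names.add(name)
    return names


def collapse(names):
    """Drop every name that has an ancestor in the list: the ancestor's
    zone already answers for everything below it via the wildcard record,
    and BIND would otherwise load the child as a redundant zone."""
    kept = set()
    for name in sorted(names, key=lambda n: n.count(".")):
        labels = name.split(".")
        if any(".".join(labels[i:]) in kept for i in range(1, len(labels))):
            continue
        kept.add(name)
    return sorted(kept)


def named_conf(names, zonefile="/etc/bind/db.blackhole"):
    """named.conf fragment: one master zone per name, all sharing one
    zone file (the path is an assumption)."""
    return "".join(f'zone "{n}" {{ type master; file "{zonefile}"; }};\n'
                   for n in names)


def zone_file(sink="0.0.0.0", serial=2005012801):
    """Shared zone file. `@` expands to each zone's own origin when BIND
    loads the file, so a single file serves every blocked name."""
    return f"""$TTL 3600
@   IN SOA localhost. hostmaster.localhost. (
        {serial} ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        3600 )     ; negative-cache TTL
@   IN NS  localhost.
@   IN A   {sink}
*   IN A   {sink}
"""


def build(hosts_text, sink="0.0.0.0"):
    """Full conversion: returns (named.conf fragment, zone file text)."""
    names = collapse(parse_hosts(hosts_text))
    return named_conf(names), zone_file(sink)


if __name__ == "__main__":
    conf, zone = build(HOSTS_SAMPLE)
    print(conf)
    print(zone)
```

Feed the real list to `build()` in place of `HOSTS_SAMPLE`, include the generated fragment from `named.conf`, write the zone text to the path you chose, and run `named-checkconf` and `named-checkzone` before reloading. Because the same file backs every zone, BIND must be allowed to open it read-only and the list must be regenerated, not edited in place, when the source updates; keep the serial monotonic if any secondary servers ever transfer these zones.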
