Go into your recursive DNS server. Add a blank authoritative forward zone for google.com. Boom, it's dead to you.
----
Matthew Huff             | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039
aim: matthewbhuff        | Fax: 914-460-4139

> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matthew Park
> Sent: Thursday, February 09, 2012 12:49 PM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Filtering traffic to destinations based off of DNS addresses on an ASA?
>
> Steve,
> Will this just block URLs or can it block all traffic to a domain? The latter is what I'm looking for.
> Say block ALL traffic (make a domain "Dead to me") to google.com (no ping, nothing to mail.google.com, maps.google.com.. etc.)
>
> Thanks for the quick reply!
>
> --Matthew Park
>
> -----Original Message-----
> From: Steve McCrory [mailto:smccr...@gcicom.net]
> Sent: Thursday, February 09, 2012 10:37 AM
> To: Matthew Park; cisco-nsp@puck.nether.net
> Subject: RE: [c-nsp] Filtering traffic to destinations based off of DNS addresses on an ASA?
>
> Matthew,
>
> There is a URL filtering feature on the ASA which should suffice for your requirements and does not require additional licenses. It is, however, limited to 100 URLs max.
>
> A good guide can be found here:
>
> https://supportforums.cisco.com/docs/DOC-1268
>
> Below is a copy of the configuration we had to block access to facebook and youtube. I've listed the commands backwards from applying the service-policy to the interface. Hopefully you will be able to follow it but feel free to ask any questions you may have:
>
> service-policy inside-policy interface inside
> !
> policy-map inside-policy
>  class httptraffic
>   inspect http http_inspection_policy
> !
> class-map httptraffic
>  match access-list inside_URL-block
> !
> access-list inside_URL-block extended permit tcp any any eq www
> access-list inside_URL-block extended permit tcp any any eq 8080
> !
> policy-map type inspect http http_inspection_policy
>  parameters
>  class BlockDomainsClass
>   reset log
>  match request method connect
>   drop-connection log
> !
> class-map type inspect http match-all BlockDomainsClass
>  match request header host regex class DomainBlockList
> !
> class-map type regex match-any DomainBlockList
>  match regex domainlist1
>  match regex domainlist2
> !
> regex domainlist1 "\.facebook\.com"
> regex domainlist2 "\.youtube\.com"
>
>
> Couple of extra things you may be interested to know:
>
> - You can add additional URLs to the filter by defining them with a regex and then referencing that regex in the class-map DomainBlockList
> - If you wanted to bypass this filter for a particular user, you can add a deny statement for their IP addresses to the beginning of the inside_URL-block ACL. This obviously requires that they have a static IP address.
>
> Regards
>
> Steven
>
>
> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Matthew Park
> Sent: 09 February 2012 16:29
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Filtering traffic to destinations based off of DNS addresses on an ASA?
>
> Hello all,
> Does anyone know of a good way to make a filter (access-list or whatever) on a Cisco ASA 5510 using a DNS address as the destination rather than a set of IP addresses?
>
> For example, block any internal hosts from browsing to www.microsoft.com even though they have several webservers mapped to that DNS address, essentially "blacklisting" www.microsoft.com from the company.
>
> I found Cisco's "Botnet Filter" that looks like it might work, but before I buy a license for it, I was curious as to anyone else's experiences with this filter or another method for accomplishing this?
>
> Matthew Park
> Senior Systems Administrator
> Exelis Visual Information Solutions
> matthew.p...@exelisvis.com
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
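The thread's two answers differ in scope: the ASA `inspect http` policy only ever sees flows selected by `inside_URL-block` (tcp/80 and tcp/8080) and decides on the HTTP Host header, while the recursive-DNS blank zone removes name resolution for everything. The following Python model, added here as an illustration and not code from the thread, Cisco, or either poster, replays constructed flows through the posted policy so a defender can see exactly which ones a regex class-map catches. It assumes Python's `re.search` behaves like the ASA regex engine for these constructs (unanchored search, with `^`, `$`, `|` and groups supported); `Flow`, `asa_action` and `HARDENED_BLOCK_LIST` are names invented for this example.

```python
"""Model of the ASA URL filter posted in the thread.

Added example, not a Cisco tool.  Python's re.search stands in for the
ASA regex engine (assumption); every flow below is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The regex objects exactly as posted (regex domainlist1 / domainlist2).
DOMAIN_BLOCK_LIST = [r"\.facebook\.com", r"\.youtube\.com"]

# Hardened variants (assumption: ASA regex supports ^ $ | and groups).
# (^|\.) also matches the bare apex "facebook.com"; ($|:) stops at end
# of host or a ":port" suffix, so "facebook.com.example.net" no longer
# matches an unrelated zone.
HARDENED_BLOCK_LIST = [r"(^|\.)facebook\.com($|:)", r"(^|\.)youtube\.com($|:)"]

# Ports selected by access-list inside_URL-block (eq www, eq 8080).
INSPECTED_TCP_PORTS = {80, 8080}


@dataclass(frozen=True)
class Flow:
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int]      # destination port, None for icmp
    host: Optional[str]       # HTTP Host header, None if no plain HTTP request
    method: str = "GET"       # HTTP request method


def host_matches(host: str, patterns) -> bool:
    """class-map type regex match-any: any pattern found anywhere in the Host."""
    return any(re.search(p, host) for p in patterns)


def asa_action(flow: Flow, patterns=DOMAIN_BLOCK_LIST) -> str:
    """Verdict of the posted policy for one flow: permit, reset or drop."""
    # class httptraffic only matches the ACL; anything else skips inspection.
    if flow.proto != "tcp" or flow.dport not in INSPECTED_TCP_PORTS:
        return "permit"
    # No parseable HTTP request (e.g. TLS on 8080): the Host regex never fires.
    if flow.host is None:
        return "permit"
    # match request method connect -> drop-connection log
    if flow.method.upper() == "CONNECT":
        return "drop"
    # class BlockDomainsClass -> reset log
    if host_matches(flow.host, patterns):
        return "reset"
    return "permit"


def evaluate(flows, patterns=DOMAIN_BLOCK_LIST):
    """Return [(flow, verdict)] for a batch of flows under one pattern list."""
    return [(f, asa_action(f, patterns)) for f in flows]


# Constructed sample flows covering the cases the thread raises.
SAMPLE_FLOWS = [
    Flow("icmp", None, None),                             # ping: never inspected
    Flow("tcp", 443, None),                               # HTTPS: not in the ACL
    Flow("tcp", 80, "www.facebook.com"),                  # intended block
    Flow("tcp", 80, "facebook.com"),                      # bare apex: leading dot missing
    Flow("tcp", 80, "www.facebook.com.example.net"),      # unrelated zone, over-match
    Flow("tcp", 8080, "facebook.com:8080"),               # Host with explicit port
    Flow("tcp", 8080, "proxy.example.net", "CONNECT"),    # CONNECT dropped outright
]

if __name__ == "__main__":
    for label, pats in (("posted", DOMAIN_BLOCK_LIST), ("hardened", HARDENED_BLOCK_LIST)):
        print(f"--- {label} regex list ---")
        for flow, verdict in evaluate(SAMPLE_FLOWS, pats):
            print(f"{flow.proto:5} {str(flow.dport):5} {str(flow.host):36} {flow.method:8} -> {verdict}")
```

Running it side by side shows the two things worth checking before trusting such a filter: the posted patterns never see ICMP, HTTPS or any port outside the ACL (so a domain is not "dead", only its plain-HTTP browsing is), and because the match is an unanchored search, `\.facebook\.com` misses the bare `facebook.com` Host while matching hosts in other zones that merely contain that string. The hardened list fixes both regex issues; the scope limitation is inherent to the mechanism.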