On Tue, Dec 19, 2017 at 02:58:57PM +0500,
Tariq Saraj <[email protected]> wrote
a message of 1158 lines which said:
> using a firewall based on domain names can be simply bypassed by
> accessing websites through IP address.
No, no, this is absolutely not what I was talking about. Instead, I
referred to:
> Second, there are some firewalls such as Cisco and Kaspersky that handle
> this situation: when someone configures a firewall rule based on a domain name,
> it automatically resolves the IPv4 and IPv6 addresses for that domain and
> updates the firewall rules so that it cannot be bypassed by accessing the
> server directly by IP address.
Exactly.
> But, these are highly expensive firewalls and normally not
> affordable for every organization.
Any 50 US $ OpenWRT router can do it (iptables accepts domain names).
% sudo iptables -A OUTPUT -d www.example.com -j DROP
% sudo iptables -n -v -L OUTPUT
Chain OUTPUT (policy ACCEPT 184 packets, 22306 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            93.184.216.34
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop