Eric,

> I wrote up a quick note on what we do at:
> 
>       http://www.roxanne.org/~eric/blaster.html

Quote from "Known Issues":

"One of the unfortunate side effects of it is that some spyware/adware either 
overrides your DNS settings with their own or makes an HTTP call to their website 
before allowing the browser to download a page normally."

A different way to tackle this problem (instead of the DNS views approach) is to do 
it at a lower level. Something like Cisco's SSG (*) can be used to do the equivalent 
of DNAT for a specified set of source addresses.

This being a static configuration, I wonder if SSG's original purpose can be used as a 
solution which does not need DHCP. In this case, all network users would, by default, 
be redirected to a "verification website" (whatever verification method is used to 
determine whether this host is infected), after which the user is allowed to pass 
through the gateway without manipulating the packets IF the box was confirmed clean.

On a separate note, with the complexity of setting up SSG aside, you can easily 
implement something like this using iptables' REDIRECT target. ("iptables -s 
10.0.0.0/8 -j REDIRECT ..." or something)

~Hani Mustafa

(*) http://www.cisco.com/warp/public/cc/pd/as/6400/prodlit/ssgw_ds.htm
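As an added example that is not part of the message above, the following script emits the iptables commands for the default-quarantine gateway Hani sketches: a LAN range is redirected to a local verification portal until each host is released. Chain names (QUARANTINE, QUARANTINE_FWD), the portal port and the LAN interface are assumptions; the script prints the commands rather than running them so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the original message: print the iptables rules for a
# gateway that quarantines every host in a LAN range by default and redirects
# its HTTP traffic to a local verification portal. Releasing a verified host
# inserts a per-host RETURN at the top of the chains, so no DHCP or DNS
# manipulation is needed. Pipe the output to "sh" as root to apply it.
PORTAL_PORT=8080   # assumed: the verification web server listens here on the gateway
LAN_IF=eth1        # assumed: the interface facing the LAN

# Quarantine a whole range: port 80 is REDIRECTed to the portal (those packets
# then hit INPUT, not FORWARD), DNS is allowed so names still resolve, and all
# other forwarded traffic from the range is dropped until the host is released.
quarantine_setup() {
    range=$1
    cat <<EOF
iptables -t nat -N QUARANTINE
iptables -t nat -A PREROUTING -i $LAN_IF -s $range -j QUARANTINE
iptables -t nat -A QUARANTINE -p tcp --dport 80 -j REDIRECT --to-ports $PORTAL_PORT
iptables -N QUARANTINE_FWD
iptables -I FORWARD -i $LAN_IF -s $range -j QUARANTINE_FWD
iptables -A QUARANTINE_FWD -p udp --dport 53 -j ACCEPT
iptables -A QUARANTINE_FWD -j DROP
EOF
}

# Release one verified host: a RETURN at position 1 of both chains lets it
# skip the redirect and the drop without touching the default rules.
release_host() {
    cat <<EOF
iptables -t nat -I QUARANTINE 1 -s $1 -j RETURN
iptables -I QUARANTINE_FWD 1 -s $1 -j RETURN
EOF
}

# Put a host back into quarantine (for example after a later detection) by
# removing its exception; the default rules catch it again immediately.
revoke_host() {
    cat <<EOF
iptables -t nat -D QUARANTINE -s $1 -j RETURN
iptables -D QUARANTINE_FWD -s $1 -j RETURN
EOF
}
```

The exception is keyed on the source address alone, so the portal should only call release_host after its own check has passed, and a short-lived lease or MAC binding is worth adding where address spoofing on the LAN is a concern.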
