Something like this will probably work well for most say small to medium sized sites, with the big sites there is no guarantee. Their DNS names will in the case of some large sites resolve to a selection of the actual server address and be rotated with each client query, a good clue a site is quite possibly doing something like that is when you query the name of a large well known site with a tool like dig and find you get a reply back with a TTL of something really short like 300 secs max, generally a setting that low is for one of two reasons 1) They are using rapid cycling Name->IP mapping or 2) It's a dynamic DNS name. When it's a major organization though is pretty clear which is likely.
Some even will only give out a single IP despite having entire blocks of them, not so clever IMO there is a reason to provide several, fallback if a connection attempt fails. Google for example usually hands out a set of 5, Facebook will only give you 1, though will be gone from your cache in 60secs anyway in which case you may get a new one that way. Like the example bellow, .27 first try, minute later expires and it's .21, I know if it was me and I was trying to block them would be more like just give up and drop 69.171.224.0/19. Anyway was just something I wanted to highlight for anyone intending on making use of such a feature it's got a good potential to break on larger sites or sites which are actively evasive of censorship. My suggestion for anyone wanting to block DNS names would be to do so through DNS, run a local caching resolver either dnsmasq (Easier for the average user most likely especially with it's easy configuration for overriding names etc), or bind is perfectly capable of being used in this way, just create a master zone in the bind config file for the domain you want to block either empty so it will return NXDOMAIN or redirect it to an IP of your choice with an actual zonefile, either way it will cause the local bind server to consider itself authoritative for the name and thus return the configured address instead of looking it up. Once you have that set up, make sure that your resolv.conf is set up to use the local DNS server, can use resolvconf to do this especially if you get your DNS servers from your ISP via DHCP, resolvconf can generate the configuration to automatically set those forwarders up in either bind or dnsmasq and set resolv.conf to point to the local DNS server instead. If you need the additional level of protection ie to defend against deliberate circumvention rather than mere accidental access where this would likely have you set already but you can set shorewall to drop all outgoing DNS queries *except* those originating from the daemon user your caching DNS server runs as. zeus bin # dig www.facebook.com IN A; sleep 60; dig www.facebook.com IN A ; <<>> DiG 9.9.2 <<>> www.facebook.com IN A ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50361 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.facebook.com. IN A ;; ANSWER SECTION: www.facebook.com. 1096 IN CNAME star.c10r.facebook.com. star.c10r.facebook.com. 60 IN A 69.171.242.27 ;; AUTHORITY SECTION: c10r.facebook.com. 37993 IN NS b.ns.c10r.facebook.com. c10r.facebook.com. 37993 IN NS a.ns.c10r.facebook.com. ;; ADDITIONAL SECTION: a.ns.c10r.facebook.com. 37993 IN A 69.171.239.11 b.ns.c10r.facebook.com. 37993 IN A 69.171.255.11 ;; Query time: 60 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Feb 28 02:14:03 2013 ;; MSG SIZE rcvd: 152 ; <<>> DiG 9.9.2 <<>> www.facebook.com IN A ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17328 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.facebook.com. IN A ;; ANSWER SECTION: www.facebook.com. 1031 IN CNAME star.c10r.facebook.com. star.c10r.facebook.com. 60 IN A 69.171.242.21 ;; AUTHORITY SECTION: c10r.facebook.com. 37929 IN NS b.ns.c10r.facebook.com. c10r.facebook.com. 37929 IN NS a.ns.c10r.facebook.com. ;; ADDITIONAL SECTION: a.ns.c10r.facebook.com. 37929 IN A 69.171.239.11 b.ns.c10r.facebook.com. 37929 IN A 69.171.255.11 ;; Query time: 59 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Feb 28 02:15:07 2013 ;; MSG SIZE rcvd: 152 On 28/02/13 00:49, Benny Pedersen wrote: > John Brendler skrev den 2013-02-28 00:39: > >> By the way, dnsmasq is being modified to be able to populate ipsets >> based on name resolution. For example, you could allow or deny a set >> containing all addresses a given URL is actively resolved to. > is the same as rpz policy zone in bind ? > > neat that bind is not the only one so :) > > ------------------------------------------------------------------------------ > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics > Download AppDynamics Lite for free today: > http://p.sf.net/sfu/appdyn_d2d_feb > _______________________________________________ > Shorewall-users mailing list > Shorewall-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/shorewall-users
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
