Re: Spyware blocking with HOSTS file on DNS server

From: David Glosser (david_glosser_at_yahoo.com)
Date: 02/01/05

    Date: Mon, 31 Jan 2005 20:33:56 -0500
    To: Dan Lynch <dan.lynch@placer.ca.gov>, security-basics@securityfocus.com
    
    

    We've had this discussion on the "bleeding snort" malware forum, using
    "black hole" domains in an internal DNS server:
    http://www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98

    Also check out the "bleeding malware" snort ruleset.

    This site:
    http://pgl.yoyo.org/adservers/hosts2bind.ph
    converts host files to DNS zone entries. (Be careful with using loopback,
    as one person on the above forum mentioned that she toasted her
    proxy server by using 127.0.0.1)

    However, most host files contain ad servers such as doubleclick,
    which can't be blocked in a corporate environment.
    You're not alone in your request ;)

    Finally, please check out "Remote BHO Scanner":
    http://www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=427

    It's an ActivePerl program which scans a windows domain for unauthorized
    Browser Helper Objects. I'm looking for people to beta-test as well as Perl
    gurus to help improve the code.

    HTH
    Dave Glosser

    ----- Original Message -----
    From: "Dan Lynch" <dan.lynch@placer.ca.gov>
    To: <security-basics@securityfocus.com>
    Sent: Friday, January 28, 2005 1:44 PM
    Subject: Spyware blocking with HOSTS file on DNS server

    > Greetings list,
    >
    > Recent plagues of spyware/adware on our ~2000-client network have us
    > interested in strategies for eliminating it. One path we're
    > investigating is the use of compiled lists of known spyware/adware host
    > names in HOSTS file format that resolve them to loopback. But since all
    > our clients proxy web traffic through a central point, no name
    > resolution is ever done at the client and a HOSTS file would do us no
    > good at the desktop. Instead our proxy server performs all name
    > resolution against an internal DNS server. Also, we'd like to centrally
    > manage the solution. Questions follow:
    >
    > - list policies and practices
    > We'd like to find a compiled HOSTS file with clear policies and
    > transparent practices for inclusion and removal. Of the dozen or so
    > HOSTS files I've found, none seem to meet that desire. Anyone have
    > experience with a source that might be, um... "enterprise friendly"?
    > Fairly regular updates would be good too, but it seems easy to find
    > lists that are well maintained.
    >
    > - Loopback vs 0.0.0.0; connection use
    > It seems some HOSTS lists like to resolve names to loopback
    > (127.0.0.1), but others advocate resolving to 0.0.0.0. Which is better?
    > If resolving to loopback, do we have to wait for the connection to
    > timeout? But when resolving to 0.0.0.0, is the failure more immediate?
    > Since this would all be taking place at a fairly busy proxy server, what
    > would the impact of one or the other be to my connection pool?
    >
    > - HOSTS to zone conversion
    > Since our proxy is a closed-source appliance we may be unable to put a
    > HOSTS file on it. Further, if we can't make our DNS server pay attention
    > to its own HOSTS file I assume that we'd need to convert any list to a
    > zone file for import to the DNS server. New to me...any hints or tips
    > here? Should I make an effort to eliminate all the host names and just
    > pretend to be master of each adware domain? This is an oddball enough
    > situation that my introductory DNS skills can't figure out the best way
    > to do it. Any help would be appreciated.
    >
    > Any other gotchas or hints from the list are welcomed. I also welcome
    > reference to lists or forums more closely focused on this area of
    > interest.
    >
    > Thanks,
    >
    > Dan Lynch, CISSP
    > County of Placer
    > Auburn, CA

