On Thu, 9 Nov 1995, boz boze ghandi wrote:
> On Nov 9, 9:20, Ralph Mitchell wrote:
> > Subject: Re: Restricting URL's
> > > Mike Culver wrote:
> > > >
> > > > To deny resolution to sex.com, simply add an entry to named.boot for
> > > > bogusns. This directive will tell your DNS that the name server for sex.com
> > > > is bogus, and your DNS will never ask sex.com's DNS anything.
> > >
> > > Nice idea, but... Most of these one-host-wonder sites actually
> > > use their ISP as a name server. Disallowing the ISPs name server
> > > is a bit drastic. Look at playboy.com for example...
> > Then how about putting an entry in my internal DNS that points sex.com to
> > either a non-existent internal address or to something like a PC running
> > Linux+httpd with a single web page that says "Gotcha !" ?? The outside
> > world can't see my internal DNS so I won't be polluting anyone elses DNS...
> > Of course the user could telnet to rs.internic.net and use whois to establish
> > the actual IP address...
> > Ralph Mitchell
> > -- End of excerpt from Ralph Mitchell <ralph @
> even simpler. a user could simply use nslookup providing any dns server
> non-internal. if resolution failed for me personally, regardless of dns
> failure or specific resolution denial, that would be my first reaction.
> why not filter out the ip of specific sites on the external routers? (i
> am relatively new to networking hardware and am unsure of the feasibility
> of this)
> -zach kelly
This should work, in theory. It does have some problems. One, IP addresses
may change while the name might not. This would tend to require a lot of
maintenance work trying to keep up with IP addresses either changed or
new. A more robust solution (IMHO) would be to have a list of banned names
and have an automated method of generating (and regularily re-generating)
the list of corresponding IP addresses for use as a part of a screening
router's configuration. This approach would have troubles with IP
addresses which corresponded to a site that you wanted to ban but which
was not registered in any DNS server. Also this (by itself) wouldn't
prevent use of whois or other similar tools to find out the IP address for
registered domains but it would prevent connections to the corresponding
hosts. With a little bit of work, it would seem possible to intercept and
redirect whois calls which referenced banned domains. This probably
would not accomplish much since it would still be possible to use
another system to do the whois or to request the IP address via e-mail.
Of course, it _might_ be effective in avoiding future attemps to get
to a banned site by the simple fact that such attempts would be logged
and reported for administrative action.
**** cjolley @
net <Carl Jolley>
**** All opinions are my own and not necessarily those of my employer ****