Bind and blacklist IP file

Kalman Feher kalman.feher at melbourneit.com.au
Wed Oct 13 12:36:31 UTC 2010




On 13/10/10 12:13 PM, "Andrey G. Sergeev" <andris at aernet.ru> wrote:

> Hello Alans,
> 
> 
> Tue, 12 Oct 2010 16:52:15 +0300 Alans wrote:
> 
>> On 10/12/2010 03:44 PM, Andrey G. Sergeev (AKA Andris) wrote:
>>> Hello Ian,
>>> 
>>> 
>>> Tue, 12 Oct 2010 10:54:19 +0100 "Ian Tait" wrote:
>>> 
>>>>> Ok, but you can always browse by IP address and in this case
>>>>> there is no DNS server that can stop you from browsing what you
>>>>> want.
>>>> 
>>>> Vaguely related, are host headers - a lot of webservers share an
>>>> IP address/many IP addresses and use host headers to 'display' the
>>>> correct website.
>>>> 
>>>> You wouldn't be able to browse a particular website hosted in this
>>>> fashion, by IP address.
>>> 
>>> If you know the website domain and the corresponding IP address and
>>> if your ISP prevents you from accessing this website by timing out
>>> or tampering with DNS query results you can always put the entry like
>>> 
>>> 192.168.10.20   www.domain.tld.
>>> 
>>> to your hosts file and access the site.
>>> 
>>> This technique is also in use when someone needs to access a site
>>> which is on a non-delegated domain.
>>> 
>> Even this way, you should know all the IPs of the subdomains for it to
>> work properly. Try it for facebook: the homepage opens fine but once you
>> log in it will fail.
> 
> If you can query at least one of the authoritative NS for the domain in
> question then you would have no problems determining the IP addresses
> you might need.
> 
The straightforward answer to the original question is that BIND RPZ
features will allow you to isolate domains as requested. Noting that this is
_just_ DNS and as others have mentioned, that's hardly a solid wall of
unavailability for your blacklisted sites.


>> Another thing, we are talking about a technical person, for other
>> users they don't know about hosts file or they don't have access to
>> change it even if they know about it.
> 
> Sure but please don't forget about the average level of computer skills
> of the audience the most "underground" sites have.


 

-- 
Kal Feher 
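
Added example, not part of the original message or of BIND's own documentation: a sketch of the RPZ approach named in the reply above, turning a plain list of domains into a policy zone that answers NXDOMAIN for each name and, via a wildcard, for its subdomains (the subdomain point raised earlier in the thread). The zone name `rpz.blocklist.local`, the file name, the SOA/NS values and the sample list are assumptions made for illustration.

```python
# Build a BIND RPZ zone file from a domain blocklist (illustrative sketch).
RPZ_ZONE = "rpz.blocklist.local"  # hypothetical policy zone name

# named.conf fragment that loads the zone and applies it as response policy.
NAMED_CONF = f"""\
options {{
    response-policy {{ zone "{RPZ_ZONE}"; }};
}};
zone "{RPZ_ZONE}" {{
    type master;
    file "db.{RPZ_ZONE}";
}};
"""

# Constructed sample input: one domain per line, '#' starts a comment.
SAMPLE_BLOCKLIST = [
    "# constructed sample blocklist",
    "www.domain.tld.",
    "WWW.Domain.TLD",
    "blocked.example   # constructed entry",
    "",
]

def normalize(line):
    """Return a lowercase name without trailing dot, or None for blanks/comments."""
    name = line.split("#", 1)[0].strip().lower().rstrip(".")
    if not name:
        return None
    if any(not label or len(label) > 63 for label in name.split(".")):
        raise ValueError(f"invalid domain name: {line!r}")
    return name

def build_rpz_zone(blocklist_lines, serial):
    """Render the zone text; owner names are relative to the RPZ zone origin."""
    names = sorted({n for n in map(normalize, blocklist_lines) if n})
    out = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. ({serial} 3600 600 86400 300)",
        "@ IN NS localhost.",
    ]
    for name in names:
        out.append(f"{name} CNAME .")    # "CNAME ." = answer NXDOMAIN
        out.append(f"*.{name} CNAME .")  # same policy for every subdomain
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(NAMED_CONF)
    print(build_rpz_zone(SAMPLE_BLOCKLIST, 2010101301))
```

As the reply says, this only changes what the resolver answers; clients using another resolver, a hosts file or the IP address directly are unaffected.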



