need help with trying to redirect to different IP

Bobby Bradshaw

Is there a way to input an entry into DNS to put a wrong IP address of a
website to block someone from accessing it? For example, if I want to make
people not be able to visit www.msn.com in our company, is there a way I can
add an entry into DNS saying www.msn.com is IP 10.10.10.1, when it is not,
making a "Page Not Found" page come up? I'm sure there is a way to do this,
but I can't figure it out.

Someone please advise.
 
DNS is the wrong tool. Proxy, yeah.

But IF I were tight on budget and I had a webserver, then here's how I'd
use DNS to an advantage.
In the webserver, create a website for each of the sites you wish to block.
Use host headers to map all the sites to 1 IP address (so you don't go
wasting IPs :))
On each website, make a default page that says "Page Not Found".
Then in DNS, create a zone for each of the websites you want to block and
map each to the single IP address you used on your webserver.

I hope you won't go this route because it will be tedious since you will have
to create a lot of these. Also, you may find yourself chasing your tail;
your productivity and sanity may take a plunge.

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 
You should be able to block access to whatever sites you like if you have a
good firewall and/or proxy server.

Other than that, you could try the cheap & cheerful route of using a hosts
file on each computer that directs www.msn.com to 127.0.0.1, and so
forth... This is a pain in the butt, though, and the users may be clever enough
to bypass it.
 
Yes, it can be done with DNS, but not easily with Microsoft DNS.

While Deji and Lanwench are correct that this can be done (maybe
better) with a Proxy or Router/Firewall filter there is nothing particularly
wrong about doing it with DNS -- just another choice.

You will need BIND DNS or something like DNSKong.
(You could use the HOSTS file as many people do but that really is a
BAD IDEA due to performance.)

A good proxy FOCUSED on this idea is Privoxy (SourceForge.net)
and it can work in conjunction with another Proxy such as ISA so you
don't have to give up the other.

DNSKong
http://www.pyrenean.com/dnsk.php

ISC BIND
http://www.isc.org/index.pl?/sw/bind/

BIND-PE
http://ntcanuck.com/downloads.htm
http://members.shaw.ca/BIND-PE_and_ICS/

The last link may be the best for you and NTCanuck (the author) posts
around here at times.
 
:
: You should be able to block access to whatever sites you like if you have a
: good firewall and/or proxy server.
:
: Other than that, you could try the cheap & cheerful route of using a hosts
: file on each computer that directs www.msn.com to 127.0.0.1, and so
: forth... This is a pain in the butt, though, and the users may be clever
: enough to bypass it.

You said 'users' and 'clever' in the same sentence without using
'devilishly'.
 
:
: Yes, it can be done with DNS, but not easily with Microsoft DNS.

Why not? If you can do it in a HOSTS file, why not just add address entries
to your DNS and point them to 127.0.0.2?

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
 
:
: Is there a way to input an entry into DNS to put a wrong IP address of a
: website to block someone from accessing it? For example, if I want to
: make people not be able to visit www.msn.com in our company, is there a way
: I can add an entry into DNS saying www.msn.com is IP 10.10.10.1, when it is
: not, making a "Page Not Found" page come up? I'm sure there is a way to do
: this, but I can't figure it out.

Bobby...

If you're willing to spend a little, this can solve your issues:
http://www.surfcontrol.com/products/total_filtering.aspx

HTH...

--
Roland Hall
 
Roland Hall said:
: :
: : Yes, it can be done with DNS, but not easily with Microsoft DNS.
: Why not? If you can do it in a HOSTS file, why not just add address entries
: to your DNS and point them to 127.0.0.2?

Because the hosts file has nothing to do with the DNS SERVER.

Hosts resolution is a distinct method from DNS resolution (although often
lumped together in casual speech or by those who misunderstand the actual
mechanics.)

DNS servers do NOT return a resolution from the "hosts" file -- that file is
only used when the (server) machine resolves addresses for ITSELF -- as
a DNS or IP client.

The hosts file remains a very POOR way to do this also. Its only
recommendation is that it is the easiest to set up initially, requiring no
server and no additional software on the client -- but it is workable for a
few entries or testing.

It is suitable for at most a small number of listings, but the people that do
this seriously typically add on the order of 100,000 entries and it takes up
to an hour to initialize the IP stack (the DNS client service actually.)

The DNS client service loads the entire hosts file into memory and any
change to that host file requires a complete reload, sending the CPU to 100%
for some time.
 
:
: "Roland Hall" wrote:
: > "Herb Martin" wrote:
: > : Yes, it can be done with DNS, but not easily with Microsoft DNS.
: > Why not? If you can do it in a HOSTS file, why not just add address
: > entries to your DNS and point them to 127.0.0.2?
:
: Because the hosts file has nothing to do with the DNS SERVER.

Herb...

I understand how the HOSTS file and DNS work. Let me see if I can clear up
some confusion re: what I asked.
In a split horizon, where two domains are the same, how do you get to a
hosted web site? You create a DNS A record for your external web site.
Yes, you would have to create a zone but most SPAM points to the same
domain, no matter who it comes from. Putting entries in your HOSTS file for
these FQDNs and pointing them to 127.0.0.2 will eliminate email with images
pointing back to the site and allowing them to track it. First let me say,
I am a believer that plain text email is an easier solution. But, IF it can
work in HOSTS files, then why can it not work in DNS for a whole company?
Add a zone, put in an entry and point it to 127.0.0.2.

I am not trying to load the HOSTS file into DNS. One would think you could
easily script this with a honey email address to capture SPAM and update the
DNS. I still think plain text email is a better solution for many reasons
but what are the ramifications of doing this in DNS and will it actually
work?

Your comments appreciated.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
 
:
: "Herb Martin" wrote:
: : "Roland Hall" wrote:
: : > "Herb Martin" wrote:
: : > : Yes, it can be done with DNS, but not easily with Microsoft DNS.
: : > Why not? If you can do it in a HOSTS file, why not just add address
: : > entries to your DNS and point them to 127.0.0.2?
: :
: : Because the hosts file has nothing to do with the DNS SERVER.
:
: Herb...
:
: I understand how the HOSTS file and DNS work. Let me see if I can clear
: up some confusion re: what I asked.
: In a split horizon, where two domains are the same, how do you get to a
: hosted web site? You create a DNS A record for your external web site.
: Yes, you would have to create a zone but most SPAM points to the same
: domain, no matter who it comes from. Putting entries in your HOSTS file
: for these FQDNs and pointing them to 127.0.0.2 will eliminate email with
: images pointing back to the site and allowing them to track it. First let
: me say, I am a believer that plain text email is an easier solution. But,
: IF it can work in HOSTS files, then why can it not work in DNS for a whole
: company? Add a zone, put in an entry and point it to 127.0.0.2.
:
: I am not trying to load the HOSTS file into DNS. One would think you
: could easily script this with a honey email address to capture SPAM and
: update the DNS. I still think plain text email is a better solution for
: many reasons but what are the ramifications of doing this in DNS and will
: it actually work?
:
: Your comments appreciated.

Disregard: It looks like Ace answered it on this thread:

--
Roland Hall
 
: I am not trying to load the HOSTS file into DNS. One would think you
: could easily script this with a honey email address to capture SPAM and
: update the DNS. I still think plain text email is a better solution for
: many reasons but what are the ramifications of doing this in DNS and will
: it actually work?

The issue is that you cannot load Windows DNS with any records unless
you create/hold a zone for that record.

BIND and other (Proxy etc) methods allow us to pick off specific DNS
names without wiping out entire zones (like the Ad servers from some
domains without affecting our ability to contact useful resource servers
there.)

Sure you can script the conversion -- I use what typically starts as a host
file maintained by others -- and use Perl to script it into BIND cache file
format.

Even though I disapprove of using the Hosts file for this, it is clear that
others disagree and do indeed use it.
 
Roland Hall said:
: Disregard: It looks like Ace answered it on this thread:
: news:#[email protected]

Thanks!

Plus would suggest to use ISA or some other tool to do this, including
Surfcontrol, which is what you suggested in this thread. Nice tool.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
"Ace Fekay [MVP]"
wrote:
: Roland Hall <nobody@nowhere> posted their thoughts, then I offered mine
: > "Roland Hall" wrote:
: >> "Herb Martin" wrote:
: >>> "Roland Hall" wrote:
: >>>> "Herb Martin" wrote:
: >>>>> Yes, it can be done with DNS, but not easily with Microsoft DNS.
: >>>> Why not? If you can do it in a HOSTS file, why not just add
: >>>> address entries to your DNS and point them to 127.0.0.2?
: >>>
: >>> Because the hosts file has nothing to do with the DNS SERVER.
: >>
: >> Herb...
: >>
: >> I understand how the HOSTS file and DNS work. Let me see if I can
: >> clear up some confusion re: what I asked.
: >> In a split horizon, where two domains are the same, how do you get
: >> to a hosted web site? You create a DNS A record for your external
: >> web site. Yes, you would have to create a zone but most SPAM points
: >> to the same domain, no matter who it comes from. Putting entries in
: >> your HOSTS file for these FQDNs and pointing them to 127.0.0.2 will
: >> eliminate email with images pointing back to the site and allowing
: >> them to track it. First let me say, I am a believer that plain text
: >> email is an easier solution. But, IF it can work in HOSTS files,
: >> then why can it not work in DNS for a whole company? Add a zone, put
: >> in an entry and point it to 127.0.0.2.
: >>
: >> I am not trying to load the HOSTS file into DNS. One would think
: >> you could easily script this with a honey email address to capture
: >> SPAM and update the DNS. I still think plain text email is a better
: >> solution for many reasons but what are the ramifications of doing
: >> this in DNS and will it actually work?
: >>
: >> Your comments appreciated.
: >
: > Disregard: It looks like Ace answered it on this thread:
: > :
: Thanks!
:
: Plus would suggest to use ISA or some other tool to do this, including
: Surfcontrol, which is what you suggested in this thread. Nice tool.

Easy way out you know. Sometimes money can solve everything. It is a nice
tool and easy to block the COO from day trading and hanging out at the
sports sites. (O:=
I'm not up on ISA *cough* as I should be but would be interested in doing
this as an application, if for no other reason than educational. *putting
it on my list*
 
: > I am not trying to load the HOSTS file into DNS. One would think you
: > could easily script this with a honey email address to capture SPAM and
: > update the DNS. I still think plain text email is a better solution for
: > many reasons but what are the ramifications of doing this in DNS and will
: > it actually work?
:
: The issue is that you cannot load Windows DNS with any records unless
: you create/hold a zone for that record.
:
: BIND and other (Proxy etc) methods allow us to pick off specific DNS
: names without wiping out entire zones (like the Ad servers from some
: domains without affecting our ability to contact useful resource servers
: there.)
:
: Sure you can script the conversion -- I use what typically starts as a
: host file maintained by others -- and use Perl to script it into BIND
: cache file format.
:
: Even though I disapprove of using the Hosts file for this, it is clear
: that others disagree and do indeed use it.

I hear what you're saying but perhaps we're not on the same page. This is
something I'm putting on my research list:

1. Create a honey-pot email address.
2. Grab incoming email with a script
3. Grab the links
4. Parse out the domains
5. Resolve the IPs
6. Update DNS with a new zone
7. If the domain is not in my index that I keep, add the addresses
8. Test to see if I have actually blocked myself from reaching them.

Remember, I'm doing this on the private network. My DNS is NOT going to use
root hints (since I don't have any forwarders) if it finds it locally. I'm
telling it this domain is local and I'm providing a local address. It [DNS]
doesn't check to see if I'm the SOA if I tell it that I am. Nobody on the
Internet will have any issues because they will never be looking at my
private DNS for name resolution for public addressing. Having not tested
yet, I fail to see any ramifications but are you telling me AD will take
issue when this doesn't relate to AD?

I've already tested it with HOSTS files but who would want to have to
maintain numerous HOSTS files when you could make a single entry into DNS
for everyone?

--
Roland Hall
 
: I hear what you're saying but perhaps we're not on the same page. This is
: something I'm putting on my research list:

You're in the same book but on a later page (to torture the analogy.)

: 1. Create a honey-pot email address.
: 2. Grab incoming email with a script
: 3. Grab the links
: 4. Parse out the domains
: 5. Resolve the IPs
: 6. Update DNS with a new zone

Part of the problem here is that you take out everything in that zone;
imagine all the Angelfire, or whatever, with thousands of links.

Instead of making a zone, why not just take out THOSE URL servers?
You can do this by adjusting the CACHE -- BIND allows this.

: 7. If the domain is not in my index that I keep, add the addresses
: 8. Test to see if I have actually blocked myself from reaching them.

But, I ignored (so far) a bigger problem: Most spam will include both
USEFUL and DANGEROUS (or merely undesirable) links. You now
must keep a near infinite list of "good places", especially bad with
zone-wide blocks.

: Remember, I'm doing this on the private network. My DNS is NOT going to use
: root hints (since I don't have any forwarders) if it finds it locally. I'm
: telling it this domain is local and I'm providing a local address. It [DNS]
: doesn't check to see if I'm the SOA if I tell it that I am. Nobody on the
: Internet will have any issues because they will never be looking at my
: private DNS for name resolution for public addressing. Having not tested
: yet, I fail to see any ramifications but are you telling me AD will take
: issue when this doesn't relate to AD?

I always assumed this was internal only -- in fact it worries me just a
smidge that you didn't take that as a given.

: I've already tested it with HOSTS files but who would want to have to
: maintain numerous HOSTS files when you could make a single entry into DNS
: for everyone?

This is essentially what I am doing (earlier page in the book <grin>)
without the dynamic update based on SPAM. I just manually update the BIND
cache file from time to time -- mostly using one created by LOTS of other
people who have similar criteria to mine.

You wish to automate it and I find that a useful -- but likely very
difficult -- goal.
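Roland's eight steps and Herb's objection that a whole-zone block takes the good hosts out with the bad, as an added Python sketch that is not from this thread: it pulls link hostnames out of constructed honeypot messages, emits one BIND sinkhole zone stanza per exact FQDN (a common layout assumed here, rather than the cache-file edit Herb describes), and reports which whole-zone blocks would collide with an allow list. The sample messages, the allow list and the file name null.zone.file are all constructed.

```python
import re
from urllib.parse import urlparse

SINKHOLE_IP = "127.0.0.2"  # the loopback address the thread points blocked names at

# Constructed sample input: two messages that landed in a hypothetical honeypot mailbox.
SAMPLE_MESSAGES = [
    "Click http://ads.spam-example.net/track?id=1 or view <img src='http://img.spam-example.net/p.gif'>",
    "Order status: https://shop.example.com/status and help at http://www.example.com/help",
]
# Constructed allow list: hosts the company must keep reachable whatever the honeypot sees.
ALLOW_HOSTS = {"www.example.com"}

URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


def extract_hosts(messages):
    """Steps 3-4: pull every http(s) link out of the bodies and keep the hostnames."""
    hosts = set()
    for body in messages:
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower().rstrip("."))
    return hosts


def parent_zone(host):
    """Crude registered-domain guess (last two labels); real tooling would use the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def plan_blocks(hosts, allow_hosts):
    """Return (per_host, zone_collateral): names safe to sinkhole one at a time, plus the
    parent zones where a whole-zone block (what Windows DNS forces on you) would also take
    out an allow-listed host, i.e. Herb's Angelfire problem."""
    protected = {}
    for allowed in allow_hosts:
        protected.setdefault(parent_zone(allowed), set()).add(allowed)
    per_host = sorted(h for h in hosts if h not in allow_hosts)
    zone_collateral = {parent_zone(h): protected[parent_zone(h)]
                       for h in per_host if parent_zone(h) in protected}
    return per_host, zone_collateral


def bind_named_conf(hosts, null_zone_file="null.zone.file"):
    """One tiny master zone per exact FQDN, so the parent domain keeps resolving normally.
    null.zone.file is assumed to hold an SOA, an NS and an A record pointing at SINKHOLE_IP."""
    return "\n".join(f'zone "{h}" {{ type master; file "{null_zone_file}"; }};' for h in hosts)


if __name__ == "__main__":
    per_host, collateral = plan_blocks(extract_hosts(SAMPLE_MESSAGES), ALLOW_HOSTS)
    print(bind_named_conf(per_host))
    for zone, kept in collateral.items():
        print(f"# a whole-zone block of {zone} would also sink: {sorted(kept)}")
```

Step 8 (checking that the resolver really returns 127.0.0.2 for each name) still has to be run against the live server after the zones are loaded.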
 
Roland Hall said:
: Easy way out you know. Sometimes money can solve everything. It is
: a nice tool and easy to block the COO from day trading and hanging
: out at the sports sites. (O:=
: I'm not up on ISA *cough* as I should be but would be interested in
: doing this as an application, if for no other reason than
: educational. *putting it on my list*

You'll actually like it. Very powerful tool. But I believe with Surfcontrol
(I think mentioned earlier) that you can subscribe to a banned site list
that gets updated weekly. I'm not sure if there is a subscription service
that works for ISA at this time, unless I'm mistaken.

:-)

--
Regards,
Ace
 
"Ace Fekay [MVP]"
wrote:
: Roland Hall <nobody@nowhere> posted their thoughts, then I offered mine
: >>
: >> Thanks!
: >>
: >> Plus would suggest to use ISA or some other tool to do this,
: >> including Surfcontrol, which is what you suggested in this thread.
: >> Nice tool.
: >> Ace
: >
: > Easy way out you know. Sometimes money can solve everything. It is
: > a nice tool and easy to block the COO from day trading and hanging
: > out at the sports sites. (O:=
: > I'm not up on ISA *cough* as I should be but would be interested in
: > doing this as an application, if for no other reason than
: > educational. *putting it on my list*
:
: You'll actually like it. Very powerful tool. But I believe with
: Surfcontrol (I think mentioned earlier) that you can subscribe to a banned
: site list that gets updated weekly. I'm not sure if there is a subscription
: service that works for ISA at this time, unless I'm mistaken.

I used it when it was SuperScout, now SurfControl * (Web Filter). It had an
annual subscription service where they would provide you a list of banned
sites that you could then use along with your custom entries, kinda' like a
spelling checker with a custom dictionary idea.
 
Roland Hall said:
: I used it when it was SuperScout, now SurfControl * (Web Filter). It
: had an annual subscription service where they would provide you a
: list of banned sites that you could then use along with your custom
: entries, kinda' like a spelling checker with a custom dictionary idea.

So they were the same product? Didn't realize that!
:-)

--
Regards,
Ace
 