Security Basics mailing list archives
RE: Spyware blocking with HOSTS file on DNS server
From: "Andrew Shore" <andrew.shore () holistecs com>
Date: Tue, 1 Feb 2005 09:33:00 -0000
I have to agree, staying on top of a tack like this is a huge commitment and one you'll probably never achieve. There are more and more of these sites springing up every day.

I would recommend Websense with the spyware module.

Just my 2 cents but I think you're barking up the wrong tree.

Andy

-----Original Message-----
From: Johnson, Joey [mailto:Joey.Johnson () MWAA com]
Sent: 28 January 2005 20:39
To: Dan Lynch; security-basics () securityfocus com
Subject: RE: Spyware blocking with HOSTS file on DNS server

Any particular reason you don't want to manage all this yourself manually? There are several good enterprise level solutions out there. Some of them free. You mentioned you're in a Windows domain so have a browse at this site and go from there?

http://www.winnetmag.net/WindowsSecurity/Article/ArticleID/44624/44624.html

-----Original Message-----
From: Dan Lynch [mailto:dan.lynch () placer ca gov]
Sent: Friday, January 28, 2005 1:45 PM
To: security-basics () securityfocus com
Subject: Spyware blocking with HOSTS file on DNS server

Greetings list,

Recent plagues of spyware/adware on our ~2000-client network have us interested in strategies for eliminating it. One path we're investigating is the use of compiled lists of known spyware/adware host names in HOSTS file format that resolve them to loopback.

But since all our clients proxy web traffic through a central point, no name resolution is ever done at the client and a HOSTS file would do us no good at the desktop. Instead our proxy server performs all name resolution against an internal DNS server. Also, we'd like to centrally manage the solution.

Questions follow:

- list policies and practices

We'd like to find a compiled HOSTS file with clear policies and transparent practices for inclusion and removal. Of the dozen or so HOSTS files I've found, none seem to meet that desire. Anyone have experience with a source that might be, um... "enterprise friendly"? Fairly regular updates would be good too, but it seems easy to find lists that are well maintained.

- Loopback vs 0.0.0.0; connection use

It seems some HOSTS lists like to resolve names to loopback (127.0.0.1), but others advocate resolving to 0.0.0.0. Which is better? If resolving to loopback, do we have to wait for the connection to time out? But when resolving to 0.0.0.0, is the failure more immediate? Since this would all be taking place at a fairly busy proxy server, what would the impact of one or the other be to my connection pool?

- HOSTS to zone conversion

Since our proxy is a closed-source appliance we may be unable to put a HOSTS file on it. Further, if we can't make our DNS server pay attention to its own HOSTS file I assume that we'd need to convert any list to a zone file for import to the DNS server. New to me...any hints or tips here? Should I make an effort to eliminate all the host names and just pretend to be master of each adware domain?

This is an oddball enough situation that my introductory DNS skills can't figure out the best way to do it. Any help would be appreciated.

Any other gotchas or hints from the list are welcomed. I also welcome reference to lists or forums more closely focused on this area of interest.

Thanks,

Dan Lynch, CISSP
County of Placer
Auburn, CA
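
The "HOSTS to zone conversion" question above, worked as an added example that is not part of the original thread: a converter that turns a HOSTS-format blocklist into one authoritative zone per listed name, so only the listed hosts are overridden rather than whole registered domains. It assumes a BIND-style DNS server (the thread does not name one); the function names, the /etc/bind/db.blocked path and the sample entries are hypothetical.

```python
import re
SINKS = {"127.0.0.1", "0.0.0.0"}   # addresses HOSTS blocklists resolve to
SKIP = {"localhost", "localhost.localdomain", "broadcasthost"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def parse_hosts(text):
    """Return the set of valid blocked hostnames in HOSTS-format text."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip comment, split columns
        if len(fields) < 2 or fields[0] not in SINKS:
            continue                              # skip entries with a real address
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            ok = name not in SKIP and "." in name and len(name) <= 253
            if ok and all(LABEL.match(part) for part in name.split(".")):
                names.add(name)
    return names

def prune_covered(names):
    """Drop names under another listed name; that zone's wildcard covers them."""
    kept = set()
    for name in sorted(names, key=lambda n: n.count(".")):   # parents first
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels))}
        if not parents & kept:
            kept.add(name)
    return sorted(kept)

def named_conf(names, zone_file="/etc/bind/db.blocked"):
    """One master zone per blocked name, all loading the same zone file."""
    return "".join(f'zone "{n}" {{ type master; file "{zone_file}"; }};\n' for n in names)

ZONE_FILE = """$TTL 3600 ; shared zone file: relative names only, so it fits every zone
@ IN SOA localhost. root.localhost. ( 1 3600 900 604800 3600 )
@ IN NS  localhost.
@ IN A   127.0.0.1
* IN A   127.0.0.1
"""
SAMPLE = """# constructed sample, not a real blocklist
127.0.0.1   localhost
127.0.0.1   ads.example.test tracker.example.test   # two names on one line
0.0.0.0     example.test
0.0.0.0     Pop.Adware-Example.TEST.
10.1.2.3    intranet.example.test
127.0.0.1   bad_name!.example.test
"""
if __name__ == "__main__":
    print(named_conf(prune_covered(parse_hosts(SAMPLE))), end="")
```

The generated zone statements go into the server configuration and ZONE_FILE is saved once at the path they reference; changing the two A records in it switches every blocked name between the loopback and 0.0.0.0 answers discussed in the thread.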
Current thread:
- RE: Spyware blocking with HOSTS file on DNS server Johnson, Joey (Jan 31)
- <Possible follow-ups>
- Re: Spyware blocking with HOSTS file on DNS server David Glosser (Feb 01)
- RE: Spyware blocking with HOSTS file on DNS server Andrew Shore (Feb 01)
- RE: Spyware blocking with HOSTS file on DNS server Dan Lynch (Feb 02)
- RE: Spyware blocking with HOSTS file on DNS server Barrie Dempster (Feb 03)
- Re: Spyware blocking with HOSTS file on DNS server David Glosser (Feb 02)