Solved

Force DNS to return unknown domain?

Posted on 2002-04-30
19
297 Views
Last Modified: 2010-03-18
25% of our bandwidth at work is used up by banner ads, cookies, and the rest of the junk filling the net.

I've come across a good listing of servers that only serve up junk.

Is there a way to add those to our DNS server and force the server to return that it's an unknown domain, so that when a webpage tries to pull an ad from ad.doubleclick.net, the banner ad is empty because the PC thinks that ad.doubleclick.net does not exist?

I could add ad.doubleclick.net to our firewall, and block it there, but Internet Explorer tries to hit the site over and over many times, causing a lot of local traffic, as well as having the user's browser hang while waiting for the site to respond. I don't like that option.

Next, I tried adding all the domains in our DNS and have them point to a server not running Apache, but then it causes a lot of dead hits to hit that server, and there's still the local traffic problem, and Explorer hanging while it waits for a response.

Next... have it point to 127.0.0.1... solves the traffic problem, but Explorer still hangs.

The fastest response from IE is if you give it a dead domain. Put http://thisdomain.doesntexist1.com in IE and it pops back immediately that there's nothing there. If I could have our DNS server return that there's no DNS record for ad.doubleclick.net (as well as a huge list of other domains) that would solve the problem. Is there an easy way to do this?
Question by:edskee
19 Comments
 
LVL 40

Expert Comment

by:jlevie
I can't think of an easy way to do that at the DNS level, but it would be pretty trivial to redirect all traffic to those IPs to an internal server that returns an empty page. If your firewall is running iptables you could use DNAT to do the redirect. The web server would need a wildcard redirect pointing to an empty page.
LVL 2

Author Comment

by:edskee
How would you do the wildcard redirect on the webserver?
LVL 51

Expert Comment

by:ahoffmann
I'd go with the fake server returning empty pages:
AFAIK apache can be configured to return the same page for any URL, it also has virtual domains. That's all you need (beside the DNAT in your firewall).
LVL 2

Author Comment

by:edskee
Hmm... this doesn't seem to redirect the traffic... any idea why?

iptables -t nat -I PREROUTING -i eth0 -p tcp -d <test address to block> --dport 80 -j DNAT --to <internal webserver>:80

It just hangs and never redirects... eventually IE times out.

is that syntax right?
LVL 51

Expert Comment

by:ahoffmann
you need the other way around too:

iptables -t nat -I POSTROUTING -p tcp -s internal-webserver --sport 80 -d your-LAN/24 -j SNAT --to test-address
LVL 2

Author Comment

by:edskee
Ok, here's what I have, and it's not working:

Internal webserver: 192.168.1.15
Test IP to block (my home webserver): 68.33.80.37

iptables -t nat -I PREROUTING -p tcp -d 68.33.80.37 --dport 80 -j DNAT --to 192.168.1.15:80

iptables -t nat -I POSTROUTING -p tcp -s 192.168.1.15 --sport 80 -d 192.168.0.0/16 -j SNAT --to 68.33.80.37

That SHOULD be saying:
Anything going to 68.33.80.37 port 80 is redirected to 192.168.1.15 port 80, by NATing the destination address

And anything coming from 192.168.1.15 port 80, going to the internal LAN, has its source address masked so as to appear to be coming from 68.33.80.37

Right?

So why doesn't it work? I'm going nuts now...
LVL 4

Expert Comment

by:MFCRich
Have you considered junkbuster (www.junkbuster.com)? It's a web proxy that filters out web sites. Its default configuration file comes with scores of sites with ads.
LVL 2

Expert Comment

by:pheur
If you considered the firewall solution, here is the missing thing: return an error, don't just drop the packets. Returning an error will not make your browser hang. For iptables, add "--reject-with tcp-reset" and target REJECT.

Also, you may consider masquerading/DNAT-ing those servers to an internal server that always returns an empty page (use mod_rewrite for that).

Or use a transparent proxy to redirect all the traffic to a web proxy/cache that takes care of removing the banner ads.
JunkBuster was suggested above.

All these are simpler than the DNS blackholing.

--
Radu-Adrian Feurdean
Brainbench Linux MVP
LVL 2

Author Comment

by:edskee
Yes, but HOW do I NAT it over? Every time I've ever tried to redirect a connection internally, it never worked. I can redirect a connection hitting my firewall, from the net, to a server behind it, but when I try and redirect an outgoing packet to another machine on the inside, it hangs. Even with apparently good DNAT and SNAT statements.

Can someone give me an example of the iptables commands necessary to do the following:

Firewall: 192.168.1.1
Internal webserver: 192.168.1.20
My internal PC: 192.168.1.99

I'm trying to go to internet site 1.2.3.4, but I want the firewall to catch it and send it instead to the webserver 192.168.1.20

I haven't been able to get that to work to save my life. I can use REDIRECT to send it to another port on the firewall... but I don't want to run a webserver on the firewall. I cannot DNAT it to a separate internal server at all... it always just hangs. Pings work, but telnets, https, sshs, etc all never get a response.
LVL 2

Expert Comment

by:pheur
Your problem is that the internal server has a direct route to the client. And it's not on the forward path, it's on the return path.

forward: client->firewall->internal
return:  internal->client (NAT skipped, you're not able to connect)

Avoid this at all costs. In your case do the following (on the internal server) and try again connecting:

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
route del default
route del -net 192.168.1.0/24
route add -host 192.168.1.1 dev eth0
route add default gw 192.168.1.1

Basically, you tell that machine that the only machine "directly connected" is the firewall, anything else goes via firewall.

--
Radu-Adrian Feurdean
Brainbench Linux MVP
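The hairpin case from the exchange above, as an added example rather than commands from the thread: a sh script that pairs the PREROUTING DNAT with a POSTROUTING SNAT to the firewall's own LAN address, so the sink's replies go back through the firewall instead of straight to the client, which is an alternative to rerouting the internal server. Addresses, interface name and function names are assumptions (firewall 192.168.1.1 on eth1, sink 192.168.1.20); IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: firewall LAN side is
# eth1 at 192.168.1.1, the internal "sink" web server is 192.168.1.20, and
# ip_forward is already enabled. Set IPT=echo to print rules without applying.
IPT="${IPT:-iptables}"
LAN_IF=eth1
FW_LAN_IP=192.168.1.1
SINK=192.168.1.20

# Redirect HTTP for one blocked address to the sink.
# Rule 1 rewrites the destination (the DNAT from the question).
# Rule 2 is the missing half: once the destination is the sink, rewrite the
# source to the firewall's LAN address too, so the sink replies to the
# firewall and the reply is de-NATed on the way back. Without it the client
# receives a SYN-ACK from 192.168.1.20 for a connection it opened to $1,
# discards it, and the browser sits there until it times out.
redirect_to_sink() {            # $1 = address to intercept
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d "$1" --dport 80 \
        -j DNAT --to-destination "$SINK:80"
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -d "$SINK" --dport 80 \
        -j SNAT --to-source "$FW_LAN_IP"
}

# For addresses you would rather refuse than redirect: answer with a TCP RST
# so the browser fails at once instead of waiting for a timeout (a drop rule
# would reproduce the hang described in the question).
reject_fast() {                 # $1 = address to refuse
    $IPT -A FORWARD -p tcp -d "$1" --dport 80 -j REJECT --reject-with tcp-reset
}

# Dry run: print the rule set for review without touching the kernel.
show_rules() {                  # $1 = address to redirect, $2 = address to refuse
    ( IPT=echo; redirect_to_sink "$1"; reject_fast "$2" )
}
```

Because of the SNAT, the sink's access log shows the firewall as the client; if you need the real client address there, the routing change above is the way to keep it.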
LVL 2

Author Comment

by:edskee
Ok, but what about this situation, which is similar, and I tried to get it to work a few weeks back but had no success.

My ISP, Comcast, provides access to a usenet server. You can only connect to that server if you're on the Comcast network. I want to connect while I'm at work. Should be a simple operation of setting up firewalling rules to have any connection attempts to port 9999 on my firewall NAT and redirect to the news server, thusly making the news server think that my request from work is coming from my home server... I'd bounce off it, NAT its address, and get connected.

Didn't work. Sounded like a simple operation... I can redirect internet client->firewall->internal server behind firewall, why couldn't I redirect internet client->firewall->other internet server?
LVL 2

Expert Comment

by:pheur
The thing with NAT-ing for news can be done with userspace portforwarding. Using normal NAT doesn't work since by default, packets don't pass your home firewall.

SNAT: source NAT - packets come from a machine other than the one specified in the source of the packet.

DNAT: destination NAT - packets sent to a specific machine arrive to another one.

portforward: an intermediate machine breaks one TCP connection in two. both source and destination address are changed.

The first two are easily done with iptables, but the machine doing SNAT/DNAT MUST intercept all packets - both forward and return; the third is usually done in userspace.
Even if some situations seem to be identical they are not. Specifically NAT is transparent, portforward is not.

--
Radu-Adrian Feurdean
Brainbench Linux MVP
LVL 2

Author Comment

by:edskee
You lost me on that... so you're saying I need userspace port forwarding? How is that accomplished?
LVL 2

Expert Comment

by:pheur
There are a lot of programs for that. My favorite is SSH-portforwarding (a little more complicated than the simple one, but very good):

ssh -L 9999:news.comcast.com:119 homemachine.comcast.com

Leave the session open and set your news client to use localhost:9999 as a news server.

--
Radu-Adrian Feurdean
Brainbench Linux MVP
LVL 3

Expert Comment

by:hnminh
Back to your DNS approach... why didn't you try creating the domain in DNS with NO records? For example, you would have a primary doubleclick.net zone in your DNS and that is all! This definitely will return "host not found" within a second if someone tries ad.doubleclick.net! Using other firewall approaches, I think a "connection refused" or "access denied" response would be a better idea than just dropping the packet and letting the browser wait for a timeout period! How to do this depends on the firewall software you are using.
LVL 16

Expert Comment

by:The--Captain
Indeed - why not just enter the domain as a master zone in your named.conf, and have it point to /dev/null or a non-existent zone file?  That should cause your DNS to do what you want - on the other hand, you have to be sure that your clients will only be using your DNS - otherwise you run the risk of certain IP stacks attempting to query additional DNS servers for the answer, even though your DNS server said "there is no answer".

With regard to the above discussion, rinetd is a good user-space port-forwarder, if you just want to find a good piece of software that will do it for you...

Cheers,
-Jon
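The empty-zone approach that hnminh and The--Captain describe, as an added example (not code from the thread): a sh script that writes one minimal zone file and generates a BIND named.conf stanza for every domain in a blocklist. It assumes BIND named and a one-domain-per-line list file; the paths and function names are mine. One caveat the thread does not spell out: a stanza pointing at /dev/null or a missing file makes the zone fail to load, so named answers SERVFAIL and resolvers retry; a zone holding only SOA and NS records loads cleanly and gives an authoritative "host not found" (NXDOMAIN) for every name beneath it.

```shell
#!/bin/sh
# Added example, not from the thread. Turns a plain-text list of ad domains
# into BIND "zone" stanzas that answer NXDOMAIN for every name under them.
# Assumes BIND named, a list with one domain per line ('#' comments allowed),
# and that all clients resolve only through this server.

# Write a minimal but valid zone file. A file with no SOA/NS fails to load
# and named then returns SERVFAIL (clients retry); with just SOA and NS the
# zone loads and any name below the apex gets an immediate NXDOMAIN.
write_empty_zone() {            # $1 = path of the shared zone file
    cat > "$1" <<'EOF'
$TTL 86400
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 86400 )
@   IN NS   localhost.
EOF
}

# Emit one stanza per domain, all sharing the zone file named in $2.
# Blank lines and comments are dropped, names are lower-cased and deduped,
# and a trailing dot is removed so "ads.example.net." matches the bare form.
gen_blackhole_zones() {         # $1 = blocklist file, $2 = shared zone file
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' -e 's/\.$//' "$1" |
    tr 'A-Z' 'a-z' | sort -u |
    while read -r dom; do
        printf 'zone "%s" { type master; file "%s"; };\n' "$dom" "$2"
    done
}

# Number of stanzas a blocklist produces (sanity check before reloading named).
count_zones() { gen_blackhole_zones "$1" "$2" | grep -c '^zone '; }

# Demo with a constructed blocklist standing in for the listing in the question.
if [ "${1:-}" = "demo" ]; then
    lst=$(mktemp)
    printf 'ad.doubleclick.net\n# tracker hosts\nAds.Example.NET.\n' > "$lst"
    write_empty_zone /tmp/blackhole.zone
    gen_blackhole_zones "$lst" /tmp/blackhole.zone   # include this from named.conf
    rm -f "$lst"
fi
```

Run it as "sh script.sh demo" to see the generated stanzas; after adding them to named.conf, reload named and confirm with a lookup that ad.doubleclick.net now returns NXDOMAIN rather than SERVFAIL.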

Expert Comment

by:CleanupPing
edskee:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
LVL 1

Accepted Solution

by: Computer101 earned 0 total points
Points refunded and placed in PAQ

Computer101
E-E Admin