Force DNS to return unknown domain?

25% of our bandwidth at work is used up by banner ads, cookies, and the rest of the junk filling the net.

I've come across a good listing of servers that only serve up junk.

Is there a way to add those to our DNS server and force the server to return that it's an unknown domain, so that when a webpage tries to pull an ad from ad.doubleclick.net, the banner ad is empty because the PC thinks that ad.doubleclick.net does not exist?

I could add ad.doubleclick.net to our firewall, and block it there, but Internet Explorer tries to hit the site over and over many times, causing a lot of local traffic, as well as having the user's browser hang while waiting for the site to respond. I don't like that option.

Next, I tried adding all the domains in our DNS and have them point to a server not running Apache, but then it causes a lot of dead hits to hit that server, and there's still the local traffic problem, and Explorer hanging while it waits for a response.

Next... have it point to 127.0.0.1... solves the traffic problem, but explorer still hangs.

The fastest response from IE is if you give it a dead domain. Put http://thisdomain.doesntexist1.com in IE and it pops back immediately that there's nothing there. If I could have our DNS server return that there's no DNS record for ad.doubleclick.net (as well as a huge list of other domains) that would solve the problem. Is there an easy way to do this?
Asked by: edskee

1 Solution
 
jlevieCommented:
I can't think of an easy way to do that at the DNS level, but it would be pretty trivial to redirect all traffic to those IP's to an internal server that returns an empty page. If your firewall is running iptables you could use DNAT to do the redirect. The web server would need a wildcard redirect pointing to an empty page.
 
edskeeAuthor Commented:
How would you do the wildcard redirect on the webserver?
 
ahoffmannCommented:
I'd go with the fake server returning empty pages:
AFAIK apache can be configured to return the same page for any URL, it also has virtual domains. That's all you need (beside the DNAT in your firewall).
 
edskeeAuthor Commented:
Hmm... this doesn't seem to redirect the traffic... any idea why?

iptables -t nat -I PREROUTING -i eth0 -p tcp -d <test address to block> --dport 80 -j DNAT --to <internal webserver>:80

It just hangs and never redirects... eventually IE times out.

is that syntax right?
 
ahoffmannCommented:
you need the other way around too:

iptables -t nat -I POSTROUTING -p tcp -s internal-webserver --sport 80 -d your-LAN/24 -j SNAT --to-source test-address
 
edskeeAuthor Commented:
Ok, here's what I have, and it's not working:

Internal webserver: 192.168.1.15
Test IP to block (my home webserver): 68.33.80.37

iptables -t nat -I PREROUTING -p tcp -d 68.33.80.37 --dport 80 -j DNAT --to 192.168.1.15:80

iptables -t nat -I POSTROUTING -p tcp -s 192.168.1.15 --sport 80 -d 192.168.0.0/16 -j SNAT --to 68.33.80.37

That SHOULD be saying:
Anything going to 68.33.80.37 port 80 is redirected to 192.168.1.15 port 80, by NATing the destination address

And anything coming from 192.168.1.15 port 80, going to the internal LAN, has its source address masked so as to appear to be coming from 68.33.80.37

Right?

So why doesn't it work? I'm going nuts now...
 
MFCRichCommented:
Have you considered junkbuster (www.junkbuster.com)? It's a web proxy that filters out web sites. Its default configuration file comes with scores of sites with ads.
 
pheurCommented:
If you considered the firewall solution, here is the missing thing: return error, don't just drop the packets. Returning error will not make your browser hang. For iptables, add the "--reject-with tcp-reset" and target REJECT.

Also, you may consider masquerading/DNAT-ing those servers to an internal server that always returns an empty page (use mod_rewrite for that).

Or use transparent proxy to redirect all the traffic to a web proxy/cache that takes care of removing the banner ads.
JunkBuster was suggested above.

All these are more simple than the DNS blackholing.

--
Radu-Adrian Feurdean
Brainbench Linux MVP
 
edskeeAuthor Commented:
Yes, but HOW do I NAT it over? Every time I've ever tried to redirect a connection internally, it never worked. I can redirect a connection hitting my firewall, from the net, to a server behind it, but when I try and redirect an outgoing packet to another machine on the inside, it hangs. Even with apparently good DNAT and SNAT statements.

Can someone give me an example of the iptables commands necessary to do the following:

Firewall: 192.168.1.1
Internal webserver: 192.168.1.20
My internal PC: 192.168.1.99

I'm trying to go to internet site 1.2.3.4, but I want the firewall to catch it and send it instead to the webserver 192.168.1.20

I haven't been able to get that to work to save my life. I can use REDIRECT to send it to another port on the firewall... but I don't want to run a webserver on the firewall. I cannot DNAT it to a separate internal server at all... it always just hangs. Pings work, but telnets, https, sshs, etc all never get a response.
 
pheurCommented:
Your problem is that the internal server has a direct route to the client. And it's not on the forward path, it's on the return path.

forward: client->firewall->internal
return:  internal->client (NAT skipped, you're not able to connect)

Avoid this at all cost. In your case do the following (on the internal server) and try again connecting:

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
route del default
route del -net 192.168.1.0/24
route add -host 192.168.1.1 eth0
route add default gw 192.168.1.1

Basically, you tell that machine that the only machine "directly connected" is the firewall, anything else goes via firewall.

--
Radu-Adrian Feurdean
Brainbench Linux MVP
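The routing change above fixes the problem on the web server; the same requirement (the firewall must see both directions of the redirected flow) can instead be met on the firewall with a second SNAT rule, and this also carries the tcp-reset REJECT variant suggested earlier in the thread. This is an added example, not a command set posted in the thread; it only prints the rules for review, and assumes the addresses from the question (192.168.1.1 firewall and LAN gateway, 192.168.1.20 web server, 1.2.3.4 as the blocked site).

```shell
#!/bin/sh
# Added example: "hairpin" DNAT+SNAT on the firewall so the internal web server's
# replies return through the firewall instead of going straight to the LAN client.
FW=192.168.1.1        # firewall, also the LAN default gateway (assumed)
WEB=192.168.1.20      # internal server that answers every URL with an empty page
BLOCKED=1.2.3.4       # ad server address to intercept (placeholder from the question)
LAN=192.168.1.0/24

# Print the NAT rule set rather than applying it; pipe to sh as root once reviewed.
hairpin_rules() {
    # 1. Rewrite the destination: a LAN client's SYN for $BLOCKED lands on $WEB.
    printf 'iptables -t nat -A PREROUTING -s %s -d %s -p tcp --dport 80 -j DNAT --to-destination %s:80\n' \
        "$LAN" "$BLOCKED" "$WEB"
    # 2. Rewrite the source as well: $WEB then replies to the firewall, which undoes
    #    both translations. Without this the reply goes directly to the client, which
    #    sees a SYN/ACK from 192.168.1.20 it never contacted, and the browser hangs.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport 80 -j SNAT --to-source %s\n' \
        "$LAN" "$WEB" "$FW"
    # 3. Let the translated flow through the FORWARD chain.
    printf 'iptables -A FORWARD -d %s -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$WEB"
}

# Alternative with no web server at all: answer the SYN with a TCP RST so the browser
# gives up immediately instead of waiting for a timeout (REJECT, not DROP).
reject_rules() {
    printf 'iptables -A FORWARD -s %s -d %s -p tcp --dport 80 -j REJECT --reject-with tcp-reset\n' \
        "$LAN" "$BLOCKED"
}

# Number of rules the hairpin set produces (used as a sanity check).
hairpin_rule_count() {
    hairpin_rules | grep -c '^iptables '
}
```

Rule 2 is what was missing from the earlier attempts: the SNAT must match traffic heading to the web server, not traffic coming from it.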
 
edskeeAuthor Commented:
Ok, but what about this situation, which is similar, and I tried to get it to work a few weeks back but had no success.

My ISP, Comcast, provides access to a usenet server. You can only connect to that server if you're on the comcast network. I want to connect while I'm at work. Should be a simple operation of setting up firewalling rules to have any connection attempts to port 9999 on my firewall NAT and redirect to the news server, thusly making the news server think that my request from work is coming from my home server... I'd bounce off it, NAT its address, and get connected.

Didn't work. Sounded like a simple operation... I can redirect internet client->firewall->internal server behind firewall, why couldn't I redirect internet client->firewall->other internet server?
 
pheurCommented:
The thing with NAT-ing for news can be done with userspace portforwarding. Using normal NAT doesn't work since by default, packets don't pass your home firewall.

SNAT: source NAT - packets come from a machine other than the one specified in the source of the packet.

DNAT: destination NAT - packets sent to a specific machine arrive to another one.

portforward: an intermediate machine breaks one TCP connection in two. both source and destination address are changed.

The first two are easily done with iptables, but the machine doing SNAT/DNAT MUST intercept all packets - both forward and return; the third is usually done in userspace.
Even if some situations seem to be identical they are not. Specifically NAT is transparent, portforward is not.

--
Radu-Adrian Feurdean
Brainbench Linux MVP
 
edskeeAuthor Commented:
You lost me on that... so you're saying I need userspace port forwarding? How is that accomplished?
 
pheurCommented:
There are a lot of programs for that. My favorite is SSH-portforwarding (a little more complicated than the simple one, but very good):

ssh -L 9999:news.comcast.com:119 homemachine.comcast.com

Leave the session open and set your news client to use localhost:9999 as a news server.

--
Radu-Adrian Feurdean
Brainbench Linux MVP
 
hnminhCommented:
back to your DNS approach... why didn't you try creating the domain in DNS with NO record? For ex. you would have a primary doubleclick.net zone in your DNS and that is all! This will definitely return "host not found" within a second if someone tries ad.doubleclick.net! Using other firewall approaches, I think a "connection refused" or "access denied" response would be a better idea than just dropping the packet and letting the browser wait for a timeout period! How to do this depends on the firewall software you are using.
 
The--CaptainCommented:
Indeed - why not just enter the domain as a master zone in your named.conf, and have it point to /dev/null or a non-existent zone file? That should cause your DNS to do what you want - on the other hand, you have to be sure that your clients will only be using your DNS - otherwise you run the risk of certain IP stacks attempting to query additional DNS servers for the answer, even though your DNS server said "there is no answer".

With regard to the above discussion, rinetd is a good user-space port-forwarder, if you just want to find a good piece of software that will do it for you...

Cheers,
-Jon

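The empty-master-zone idea from the last two posts, as an added example that is not code from the thread: it turns a domain list into BIND zone stanzas that all share one zone file holding nothing but an SOA and an NS record, so the server is authoritative for each ad domain and answers NXDOMAIN for any name beneath it instead of letting the browser wait. The file paths, the sample domain list and the use of BIND 9 are assumptions.

```shell
#!/bin/sh
# Added example: generate BIND "blackhole" zones for a list of ad-serving domains.
# Assumed paths (placeholders): /etc/bind/db.empty and /etc/bind/named.conf.adblock.

# The shared zone file. With only SOA and NS, a query for ad.doubleclick.net gets an
# authoritative NXDOMAIN; a query for the apex itself gets an empty (NODATA) answer.
empty_zone_file() {
    cat <<'EOF'
$TTL 86400
@   IN  SOA localhost. root.localhost. ( 1 3600 900 604800 86400 )
@   IN  NS  localhost.
EOF
}

# Read domains from stdin (one per line; blanks and '#' comments skipped) and print
# one "type master" stanza per domain. $1 = path of the shared empty zone file.
blackhole_zones() {
    zonefile="$1"
    while IFS= read -r domain; do
        case "$domain" in ''|'#'*) continue ;; esac
        printf 'zone "%s" { type master; file "%s"; };\n' "$domain" "$zonefile"
    done
}

# Constructed sample list; the lists mentioned in the question are far longer.
SAMPLE_DOMAINS='doubleclick.net
# comment and blank lines are ignored

adserver.example
'

# Number of stanzas the sample list yields (used as a sanity check).
sample_zone_count() {
    printf '%s' "$SAMPLE_DOMAINS" | blackhole_zones /etc/bind/db.empty | grep -c '^zone '
}

# Write both files; run as root, then `include "/etc/bind/named.conf.adblock";` in
# named.conf and reload named. Only runs when invoked with --write.
write_config() {
    empty_zone_file > /etc/bind/db.empty
    printf '%s' "$SAMPLE_DOMAINS" | blackhole_zones /etc/bind/db.empty > /etc/bind/named.conf.adblock
}
[ "${1:-}" = "--write" ] && write_config
```

Verify with `dig @<your-resolver> ad.doubleclick.net` and look for `status: NXDOMAIN` in the header; as noted above, this only works if clients cannot fall back to another resolver.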
 
CleanupPingCommented:
edskee:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
 
Computer101Commented:
Points refunded and placed in PAQ

Computer101
E-E Admin