Re: Firewall novice question

On 2005-12-02, Giorgos Keramidas <keramida@xxxxxxxxxxxxxxx> wrote:
> On Fri, 02 Dec 2005 16:19:25 GMT,
> melsonr@xxxxxxxxxxxxxxxxxxx (Robert Melson) wrote:
^^^^^^^^^^^
This does not appear to be registered, so it showing up here is not a
good idea. If you wish to continue using it, I strongly suggest you
register the domain.


[snip]
>> Don't mean to sound ungrateful - I _am_ the one asking for
>> information, after all! - but what you're pointing to seems to apply to
>> a single ip address or hostname and not to a domain. I want to block
>> an entire domain, not just a specific ip address from within it. This
>> may not be - probably is not - possible, but I thought I'd ask on the
>> off chance that it is.
>
> I don't think that's very easy. The most serious problems you will
> probably stumble upon are:
>
> - Not all the hosts of example.net necessarily have an IP address
> that is part of a well-defined subnet.
>
> - A name may map to multiple addresses.

While that is true, it also is just the surface of it. The thing is, a
single DNS entry does not contain the information needed to block an
entire domain, period.

There is no built-in aggregation of IPAs used. The DNS does not know
about the concept of a subnet. The firewall code does no DNS lookups[1],
simply because that would create a rather spectacular overhead if it
didn't get stuck in the obvious catch-22. In short, the concept of
``domain'' does not translate into neatly blockable IP subnets.

The best you can do is make a list of IP addresses and subnets and stick
them in a table, then match on that. There are other approaches but they
are probably out of your reach.[2]


[1] The firewall rule maintenance utility does, but it isn't the firewall.
[2] Generating blocklists based on AS announcements, for example. Do not
forget they must be updated regularly, and so you need a BGP feed.
And the ability to write the scripts to drive that.

--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
This message was originally posted on Usenet in plain text.
Any other representation, additions, or changes do not have my
consent and may be a violation of international copyright law.
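An added example, not code from this post or either poster: a Python script that does what the reply describes, resolving each name to every address it maps to, merging those with hand-listed subnets into one collapsed table, and emitting the one-CIDR-per-line form a table-loading tool reads (pf's `pfctl -t blocked -T replace -f FILE` is the assumed consumer; an ipfw table takes a similar list). It is the "rule maintenance utility" of footnote [1], run from cron rather than inside the firewall, and the resolver data is constructed so it runs offline.

```python
import ipaddress
import socket

# Constructed sample data (RFC 5737 / RFC 3849 documentation addresses),
# used in place of live DNS so the example runs offline.
SAMPLE_RESOLVER = {
    "www.example.net": ["192.0.2.10", "192.0.2.11", "2001:db8::10"],
    "mail.example.net": ["198.51.100.5"],
    "ftp.example.net": ["192.0.2.11"],   # shares an address with www
}

def live_resolver(host):
    """Ask the system resolver for every address of a name (A and AAAA)."""
    return sorted({i[4][0].split("%")[0] for i in socket.getaddrinfo(host, None)})

def sample_resolver(host):
    """Offline stand-in for live_resolver, backed by the constructed table above."""
    if host not in SAMPLE_RESOLVER:
        raise socket.gaierror(f"{host}: constructed NXDOMAIN")
    return SAMPLE_RESOLVER[host]

def build_table(hostnames, cidrs, resolver=live_resolver):
    """Return (networks, unresolved): every address the names map to right now,
    plus the hand-maintained subnets, collapsed into a minimal CIDR list."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    unresolved = []
    for name in hostnames:
        try:
            addrs = resolver(name)
        except socket.gaierror:
            unresolved.append(name)   # report it; a failed lookup must not pass silently
            continue
        nets.extend(ipaddress.ip_network(a) for a in addrs)   # bare address -> /32 or /128
    result = []
    for version in (4, 6):            # collapse_addresses needs one address family at a time
        same = [n for n in nets if n.version == version]
        result.extend(sorted(ipaddress.collapse_addresses(same)))
    return result, unresolved

def render_table(nets):
    """One CIDR per line, the file format `pfctl -t blocked -T replace -f FILE` loads."""
    return "\n".join(str(n) for n in nets) + "\n"

if __name__ == "__main__":
    names = list(SAMPLE_RESOLVER) + ["nosuch.example.net"]
    nets, missing = build_table(names, ["203.0.113.0/24"], resolver=sample_resolver)
    print(render_table(nets), end="")
    print("unresolved:", missing)
```

Because the addresses behind a name change without notice, the generated file is only as current as the last run, which is the update problem footnote [2] raises for any list-based approach.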