
List:       sidewinder
Subject:    Re: [Sidewinder] Blocking DNS lookups to particular domains
From:       Sidewinder moderated discussion list <sidewinder () adeptech ! com>
Date:       2007-02-14 13:50:20
Message-ID: 1897E92A96C47648A6574CB9A51C640701571D3F () SEBEV1PW ! graybar ! com

What we have done on several occasions is make the firewalls
authoritative for the specified domain. This can be accomplished through
the GUI or at the command line. Once the firewalls are authoritative for
this domain, they have no reason to pass the request anywhere.

Then we make a www record (or a record for any known "bad" sites within
that domain) to point them at a capture web server on our network. When
someone gets to this capture web server they are given a page, but their
IPs are logged and our Infrastructure Security department is notified of
a possible issue.

But, and this is the problem, there are multiple legit sites that are
through 2mydns.com, which means you will also terminate access to them.

-----Original Message-----
From: sidewinder-bounces@adeptech.com
[mailto:sidewinder-bounces@adeptech.com] On Behalf Of Sidewinder
moderated discussion list
Sent: Tuesday, February 13, 2007 5:36 PM
To: 'sidewinder@adeptech.com'
Subject: [Sidewinder] Blocking DNS lookups to particular domains

From a security mailing list:

"Two accounts, dysev5299.2mydns.com and wjky.2mydns.com, are associated
with a new and rapidly spreading infection/intrusion vector among some
company's networks. One suggested protection methodology includes the
institution of firewall rules that block DNS requests to the dynamic DNS
provider "2mydns.com."

Not that we are having any problems, but does anyone know of a
reasonable way to block such requests using Sidewinder, short of
blocking access to the IP addresses listed in the NS records in a DENY
rule?

[Curiously, when I tried just now, I could not resolve the names that
came back to addresses using DNS. It may be that someone in a
surrounding organization to mine is already blocking such access...]

JRJ
_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder

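The sinkhole approach in the reply above, modelled as an added example (my code, not from the list post, Sidewinder or Secure Computing): the authoritative answer the firewall hands back for any name under the sinkholed zone, and a parser that turns constructed capture-web-server log lines into the per-client list the security department is notified with. It assumes the capture server logs in Apache's vhost_combined format and uses an RFC 5737 documentation address for it.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed values: an RFC 5737 documentation address stands in for the
# capture web server; the zone is the one named in the original question.
CAPTURE_IP = "192.0.2.10"
SINKHOLE_ZONES = frozenset({"2mydns.com"})

def sinkhole_answer(qname, zones=SINKHOLE_ZONES, capture_ip=CAPTURE_IP):
    """A record the authoritative firewall returns for qname, or None when the
    name is outside every sinkholed zone. Every label under the zone lands on
    the capture server: the collateral effect on legitimate hosts noted above."""
    name = qname.rstrip(".").lower()
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            return capture_ip
    return None

# Apache "vhost_combined" format, so the hostname each client asked for is on
# the line: %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def capture_hits(log_lines):
    """Map each client IP that reached the capture server to the sinkholed
    hostnames it requested: the list handed to the security team. Lines that
    do not parse, or carry a bogus address, are skipped rather than guessed."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue
        hits[ip].add(m["host"].lower())
    return {ip: sorted(hosts) for ip, hosts in sorted(hits.items())}

# Constructed sample capture-server log (not real traffic).
SAMPLE_LOG = [
    'wjky.2mydns.com:80 10.1.2.3 - - [14/Feb/2007:08:15:02 -0600] "GET /x.bin HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    'dysev5299.2mydns.com:80 10.1.2.3 - - [14/Feb/2007:08:15:09 -0600] "GET / HTTP/1.1" 200 310 "-" "Mozilla/4.0"',
    'legit.2mydns.com:80 10.1.7.9 - - [14/Feb/2007:09:01:44 -0600] "GET / HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    'garbage line that the capture server should never have written',
]
```

Note that the legitimate host in the sample is captured along with the two named accounts, which is exactly the trade-off the reply warns about when the whole zone is made authoritative.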