RE: Spyware blocking with HOSTS file on DNS server

["Dan Lynch" <dan.lynch () placer ca gov>]

Thanks for the input Andrew and Joey, but I think you might
misunderstand my goals here. 
 
The HOSTS files are precompiled and maintained. I don't plan on doing
it myself. See for example:
     http://www.mvps.org/winhelp2002/hosts.htm 
     http://www.dozleng.com/hpguru/ 
     http://www.everythingisnt.com/hosts.html 
     http://www.ecst.csuchico.edu/%7Eatman/spam/adblock.shtml 
     http://www.accs-net.com/hosts/get_hosts.html 

But with the wealth of maintained lists available, which ones have
clear policies for inclusion and removal? That is, how *well* maintained
are they? Opinions anyone?
 
Sure enough, our McAfee e500 WebShield proxy server doesn't allow
access to the HOSTS file, so the conversion to zone format for import to
our DNS server would be required. I'd need do nothing but convert to a
zone file and import to my DNS server. See for example:
     http://pgl.yoyo.org/adservers/index.php
     http://www.geocities.com/yosponge/updates.html 

But my DNS skills are limited, and the specifics of this usage are over
my head. What gotchas exist? Anyone tried it?

The point is I *don't* want to manage this all myself. I want a prefab
solution. And of the available choices, I don't wanna pay for nothin'!
Particularly considering (1) the vast expense of vendor provided
solutions (five-figures up front, then yearly subscription, plus
hardware, OS, and administration overhead of it all); and (2) that the
vast bulk of our spyware problem goes away if browsers can't access the
sites that generate it. The cost/benefit ratio of vendor solutions
doesn't justify the acquisition in my mind. To me, an improved process
has an inherent advantage over an acquired product.

Another lister mentioned a report that someone "toasted her proxy
server by using 127.0.0.1". What happens at the IP layer when the proxy
attempts dozens (or hundreds) of connections to a non-existent listener
on the loopback? What if a listener *does* exist? 

For example, in our environment, browsers are configured to connect to
the proxy on port 1500. The proxy the initiates the outbound connection
to the destination web server, generally on port 80. If the web server
name resolves to loopback, we have the proxy attempting to connect to
itself on port 80. Do we wait for TCP timeout? What if our proxy *were*
listening on port 80? Would a 404 NOT FOUND result? Would the behavior
be different if DNS instead resolved the end point to 0.0.0.0?

Again, thanks everyone for any input here.

Dan Lynch, CISSP
County of Placer
Auburn, CA

> > > "Andrew Shore" <andrew.shore () holistecs com> 2/1/2005 1:33:00 AM

I have to agree, staying on top of a tack like this is a huge
commitment
and one you'll probably never achieve. There are more and more of
these
site springing up every day.

I would recommend Websense with the spyware module.

Just my 2 cents but I think you're barking up the wrong tree.

Andy

-----Original Message-----
From: Johnson, Joey [mailto:Joey.Johnson () MWAA com] 
Sent: 28 January 2005 20:39
To: Dan Lynch; security-basics () securityfocus com 
Subject: RE: Spyware blocking with HOSTS file on DNS server

Any particular reason you don't want to manage all this yourself
manually?
There are several good enterprise level solutions out there. Some of
them free. You mentioned you're in a Windows domain so have a browse
at
this site and go from there?

http://www.winnetmag.net/WindowsSecurity/Article/ArticleID/44624/44624.h

tml 
-----Original Message-----
From: Dan Lynch [mailto:dan.lynch () placer ca gov] 
Sent: Friday, January 28, 2005 1:45 PM
To: security-basics () securityfocus com 
Subject: Spyware blocking with HOSTS file on DNS server

Greetings list,

Recent plagues of spyware/adware on our ~2000-client network has us
interested in strategies for eliminating it. One path we're
investigating is the use of compiled lists of known spyware/adware
host
names in HOSTS file format that resolve them to loopback. But since
all
our clients proxy web traffic through a central point, no name
resolution is ever done at the client and a HOSTS file would do us no
good at the desktop. Instead our proxy server performs all name
resolution against an internal DNS server. Also, we'd like to
centrally
manage the solution. Questions follow:

- list policies and practices
We'd like to find a compiled HOSTS file with clear policies and
transparent practices for inclusion and removal. Of the dozen or so
HOSTS files I've found, none seem to meet that desire. Anyone have
experience with a source that might be, um... "enterprise friendly"?
Fairly regular updates would be good too, but it seems easy to find
lists that are well maintained.

- Loopback vs 0.0.0.0; connection use
It seems some HOSTS lists like to resolve names to loopback
(127.0.0.1), but others advocate resolving to 0.0.0.0. Which is
better?
If resolving to loopback, do we have to wait for the connection to
timeout? But when resolving to 0.0.0.0, is the failure more immediate?
Since this would all be taking place at a fairly busy proxy server,
what
would the impact of one or the other be to my connection pool?

- HOSTS to zone conversion
Since our proxy is a closed-source appliance we may be unable to put a
HOSTS file on it. Further, if we can't make our DNS server pay
attention
to its own HOSTS file I assume that we'd need to convert any list to a
zone file for import to the DNS server. New to me...any hints or tips
here? Should I make an effort to eliminate all the host names and just
pretend to be master of each adware domain? This is an oddball enough
situation that my introductory DNS skills can't figure out the best
way
to do it. Any help would be appreciated.

Any other gotchas or hints from the list are welcomed. I also welcome
reference to lists or forums more closely focused on this area of
interest.

Thanks,

Dan Lynch, CISSP
County of Placer
Auburn, CA