Re: Spyware blocking with HOSTS file on DNS server

[David Glosser <david_glosser () yahoo com>]

(I'm resending this since it didn't seem to make it to the list. Apologies
if anyone
received it twice)

 Subject: Re: Spyware blocking with HOSTS file on DNS server


> We've has this discussion on the "bleeding snort" malware forum, using
> "black hole" domains in an internal DNS server:
> http://www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=98
>
> Also check out the "bleeding malware" snort ruleset.
>
> This site:
> http://pgl.yoyo.org/adservers/hosts2bind.ph
> converts host files to DNS  zone entries.  (Be careful with using
loopback,
> as one person on the above forum mentioned that she toasted her
> proxy server by using 127.0.0.1)
>
> However, most host files contain ad servers such as doubleclick,
> which can't be blocked in a corporate environment.
> You're not alone in your request ;)
>
> Finally,  please check out "Remote BHO Scanner":
> http://www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=427
>
> It's an ActivePerl program which scans a windows domain for unauthorized
> Browser Helper Objects. I'm looking for people to beta-test as well as
Perl
> gurus to help improve the code.
>
> HTH
> Dave Glosser
>
>
> ----- Original Message ----- 
> From: "Dan Lynch" <dan.lynch () placer ca gov>
> To: <security-basics () securityfocus com>
> Sent: Friday, January 28, 2005 1:44 PM
> Subject: Spyware blocking with HOSTS file on DNS server
>
>
> > Greetings list,
> >
> > Recent plagues of spyware/adware on our ~2000-client network has us
> > interested in strategies for eliminating it. One path we're
> > investigating is the use of compiled lists of known spyware/adware host
> > names in HOSTS file format that resolve them to loopback. But since all
> > our clients proxy web traffic through a central point, no name
> > resolution is ever done at the client and a HOSTS file would do us no
> > good at the desktop. Instead our proxy server performs all name
> > resolution against an internal DNS server. Also, we'd like to centrally
> > manage the solution. Questions follow:
> >
> > - list policies and practices
> > We'd like to find a compiled HOSTS file with clear policies and
> > transparent practices for inclusion and removal. Of the dozen or so
> > HOSTS files I've found, none seem to meet that desire. Anyone have
> > experience with a source that might be, um... "enterprise friendly"?
> > Fairly regular updates would be good too, but it seems easy to find
> > lists that are well maintained.
> >
> > - Loopback vs 0.0.0.0; connection use
> > It seems some HOSTS lists like to resolve names to loopback
> > (127.0.0.1), but others advocate resolving to 0.0.0.0. Which is better?
> > If resolving to loopback, do we have to wait for the connection to
> > timeout? But when resolving to 0.0.0.0, is the failure more immediate?
> > Since this would all be taking place at a fairly busy proxy server, what
> > would the impact of one or the other be to my connection pool?
> >
> > - HOSTS to zone conversion
> > Since our proxy is a closed-source appliance we may be unable to put a
> > HOSTS file on it. Further, if we can't make our DNS server pay attention
> > to its own HOSTS file I assume that we'd need to convert any list to a
> > zone file for import to the DNS server. New to me...any hints or tips
> > here? Should I make an effort to eliminate all the host names and just
> > pretend to be master of each adware domain? This is an oddball enough
> > situation that my introductory DNS skills can't figure out the best way
> > to do it. Any help would be appreciated.
> >
> > Any other gotchas or hints from the list are welcomed. I also welcome
> > reference to lists or forums more closely focused on this area of
> > interest.
> >
> > Thanks,
> >
> > Dan Lynch, CISSP
> > County of Placer
> > Auburn, CA