[Rabbit-dev] DNS to block malware

Luis Soltero lsoltero at globalmarinenet.com
Wed Dec 15 16:20:09 CET 2010


OpenDNS is a fine service but, as stated in my previous posting, I don't think that DNS is the optimum way to block sites.
Besides, this does nothing for ads.  The problem with the DNS lookup approach is that it takes longer, wastes resources, and
neither AdFilter nor BlockFilter is called. 

A better approach would be to add code to the filtering code to
1. check for local file based tables of ad/malware
or
2. use db based tables
or
3. have the filters do blackhole dns lookups in the filters looking for positive hits. 

3 differs from just using OpenDNS because the lookup happens in the Filter code and not in the general URL processing
code.  So... if you point the AdFilter code to an ad-based blackhole DNS then you can do the NoAd.gif processing. 
Similarly, if the DNS is a malware blackhole then you do the lookup in BlockFilter and take appropriate action there.   

Using OpenDNS the way you currently do, you get an invalid DNS lookup and a timeout with less control over how the
processing takes place.

Having said that, using your approach is the only option at this time other than manually entering regex expressions into
rabbit.

Thanks for the tip.

--luis




On 12/15/10 6:12 AM, Rick Leir wrote:
> Hi Luis, Robo,
> I like to block malware using OpenDNS.com, by pointing my system resolver at their DNS server.
> HTH -- Rick
>
> From the dnsjava README:
> ========
>
> There's no standard way to determine what the local nameserver or DNS search
> path is at runtime from within the JVM.  dnsjava attempts several methods
> until one succeeds.
>
>  - The properties 'dns.server' and 'dns.search' (comma delimited lists) are
>    checked.  The servers can either be IP addresses or hostnames (which are
>    resolved using Java's built in DNS support).
>  - The sun.net.dns.ResolverConfiguration class is queried.
>  - On Unix, /etc/resolv.conf is parsed.
>  - On Windows, ipconfig/winipcfg is called and its output parsed.  This may
>    fail for non-English versions on Windows.
>  - As a last resort, "localhost" is used as the nameserver, and the search
>    path is empty.
>
> ==========
> On 15/12/2010 12:46 AM, rabbit-dev-request at khelekore.org wrote:
>>   malware sites
>
>
> _______________________________________________
> Rabbit-dev mailing list
> Rabbit-dev at khelekore.org
> http://khelekore.org/cgi-bin/mailman/listinfo/rabbit-dev
>


-- 


Luis Soltero, Ph.D., MCS
Director of Software Development, CTO
Global Marine Networks, LLC
StarPilot, LLC
Tel: 865-379-8723
Fax: 865-681-5017
E-Mail: lsoltero at globalmarinenet.net
Web: http://www.globalmarinenet.net
Web: http://www.starpilotllc.com
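The "blackhole lookup inside the filter" design sketched in the message (approach 3), as an added Python illustration; it is not RabbIT's code and not from anyone in the thread. The resolver is injected as a callable, and the zone contents and sinkhole addresses are constructed for the example so it runs offline; in a real filter the callable would send the query to the configured blackhole server (for instance through dnsjava).

```python
"""Blackhole-DNS lookup performed by the filter itself (added illustration).

The AdFilter asks an ad blackhole server and the BlockFilter asks a malware
blackhole server about the request host; only an answer that is one of the
zone's sinkhole addresses counts as a hit. NXDOMAIN and unreachable servers
are not hits, so a timeout never turns into a block on its own.
"""
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Sinkhole addresses each blackhole zone returns for a listed host.
# Constructed for the example; a real deployment uses the addresses its
# blocklist provider documents.
AD_SINKHOLES = {"127.0.0.2"}
MALWARE_SINKHOLES = {"127.0.0.3"}

Resolver = Callable[[str], Optional[str]]  # hostname -> A record, or None for NXDOMAIN


def host_of(url: str) -> str:
    """Bare lower-cased hostname of a request URL (port and userinfo stripped)."""
    return (urlsplit(url).hostname or "").lower()


def blackhole_hit(host: str, resolve: Resolver, sinkholes: Iterable[str]) -> bool:
    """True only when the blackhole server answers with a sinkhole address."""
    try:
        answer = resolve(host)
    except OSError:  # server unreachable: fail open, other filters still run
        return False
    return answer in set(sinkholes)


def ad_filter(url: str, resolve: Resolver) -> str:
    """AdFilter step: a listed host gets the NoAd.gif replacement."""
    return "serve NoAd.gif" if blackhole_hit(host_of(url), resolve, AD_SINKHOLES) else "pass"


def block_filter(url: str, resolve: Resolver) -> str:
    """BlockFilter step: a listed host is refused outright."""
    return "block" if blackhole_hit(host_of(url), resolve, MALWARE_SINKHOLES) else "pass"


# Constructed stand-ins for the two blackhole servers (one dict per zone).
AD_ZONE = {"ads.example.net": "127.0.0.2"}
MALWARE_ZONE = {"bad.example.org": "127.0.0.3", "ads.example.net": "192.0.2.10"}


def ad_resolver(host: str) -> Optional[str]:
    return AD_ZONE.get(host)


def malware_resolver(host: str) -> Optional[str]:
    return MALWARE_ZONE.get(host)
```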
