ip dns server: how to redirect unwanted domains? ... eg: rad.msn.com ->

Dec 20th, 2009

ip dns server ... I have the DNS server configured as follows:

ip dns server view-group dnsVLcustom

ip dns view-list dnsVLcustom
view dnsVcustom 1

ip dns view dnsVcustom
no domain lookup
dns forwarding
dns forwarder
dns forwarder

... is there a way to set something like this?

rad.msn.com ---> n.n.n.n
spam.whatever.com ---> n.n.n.n
ads.whatever.com ---> n.n.n.n

... i.e.: don't forward for these domains, just return n.n.n.n

My current config has all those unwanted sites filtered by the incoming ACL but they are hard-coded by their IP addresses.

Problem is I am adding more unwanted domains and the ACL is getting bigger and (I presume) this will slow down everything, not to mention I can't be aware of IP changes.

It would be really good to have just one IP on this ACL for unwanted traffic, stopping it right after entering the router instead of a cumbersome hard-coded ACL.

Any suggestion?
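The behaviour asked for above (answer listed names with one sinkhole address, forward everything else) is what a DNS sinkhole does. The following is an added Python example, not code from the original thread or from Cisco IOS, that shows the mechanism at the wire level: it parses an A query, returns a synthetic answer for a listed domain (or any subdomain of it, which goes slightly beyond the exact names listed above) and returns None for everything else so the caller forwards the query upstream. The sinkhole table and the 192.0.2.1 address are constructed test values; on IOS the equivalent is a static host entry on the router's DNS server rather than this program.

```python
import socket
import struct

# Constructed sinkhole table: listed domain -> address handed back instead of forwarding.
# 192.0.2.1 is an RFC 5737 documentation address used here as the "n.n.n.n" placeholder.
SINKHOLE = {
    "rad.msn.com": "192.0.2.1",
    "spam.whatever.com": "192.0.2.1",
    "ads.whatever.com": "192.0.2.1",
}


def build_query(name, qid=0x1234):
    """Build a minimal DNS A/IN query; used only to construct sample input."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_question(msg):
    """Return (qid, lowercase name, qtype, qclass, offset just past the question)."""
    qid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return qid, ".".join(labels).lower(), qtype, qclass, pos + 4


def lookup(name, table):
    """Match the name itself or any parent domain, so x.rad.msn.com hits rad.msn.com."""
    parts = name.split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in table:
            return table[candidate]
    return None


def sinkhole_response(query, table=SINKHOLE):
    """Answer an A/IN query for a listed domain with the sinkhole address.

    Returns the complete response message, or None when the name is not listed
    (or the query is not A/IN), meaning: forward this query to the real resolver.
    """
    qid, name, qtype, qclass, qend = parse_question(query)
    address = lookup(name, table)
    if address is None or qtype != 1 or qclass != 1:
        return None
    # QR=1, RD=1, RA=1, RCODE=NOERROR; one question, one answer.
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = query[12:qend]
    # Answer RR: name = pointer to offset 12, type A, class IN, TTL 60, RDLENGTH 4.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(address)
    return header + question + answer


def answer_address(response):
    """Extract the dotted-quad address from a sinkhole_response() result."""
    return socket.inet_ntoa(response[-4:])


def serve(listen=("127.0.0.1", 5353), upstream=("192.0.2.53", 53)):
    """Toy UDP front end: sinkhole listed names, relay the rest to an upstream resolver.
    Both addresses are assumptions; the upstream one is a documentation placeholder."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        query, client = sock.recvfrom(512)
        reply = sinkhole_response(query)
        if reply is None:
            relay = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            relay.settimeout(2)
            relay.sendto(query, upstream)
            reply, _ = relay.recvfrom(512)
            relay.close()
        sock.sendto(reply, client)


if __name__ == "__main__":
    r = sinkhole_response(build_query("rad.msn.com"))
    print("rad.msn.com ->", answer_address(r))
    print("www.example.com ->", sinkhole_response(build_query("www.example.com")))
```

The point the rest of the thread makes still applies to this program: it only changes what a client that asks for the name receives, so an ACL entry for the sinkhole address catches clients that resolved a listed name, while traffic sent straight to a hard-coded IP never passes through it.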

Eugene Khabarov Sun, 12/20/2009 - 14:33

Hmmm... you can use this, for example:

ip host spam.whatever.com n.n.n.n
but I think this is not a good idea, to block one IP with an ACL and use DNS entries for filtering.

Try to use ip urlfilter:

ip urlfilter exclusive-domain deny spam.whatever.com

Please rate if this helps,


nlariguet Mon, 12/21/2009 - 18:12

Thanks for your answer!

Although what you proposed is not exactly what I have in mind, it is another open option which I'm glad you mentioned, since I completely forgot the firewall options on IOS because I am also running a PIX here.

The way you put it, I can filter domains without having to put specific IPs on my incoming ACLs, but it won't deny traffic directed to those IPs if the offending application (e.g., read: MSN Messenger) is using those IPs directly and not a URL such as whatever.rad.msn.com, am I right?

And if I were a spammer I would never use a URL in the first place; I'd go directly to the servers by their IPs once I learned where to reach them.

Now if there is a way to intercept those DNS requests and/or answer those requests with any chosen IP ...

Eugene Khabarov Tue, 12/22/2009 - 22:44

You're right, a spam bot will go directly by IP address. It will not make DNS queries. So you need to do standard ACL filtering for this purpose.

Please rate if this helps.
