ip dns server: how to redirect unwanted domains? e.g. rad.msn.com -> 10.10.10.10

Unanswered Question
Dec 20th, 2009

ip dns server ... I have the DNS server configured as follows:

! the router's DNS server answers client queries through this view list
ip dns server view-group dnsVLcustom
!
ip dns view-list dnsVLcustom
 view dnsVcustom 1
!
! the only view: no local resolution, everything is forwarded to OpenDNS
ip dns view dnsVcustom
 no domain lookup
 dns forwarding
 dns forwarder 208.67.222.222
 dns forwarder 208.67.220.220

... is there a way to set something like this?


rad.msn.com ---> n.n.n.n
spam.whatever.com ---> n.n.n.n
ads.whatever.com ---> n.n.n.n


... i.e. don't forward these domains, just return n.n.n.n


My current config has all those unwanted sites filtered by the incoming ACL, but they are hard-coded by their IP addresses.


The problem is that I am adding more unwanted domains and the ACL is getting bigger, and (I presume) this will slow down everything, not to mention that I can't be aware of IP changes.


It would be really good to have just one IP on this ACL for unwanted traffic, stopping it right after it enters the router, instead of a cumbersome hard-coded ACL.


Any suggestions?

Eugene Khabarov Sun, 12/20/2009 - 14:33

Hmm... you can use this, for example:

ip host spam.whatever.com n.n.n.n

But I think it is not a good idea to block one IP with an ACL and use DNS entries for filtering.

Try using ip urlfilter:

ip urlfilter exclusive-domain deny spam.whatever.com


Please rate if this helps,

Eugene.
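The static-host approach from the answer above, written out as a complete IOS configuration (an added example, not posted by anyone in this thread): the DNS view returns a sinkhole address for the listed names, and a single ACL entry drops everything sent to that address. Assumed for the example: 10.10.10.10 is an unused, non-routed address, FastEthernet0/0 is the LAN interface, and 192.0.2.1 is the router's LAN address that clients use as their DNS server. The `ip host view` form is the Split DNS static host entry for a named view; confirm the entries are loaded into the view on your IOS release with `show hosts`.

```text
! Added example, not part of the original thread. Assumptions: 10.10.10.10
! is an unused, non-routed sinkhole address; FastEthernet0/0 is the LAN
! interface; 192.0.2.1 is the router's LAN address that clients use for DNS.
ip dns server
ip dns server view-group dnsVLcustom
!
ip dns view-list dnsVLcustom
 view dnsVcustom 1
!
ip dns view dnsVcustom
 no domain lookup
 dns forwarding
 dns forwarder 208.67.222.222
 dns forwarder 208.67.220.220
!
! Static answers for the view, consulted before the query is forwarded.
! ip host entries are exact hostnames: rad.msn.com does not cover
! whatever.rad.msn.com, so every name the application really queries
! has to be listed.
ip host view dnsVcustom rad.msn.com 10.10.10.10
ip host view dnsVcustom spam.whatever.com 10.10.10.10
ip host view dnsVcustom ads.whatever.com 10.10.10.10
!
! One ACL line stops all sinkholed traffic. "log" shows which hosts
! still try to reach the sinkhole; that is how you notice new names
! to add. DNS is pinned to the router so a client cannot bypass the
! sinkhole by pointing at OpenDNS directly.
ip access-list extended LAN-IN
 deny   ip any host 10.10.10.10 log
 permit udp any host 192.0.2.1 eq domain
 permit tcp any host 192.0.2.1 eq domain
 deny   udp any any eq domain log
 deny   tcp any any eq domain log
 permit ip any any
!
interface FastEthernet0/0
 ip access-group LAN-IN in
```

This only covers traffic that starts with a DNS lookup through the router; a client or bot that already knows the server address never asks for the name, which is the point made later in the thread, so the IP-based ACL entries still have a role for those cases.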

nlariguet Mon, 12/21/2009 - 18:12

Thanks for your answer!


Although what you proposed is not exactly what I have in mind, it is another open option which I'm glad you mentioned, since I completely forgot the firewall options on IOS because I am also running a PIX here.


The way you put it, I can filter domains without having to put specific IPs on my incoming ACLs, but it won't deny traffic directed to those IPs if the offending application (e.g. read: MSN Messenger) is using those IPs directly and not a URL such as whatever.rad.msn.com, am I right?


And if I were a spammer I would never use a URL in the first place; I'd go directly to the servers by their IPs once I learned where to reach them.


Now, if there is a way to intercept those DNS requests and/or answer those requests with any chosen IP ...

Eugene Khabarov Tue, 12/22/2009 - 22:44

You're right, a spam bot will go directly by IP address. It will not make DNS queries. So you need to do standard ACL filtering for this purpose.

Please rate if this helps.

Eugene.
