On Sat, 22 Apr 2006 11:09:29 +0100, Craig Skinner wrote:
>Nick Holland wrote:
>> I've been a fan of DNS mangling to deal with this problem for some time.
>> Technically, it is a horribly flawed system. Practically, it works, and
>> works very easily. More:
>> http://www.holland-consulting.net/tech/imblock.html
>>
>
>And if you use BIND, see here:
>
>http://www.deer-run.com/~hal/sysadmin/dns-advert.html
>http://www.bleedingsnort.com/blackhole-dns/
>

Even easier: Use dnsspoof from the dsniff package. It will even run on a firewall and do the trick on $int_if traffic.

There's always a catch though: One time I had trouble trying to browse www.linksys.com - with good reason, the wild-card file list had something like *.link*.com in it.

It is a really neat way of doing a few other things though. It can act like a master hosts file and serve up local resolutions for RFC1918 hosts on your LAN, which saves doing a split BIND setup when you just run the default caching-only setup. It will also handle resolving www.example.com (where that is your domain webserver) by serving up 192.168.x.y for a machine that has that as its LAN IP and which the public reaches with rdr rules in pf.conf.

'Tain't perfect, but it is really easy to do.

From the land "down under": Australia. Do we look <umop apisdn> from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.
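The "*.link*.com swallows www.linksys.com" catch above is easy to check for before deploying a blackhole list. The script below is an added example, not code from the post or from the dsniff project: it parses a constructed dnsspoof-style hosts file and reports which hostnames you still need to reach would be hijacked by an over-broad pattern. It assumes the patterns are matched with shell-style globbing (fnmatch), which is my reading of the post's "*.link*.com" example rather than something the post states.

```python
import fnmatch

# Constructed sample in dnsspoof hosts-file layout: "<ip> <host-or-wildcard>".
# The second line reproduces the over-broad pattern described in the post.
SAMPLE_HOSTS = """\
# blackholed ad/tracker names -> local sinkhole
127.0.0.1     ad.doubleclick.example
127.0.0.1     *.link*.com
127.0.0.1     banner.*
# master-hosts-file use: LAN address for the public webserver
192.168.1.10  www.example.com
"""

# Hostnames the LAN must keep resolving normally (constructed list).
MUST_RESOLVE = ["www.linksys.com", "www.kernel.org", "ftp.openbsd.org"]


def parse_hosts(text):
    """Return [(ip, pattern), ...] in file order; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed hosts line: {raw!r}")
        entries.append((parts[0], parts[1]))
    return entries


def lookup(entries, name):
    """First matching pattern wins (sequential scan); None means 'not spoofed'.
    Matching is case-insensitive, as DNS names are."""
    for ip, pattern in entries:
        if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
            return ip
    return None


def find_collateral(entries, must_resolve):
    """Map each hostname that must stay reachable to the pattern that would
    hijack it, so an over-broad wildcard is caught before it goes live."""
    hits = {}
    for name in must_resolve:
        for _ip, pattern in entries:
            if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                hits[name] = pattern
                break
    return hits


if __name__ == "__main__":
    for host, pat in find_collateral(parse_hosts(SAMPLE_HOSTS), MUST_RESOLVE).items():
        print(f"{host} would be hijacked by pattern {pat}")
```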