On 4/19/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Nick Holland <[EMAIL PROTECTED]> wrote:
>
> > I'm very fond of DNS blocking:
> > http://www.holland-consulting.net/tech/imblock.html
> > simple, effective, in spite of theoretical shortcomings...
>
> I found this to be effective too, but... I used it to block
> internet radio sites at my former company. The users still found
> other internet radio sites. So, instead, I used an old computer
> running nst linux and ran bandwidthd on the network. Instead of
> wasting time on what sites to block, I just had a VP talk to the
> top 10 people who were using most of the bandwidth. This seemed to
> be the most effective and least time-wasting solution.
On a side note.... there is a patch that allows pdnsd to act as a "root" level resolver for whatever domains you would like to supplant. Nice and very lightweight. I've been using patched pdnsd in combination with pf redirection of all port 53 traffic to prevent TCP over DNS/ICMP leeching techniques, and it works great for captive portals as well (and could be handy for making all those naughty Vista desktops resolve "teredo.ipv6.microsoft.com" to a local IPv6 tunnel broker... so you can actually *know* what kind of traffic is bypassing your IPv4-only firewall... but I haven't used it in this capacity yet).

Now... if there were only a good way to proxy arbitrary SSL/SSH traffic (I'm sure there is, and I'm all ears to know what other people have done).

Still... won't stop users from plugging sites they want into c:\windows\system32\drivers\etc\hosts (which is why you should use squid in addition). How many ways are there into and out of a network; let me count the ways and then think of a few more.
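The "pf redirection of all port 53 traffic" the poster mentions, written out as an added pf.conf fragment (this is not the poster's configuration and not part of the thread). It assumes pdnsd is running on the firewall itself, listening on the address of the internal interface, and that the LAN-facing interface is em1; both names are placeholders. The rule uses the `rdr-to` syntax of OpenBSD 4.7 and later; the equivalent rule for the 2007-era `rdr` syntax is given in a comment.

```pf
# Added example, not from the thread. Assumed: em1 is the LAN interface and
# pdnsd listens on em1's address, port 53. Adjust both to your own setup.
int_if = "em1"

# Every DNS query from the LAN, UDP and TCP alike, is redirected to the local
# resolver regardless of the server the client asked for. Clients that try a
# "foreign" resolver (or tunnel data over port 53 to one) therefore only ever
# talk to the resolver you control, which is what makes the pdnsd "root"
# override effective.
pass in quick on $int_if inet proto { tcp, udp } \
    from $int_if:network to any port domain \
    rdr-to ($int_if) port domain

# Pre-4.7 equivalent of the rule above (rdr lived in its own section then):
#   rdr on $int_if inet proto { tcp, udp } from $int_if:network to any \
#       port domain -> ($int_if) port domain
```

After loading it with `pfctl -f /etc/pf.conf`, a client that points at an outside resolver still gets its answers from pdnsd; `pfctl -s state` will show the redirected states. As the poster notes, this only controls name resolution: a host that bypasses DNS entirely (a hosts-file entry or a hard-coded IP) still needs a forward proxy such as squid, or egress filtering, to be caught.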