Welcome to ISAserver.org

Hosts file to block badware

All Forums >> [ISA Server 2004 Misc.] >> Tips and Tricks >> Hosts file to block badware
Hosts file to block badware - 22.Sep.2006 4:44:31 AM   
RobJohn

 

Posts: 87
Joined: 28.Feb.2001
From: Montgomery, Al
Status: offline
To all,

I discovered a good little trick tonight, maybe you've seen it before, but here goes.

I've been considering the installation of a blackhole DNS solution to supplement all the other layers of our computer security.  I haven't been really keen on the idea because of the need for another DNS server and the upkeep of the records wasn't exactly easy and quick.

I've known about the hosts files on the internet for a long time that are useful to home users, and decided to play with it a little tonight at home.  I couldn't get my DNS server to use it, didn't think it would, but I tried.  I then applied the hosts file to my ISA 2004 server; after a reboot, it worked and actually sped up client response times and blocked instantly.  This is on a small home network, so I don't know the impact yet in a large environment, but I suspect the benefit will be similar.

The purpose of the blackhole DNS and an appropriate hosts file is to block spyware, adware and other malicious or annoying sites, such as ads, banners, counters and such.  By using the hosts file, the site resolves to 127.0.0.1 immediately, or any address you want to specify.

I used the hosts file from http://www.mvps.org/winhelp2002/hosts.htm.  I also reviewed their criteria, and it was very thorough. They mention on the site that the hosts file is updated periodically.

The benefit is that I can now take this to work and protect my entire enterprise with another layer of protection that is easily updated and maintained.  Kudos to the mvps.org folks for a great service.

One caveat to using the hosts file: it appears to have no effect on firewall traffic, but it worked great on proxy traffic.  If your network allows web traffic only through the proxy, this should help greatly.

Best wishes,

_____________________________

Rob John
MCSE, CCNA
Post #: 1
RE: Hosts file to block badware - 28.Sep.2006 1:35:35 PM   
Guest
Hi Rob!
I've also had knowledge about DNS blackholes but never used one, though.
I followed your words and it works beautifully, mate!
Thanks!
Indeed, if I use ISA as a proxy on my client computers, the requested URLs which can be found in the hosts file are blocked.
But it does not work as if the file were on the host.
If you try ping, it goes to 127.0.0.1 on the ISA address, but the client computers can still reach the real IP address.
I also tried the DNS version and I'm pretty much sure I can do that, but I need one more DNS server.

(in reply to RobJohn)
  Post #: 2
RE: Hosts file to block badware - 28.Sep.2006 3:13:17 PM   
Guest
And now I've managed to make my DNS server completely unusable.
I still think this will work, though,
but only with another DNS server.

(in reply to Guest)
  Post #: 3
RE: Hosts file to block badware - 29.Sep.2006 2:34:03 AM   
RobJohn

 

Posts: 87
Joined: 28.Feb.2001
From: Montgomery, Al
Status: offline
I don't believe there is any way to get a DNS service or daemon to look at a hosts file.  My solution was to put the hosts file on the ISA server.  If you find a way to get DNS to look at it, please let me know.

The only way I know of with DNS is to create a Blackhole DNS with zones for each domain.  I was never fond of this because of the number of zones to maintain.  That's why I tried the hosts file idea: nearly the same effect, but much easier to maintain. I think the drawback of putting it on ISA is that it cannot affect firewall traffic, whereas a Blackhole DNS server would work against all traffic resolved by DNS.

I am implementing it at work on our production network tomorrow night.

I'll reply here if anything unexpected comes up.



_____________________________

Rob John
MCSE, CCNA

(in reply to Guest)
Post #: 4
RE: Hosts file to block badware - 29.Sep.2006 5:10:24 PM   
Guest
Tom wrote this in his blog
quote:

The Evils of RBLs and Why You Should NEVER Use Them

http://blogs.isaserver.org/shinder/2006/09/28/the-evils-of-rbls-and-why-you-should-never-use-them/

That's very interesting.
I've never used a DNS-based Blackhole in a real environment (production),
just testing it in VMware.
I'll keep your words in my mind, Tom!

(in reply to RobJohn)
  Post #: 5
RE: Hosts file to block badware - 30.Sep.2006 2:29:46 AM   
RobJohn

 

Posts: 87
Joined: 28.Feb.2001
From: Montgomery, Al
Status: offline
I just implemented the hosts file on my production ISA 2004 SE SP2 server about two hours ago.  A cursory check of my users didn't show any ill effects; web responses appear to be snappier.  No bad effects noted yet. I've got about 1500 devices using the proxy service.

I only came across one issue.  Instead of using 127.0.0.1, I used the IP address of an internal IIS page, but the proxy clients aren't getting sent there; they get an ISA access denied by the default rule.  The ISA server itself gets there just fine, hmmm, I need to look at it further, but probably nothing major.

In short, I have essentially done with a hosts file what would normally take a lot of rules or a Blackhole DNS server.  This doesn't eliminate the need for rules, but it adds another great layer of security for no cost.  I also noticed the hosts file I got had just been updated on their site; looks like it gets updated every two weeks.

Anyone who tries this please reply back how it goes.

Best wishes,

_____________________________

Rob John
MCSE, CCNA

(in reply to Guest)
Post #: 6
RE: Hosts file to block badware - 30.Sep.2006 2:40:28 AM   
RobJohn

 

Posts: 87
Joined: 28.Feb.2001
From: Montgomery, Al
Status: offline
I completely agree with Tom's blog about RBLs. I use them, but I agree with the danger.  There is one big difference with the hosts file provided by http://www.mvps.org/winhelp2002/hosts.txt or any other site versus an RBL.  While you don't know what the RBL service will block, you can easily review the content of a hosts file. It took me about 10-15 minutes, but I was able to scan a 200 page print of the hosts file for things that would not be good. I only printed it out so I could multitask during a management meeting.



_____________________________

Rob John
MCSE, CCNA

(in reply to RobJohn)
Post #: 7
RE: Hosts file to block badware - 30.Sep.2006 5:26:28 AM   
RobJohn

 

Posts: 87
Joined: 28.Feb.2001
From: Montgomery, Al
Status: offline
Works like a champ now.  I had restricted my "allow access to internet" rule to block access to internal sites, because I had many users (visitors) not configuring their IE proxy exceptions properly, so they were effectively using ISA as a proxy for internal sites.  I changed my rule to allow access to the one site that I used in my hosts file and hot dog! My specially crafted notice to users showed up.

I could not detect any difference in server resource utilization, but I suspect my monthly reports will begin to report good things.

Rob

_____________________________

Rob John
MCSE, CCNA

(in reply to RobJohn)
Post #: 8
RE: Hosts file to block badware - 7.Oct.2006 8:01:01 AM   
RobJohn

 

Posts: 87
Joined: 28.Feb.2001
From: Montgomery, Al
Status: offline
It's been a full week now since implementation. Our host security software (Symantec Client Security) is reporting far fewer events. I don't have any specific stats yet. We use the Symantec Client for antivirus, antispyware, adware, and IPS functions.

I just reviewed our network traffic before and after the hosts file implementation and discovered a drop in internet traffic of 30-35%. This is better than expected.

As far as my users go, I've only had one problem report by one user all week, due to a concatenated URL.

_____________________________

Rob John
MCSE, CCNA

(in reply to RobJohn)
Post #: 9
RE: Hosts file to block badware - 7.Oct.2006 12:22:03 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rob,

I've been using this now for a few days since you pointed out the method. Thanks for the great tip! I'll blog about it so that everyone else gets the benefits.

Thanks!!!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RobJohn)
Post #: 10
RE: Hosts file to block badware - 8.Oct.2006 4:12:49 PM   
tmorton

 

Posts: 15
Joined: 27.Mar.2006
Status: offline
This is a good idea and it can be implemented in DNS without wearing out your mouse button in the GUI. There are a few really good tools in the Windows Server Support Tools package from Microsoft. I am not the best code writer, however, and don't have the time to fully implement this. I did, however, get entries added to my DNS server using the following two lines at a command prompt. It could probably be turned into a batch file with a fair amount of ease and some cleanup of the hosts file.

The only real problem that I see with this is that you will end up with a ton of Primary zones in the DNS console. There is an alternate method to do this by editing the boot text file and telling your DNS server to use it to load the zones from. I am not sure how this would impact AD integrated zones, though. Here is the link for reference: http://www.bleedingsnort.com/blackhole-dns/#MS


The first line creates the DNS zone as a primary non AD integrated zone.
dnscmd.exe /zoneadd fubar.com /primary /file fubar.com.dns

The second line adds the wildcard to the zone.
dnscmd.exe /recordadd fubar.com * A 127.1.1.1

Combine that with a for loop and it could be done fairly quickly. The alternative is of course to use VBScript, or even better would be Monad, but like I said, writing code is not my forte.

I did run those two commands manually and had success. You can add them, then go into the DNS console and refresh, and you will see the newly created zone and A record.

HTH
Ty

(in reply to tshinder)
Post #: 11
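An added example, not code from this thread or from any of its posters: a Python script that does mechanically the review Rob describes in post #7 and then generates tmorton's two dnscmd lines for every name that survives it. It treats any entry whose target is not 127.0.0.1 or 0.0.0.0 as a redirect to be flagged rather than a block, skips localhost, and also emits a zone-apex (@) record (my addition, assuming dnscmd accepts @ for the apex) so the listed name itself is sinkholed, not only names beneath its wildcard. The sample hosts lines are constructed.

```python
import re
from ipaddress import ip_address

# Constructed sample in the MVPS hosts-file layout (not the real MVPS file).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 ads.example.net   # banner server
0.0.0.0 counter.example.org
0.0.0.0 ads.example.net
198.51.100.7 login.example.com   # not a sinkhole: a redirect, not a block
0.0.0.0 bad host.example
"""

SINKHOLES = {"127.0.0.1", "0.0.0.0"}
HOSTNAME_RE = re.compile(r"^(?!-)(?:[a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$")

def parse_hosts(text):
    """Return (hosts, findings): sinkholed hostnames in file order, deduplicated,
    and (line, reason, text) for every line a reviewer should inspect first."""
    hosts, findings, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comment, split on whitespace
        if not fields:
            continue
        if len(fields) != 2:
            findings.append((lineno, "malformed", raw)); continue
        ip, name = fields[0], fields[1].lower()
        if name == "localhost":
            continue   # must never become a zone
        try:
            ip_address(ip)
        except ValueError:
            findings.append((lineno, "bad-ip", raw)); continue
        if ip not in SINKHOLES:   # anything else redirects traffic instead of blocking it
            findings.append((lineno, "non-sinkhole-target", raw)); continue
        if not HOSTNAME_RE.match(name) or len(name) > 253:
            findings.append((lineno, "bad-hostname", raw)); continue
        if name in seen:
            findings.append((lineno, "duplicate", raw)); continue
        seen.add(name); hosts.append(name)
    return hosts, findings

def dnscmd_lines(hosts, sink="127.1.1.1"):
    """tmorton's two dnscmd lines per name, plus an apex (@) record added here."""
    cmds = []
    for h in hosts:
        cmds += [f"dnscmd.exe /zoneadd {h} /primary /file {h}.dns",
                 f"dnscmd.exe /recordadd {h} @ A {sink}",   # the listed name itself
                 f"dnscmd.exe /recordadd {h} * A {sink}"]   # anything beneath it
    return cmds
```

Feed the real file's text to parse_hosts, read the findings before doing anything else, and only then pipe dnscmd_lines into a batch file.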
RE: Hosts file to block badware - 8.Oct.2006 5:04:16 PM   
RobJohn

 

Posts: 87
Joined: 28.Feb.2001
From: Montgomery, Al
Status: offline
Yes, it can be done through DNS as you said.  I got my original idea from the Snort site about the blackhole DNS.  The problem for Windows environments is that if your DNS is AD integrated, you need another DNS server that is not integrated.  You would then need to forward all requests for internet zones to this DNS server.  Basically it makes things more complicated, and slower than a hosts file on a proxy, and is definitely more time consuming to update or troubleshoot if things go haywire.

I had read briefly about an INCLUDE function in DNS, but never got down to really researching it.

_____________________________

Rob John
MCSE, CCNA

(in reply to tmorton)
Post #: 12
RE: Hosts file to block badware - 9.Oct.2006 5:44:50 AM   
Guest
Yep!
I've known that link for a while and followed it.
But Rob's idea is more clever and easier to use because you don't need another server.
Again, great job Rob!

(in reply to RobJohn)
  Post #: 13
MVPS - 11.Oct.2006 6:07:37 PM   
RobJohn

 

Posts: 87
Joined: 28.Feb.2001
From: Montgomery, Al
Status: offline

FYI to all

Rob,
Glad to see you guys were able to work things out ...
If they notice any complaints from their users about not being able to access some site ... tell them to drop me a note ...
 
Mike Burgess
Microsoft MVP - Internet Security
"There's no place like 127.0.0.1"
http://www.mvps.org/winhelp2002/hosts.htm

_____________________________

Rob John
MCSE, CCNA

(in reply to Guest)
Post #: 14
RE: MVPS - 11.Oct.2006 10:47:52 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

The only problem I see with DNS is zone replication. It doesn't matter if it's AD integrated or not. AD integration is a replication issue, but doesn't have any effect on AD name resolution issues. So, there's really no reason for a second server.

However, that said, many people do not use their internal, AD DNS server as their Internet resolvers, and use a different machine for Internet name resolution and use stub zones and referrals on those machines for internal name resolution.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to RobJohn)
Post #: 15
RE: MVPS - 31.Oct.2006 11:34:10 PM   
RobJohn

 

Posts: 87
Joined: 28.Feb.2001
From: Montgomery, Al
Status: offline
Does anyone know of a hosts file specifically for blocking adult (porno) sites? I'm looking for one to merge with a copy of the MVPS hosts file.

_____________________________

Rob John
MCSE, CCNA

(in reply to tshinder)
Post #: 16
RE: MVPS - 1.Nov.2006 2:07:33 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Why don't you create your own?

Check the XML files on this site: http://isaserver.bm/destination_sets.html

Open the sex sites and the porno sites XML files and copy the links included in them into your own hosts file.


_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to RobJohn)
Post #: 17
RE: MVPS - 1.Nov.2006 8:53:40 PM   
RobJohn

 

Posts: 87
Joined: 28.Feb.2001
From: Montgomery, Al
Status: offline
Thanks for the info. Just what I was looking for, well almost, but just as good.

I do have my own, but it's minuscule compared to what I thought others might have; why reinvent the wheel?

Thanks again !!

_____________________________

Rob John
MCSE, CCNA

(in reply to elmajdal)
Post #: 18
RE: MVPS - 2.Nov.2006 9:41:32 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
You are welcome Rob

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to RobJohn)
Post #: 19
RE: Hosts file to block badware - 6.Nov.2006 3:44:00 PM   
JRyan

 

Posts: 1
Joined: 2.Sep.2005
From: MA
Status: offline
Good job!  I'll be trying this out myself. 

(in reply to RobJohn)
Post #: 20