[PLUG] Don't know how to google for this effectively...

Darkhorse plug_0 at robinson-west.com
Sun Nov 14 16:54:30 UTC 2004


On Sat, 2004-11-13 at 23:42, AthlonRob wrote:
> On Sat, 2004-11-13 at 22:43 -0800, Darkhorse wrote:
> > I want to set up a dns server to lie about certain domain 
> > names I don't want to permit accurate lookups for.  If a 
> > local host asks for some.blockeddomain.com, I want to 
> > give an answer that points at a local server.
> > 
> > I don't want to go the squid route because squid doesn't 
> > work with all web sites.  
> 
> Well... I've been running entirely through squid for the last two and a
> half years and have only had one instance of it not working correctly;
> it was a Windows Update bug.  *Every* other website has worked fine...
> 
> AFAIK, the only way to accomplish this with bind is to have entries in
> named.conf for each domain you wish to block.
> 
> A transparent squid proxy is really more effective, though... it can
> block IPs and hostnames.  If you simply block dns resolution, the user
> could easily look up the IP online and browse directly to that....
> 
> -- 
> Rob                                |  If not safe,
>    Jabber: athlonrob at axpr.net   |    one can never be free.

You're better with squid than I am, then.  Have you been forced 
to add exceptions to squid for certain sites?  I can't get my.pcc.edu
to work through squid for example and I hear that myfamily.com has
problems too.  Is there special patching to squid that has to be done
for secure web pages, etc.?  If there's a way to get practically any
site to work through squid, that would be better because it would 
allow the use of clamav against all incoming content.

I can't get windowsupdate to work through squid.  For obvious reasons,
it would be nice to force content from windowsupdate.com through antivirus
prior to letting these updates install on a workstation.  I don't think
ports 80 and 443 are the only tcp/udp ports that have to be open for
windowsupdate.com to work.  I'm so frustrated with not being able to run
windowsupdate.com through a filtered proxy that I've almost said no
Windows machines on the Internet.  The only Windows system I can get
my users to agree with me on for that policy is Windows XP.  I don't
know that you can get myfamily.com to work without Windows 98 or 2000
and Internet Explorer.  Probably the smartest thing a person could
do is have the Windows installed to a ram drive and run that system
so that there's no concern about booting a virused Windows machine. 
This might be accomplished by replacing the Windows entirely before 
each session from a known good copy and using a protected 
(non flash) bios.  It's surprising the latter isn't standard on
new computers, even a switch or jumper to disable bios upgrades
isn't standard.  Would it be that hard to have a power, reset, 
and bios upgrade switch?  I'd turn that third switch off when
I'm online.  

Another option is running the web browser in a chroot, but I believe that
only Mac OSX 10.3, Linux, and other Unix systems support this.  It 
would be nice to have a howto on how to make users use mozilla in a
chroot sandbox built in their home directory.  I'm also curious about
forcing deletion of all cached content in mozilla when any user exits it
under Linux.  How do you allow changing to the skypilot theme without
allowing cached content to persist across multiple instantiations
of mozilla?  I'd probably need to teach people to save their bookmarks
to a persistent location.  I'm more concerned there may be important
cookies and that it may not be clear what's in them.  Usually you
want to dump all of your cookies, but with sites like myfamily.com
this can prove to be a real nuisance policy.  What I'm trying to get
away from via chroot is the web browser being a vulnerability to the
underlying operating system.

     --  Michael C. Robinson
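Rob's point that BIND needs a named.conf entry for every domain you want to lie about is easy to script. The following is an added example, not code from either poster: it reads a blocklist (one domain per line) and emits one `zone` stanza per name plus a single shared zone file whose wildcard record answers every lookup with a local address. The sinkhole address 192.0.2.10 and the zone file path /etc/bind/db.sinkhole are assumptions standing in for "a local server"; as Rob notes above, this only diverts name resolution, so a user who already knows the real IP can still connect to it directly.

```shell
#!/bin/sh
# Added example (not from the thread): generate BIND "zone" stanzas for
# named.conf and one shared zone file that answers every blocked name
# with a local sinkhole address.
# Assumptions (not in the original post): the blocklist has one domain
# per line with optional '#' comments, the sinkhole host is 192.0.2.10
# (a documentation-range placeholder), and the shared zone file lives
# at /etc/bind/db.sinkhole.
set -eu

SINKHOLE_IP="${SINKHOLE_IP:-192.0.2.10}"
ZONE_FILE="${ZONE_FILE:-/etc/bind/db.sinkhole}"

# Emit one "zone" stanza per domain read from the blocklist given as $1.
# Declaring the domain as a master zone makes named authoritative for it,
# so the real records are never fetched from the Internet. Entries are
# normalised (whitespace stripped, trailing dot removed, lower-cased) and
# de-duplicated, since named refuses a config that defines a zone twice.
gen_named_conf() {
    blocklist="$1"
    grep -v '^[[:space:]]*#' "$blocklist" \
      | sed -e 's/[[:space:]]//g' -e 's/\.$//' \
      | tr 'A-Z' 'a-z' \
      | grep -v '^$' \
      | sort -u \
      | while read -r domain; do
            printf 'zone "%s" { type master; file "%s"; };\n' \
                "$domain" "$ZONE_FILE"
        done
}

# Emit the shared zone file. "@" is the zone origin, so the same file
# serves every blocked domain; the "*" wildcard covers all subdomains
# (www.some.blockeddomain.com and so on), and the apex A record covers
# the bare name. A short TTL keeps stale answers from lingering in
# client caches if an entry is later removed.
gen_zone_file() {
    cat <<EOF
\$TTL 300
@   IN SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
    IN NS   localhost.
    IN A    $SINKHOLE_IP
*   IN A    $SINKHOLE_IP
EOF
}

# Usage: sh sinkhole.sh blocklist.txt >> /etc/bind/named.conf.local
#        sh sinkhole.sh --zone > /etc/bind/db.sinkhole
if [ $# -ge 1 ]; then
    if [ "$1" = "--zone" ]; then
        gen_zone_file
    else
        gen_named_conf "$1"
    fi
fi
```

Append the generated stanzas to the file named.conf already includes on your system, write the zone file once, and reload named; run `named-checkconf` and `named-checkzone` first so a malformed blocklist entry cannot take the resolver down for everyone.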
