#4
Old 13th January 2010
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975

Quote:
Originally Posted by joostvgh
...I would like to block rapidshare by adding some DNS record..
I could also block their IP range, but this might change over time..
PF rules can use domain names in pass/block rules, but the address resolution occurs only once, at rule loading time. In order to pick up changes, the rules must be reloaded.
Quote:
so if someone wants to go to rapidshare.com, they will send a DNS request with rapidshare.com in it..
Perhaps. It is not an absolute requirement. Other domain names may point to the same server set, or access may be obtained without using DNS, or without using DNS servers controlled by you.
Quote:
can I add a record somewhere so that they will be given the wrong IP?
(like 127.0.0.1)
I added this record to my /etc/hosts file already. Will this do the trick?
When I ping rapidshare.com it is pinging 127.0.0.1, but I don't know about all the users..
If the users you ask about are users located on the OpenBSD system, then you can certainly set your local system resolution to use a blend of file lookup and DNS resolution. See the man page for resolv.conf(5), and read about "lookup".

This will have -no- impact on DNS configurations of other systems, such as if your OpenBSD platform is a router in a network.

Even if you were to set up your own DNS server infrastructure, someone could circumvent your DNS system. Either by directing their DNS requests elsewhere, or, if you block such traffic, by doing a lookup externally and using the resulting IP addresses.

For governing HTTP/FTP traffic by site, as you wish to do, a proxy server that controls access by examining URLs will probably work better. But a savvy user will still be able to subvert your attempts at governance.
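The point in the reply about hostnames in PF rules being resolved only once, at ruleset load time, is usually handled with a table that is refreshed on a schedule rather than a hostname written directly into a rule. The script below is an added example and is not part of the thread or of anyone's actual configuration; the table name blocked_sites, the pf.conf fragment in the comments, and the use of getent(1) as the resolver are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep a pf table in step with the current
# DNS answers for a list of blocked hostnames, e.g. from a cron job.
# Assumed pf.conf fragment (hypothetical table name, not the poster's config):
#
#   table <blocked_sites> persist
#   block return out quick on egress to <blocked_sites>
#
# Every run re-resolves the names, so a change in a site's addresses is picked
# up at the next run instead of only at the next ruleset load.

TABLE="${TABLE:-blocked_sites}"   # pf table name; override via the environment

# resolve_hosts: print every address the hostname currently resolves to,
# one per line, via the system resolver (getent(1) is assumed to be present).
resolve_hosts() {
    getent hosts "$1" | awk '{ print $1 }'
}

# build_table: resolve every hostname passed as an argument and print the
# sorted, de-duplicated address list the table should contain.
build_table() {
    for name in "$@"; do
        resolve_hosts "$name"
    done | sort -u
}

# refresh_table: replace the table contents with the current address list.
# A temporary file is used because "pfctl -T replace -f" reads from a file.
refresh_table() {
    tmp=$(mktemp) || return 1
    build_table "$@" > "$tmp"
    pfctl -t "$TABLE" -T replace -f "$tmp"
    rm -f "$tmp"
}

# With hostnames on the command line, refresh the table; with no arguments
# only the functions are defined (useful when sourcing the file).
if [ $# -gt 0 ]; then
    refresh_table "$@"
fi
```

The table only ever contains the addresses the resolver returned at the moment the script ran, which is exactly the limitation the reply describes: other names pointing at the same servers, or lookups done through a resolver you do not control, are not covered unless their results are also fed into the table. Likewise, the "lookup" keyword in resolv.conf(5) mentioned above changes name resolution only for the OpenBSD host itself, not for clients routing through it.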