ip dns server: how to redirect unwanted domains ? ... eg: rad.msn.com -> 10.10.10.10

nlariguet
Level 1

ip dns server ... I have the DNS server configured as follows:

ip dns server view-group dnsVLcustom

ip dns view-list dnsVLcustom
view dnsVcustom 1

ip dns view dnsVcustom
no domain lookup
dns forwarding
dns forwarder 208.67.222.222
dns forwarder 208.67.220.220

... is there a way to set something like this?

rad.msn.com ---> n.n.n.n
spam.whatever.com ---> n.n.n.n
ads.whatever.com ---> n.n.n.n

... i.e. don't forward these domains, just return n.n.n.n

My current config has all those unwanted sites filtered by the incoming ACL but they are hard-coded by their IP addresses.

Problem is I am adding more unwanted domains and the ACL is getting bigger and (I presume) this will slow down everything - not to mention I can't be aware of IP changes.

It would be really good to have just one IP on this ACL for unwanted traffic stopping it right after entering the routers instead of a cumbersome hard-coded ACL.

Any suggestion?

3 Replies

Eugene Khabarov
Level 7

Hmmm.. you can use this, for example:

ip host spam.whatever.com n.n.n.n

But I think it is not a good idea to block one IP with an ACL and use DNS entries for filtering.

Try to use ip urlfilter:

ip urlfilter exclusive-domain deny spam.whatever.com

Please rate if this helps,

Eugene.

Thanks for your answer!

Although what you proposed is not exactly what I have in mind, it is another open option which I'm glad you mentioned, since I completely forgot the firewall options on IOS because I am also running a PIX here.

The way you put it, I can filter domains without having to put specific IPs on my incoming ACLs, but it won't deny traffic directed to those IPs if the offending application (e.g. read: MSN Messenger) is using those IPs directly and not a URL such as whatever.rad.msn.com, am I right?

And if I were a spammer I would never use a URL in the first place; I'd go directly to the servers by their IPs once I learned where to reach them.

Now if there is a way to intercept those DNS requests and/or answer those requests with any chosen IP ...

You're right, a spam bot will go directly by IP address. It will not make DNS queries. So you need to do standard ACL filtering for this purpose.

Please rate if this helps.

Eugene.
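The behaviour the original question asks for (answer a local list of unwanted names with one sinkhole address, hand everything else to the forwarders), written out as a minimal DNS-wire-format responder; this is an added example, not code from the thread or from Cisco IOS, and the blocklist, sinkhole address and query builder are constructed here for illustration. It also sinkholes subdomains (whatever.rad.msn.com matches rad.msn.com), and, as the last reply notes, it does nothing for a client that never sends a DNS query and connects to an IP directly, so the ACL on the sinkhole address stays.

```python
import struct

# Constructed example values: names to sinkhole and the address to answer with.
SINKHOLE = "10.10.10.10"
BLOCKED = {"rad.msn.com", "spam.whatever.com", "ads.whatever.com"}

def is_blocked(name):
    """True if name equals a blocked domain or sits underneath one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BLOCKED)

def parse_qname(msg, off):
    """Decode an uncompressed DNS name at msg[off]; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off

def build_query(name, qid=0x1234):
    """Build a standard A-record query for name (constructed client input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def sinkhole_response(query):
    """Return a response carrying SINKHOLE for a blocked A query, or None to forward."""
    qid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    name, off = parse_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if qtype != 1 or qclass != 1 or not is_blocked(name):
        return None  # not ours: the caller forwards it upstream (208.67.222.222 etc.)
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, 1 answer
    question = query[12:off + 4]
    rdata = bytes(int(o) for o in SINKHOLE.split("."))
    # Answer RR: pointer to the question name at offset 12, type A, class IN, TTL 60, 4 bytes.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + rdata
    return header + question + answer

def answered_address(response):
    """Dotted-quad address from a response produced by sinkhole_response."""
    return ".".join(str(b) for b in response[-4:])
```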
