[eduVPN-deploy] malware/tracking/advertising domain blocking
Jørn Åne
jorn.dejong at uninett.no
Mon Nov 19 11:41:10 CET 2018
On 19.11.2018 10:59, Sjors Haanen wrote:
> Hi all,
>
> If you want to let your users benefit from malware/tracking/advertising
> domain blocking, you can follow the recently added how-to. [1]
>
> Let me know if you have any questions or remarks!
Hi Sjors
Very nice!
I have a question about how the blocklist is applied.
I notice that you use the format:
local-zone: evil.invalid always_nxdomain
This causes a client to return that the domain does not exist. For my
own filter, I use:
local-zone: evil.invalid refuse
This way, web browsers will still behave the same (silently fail to load
resources from the domain), but when I use a more advanced DNS client,
like dig, I see that the query was refused. This makes it more apparent
whether a name doesn't exist or whether it was filtered. This may ease
debugging in case a bona fide domain is included by accident. I don't
know of any downsides for "refuse", but I haven't really looked into it
either.
Do you know anything about the difference between these two policies?
Maybe we can try running with "refuse" instead?
--
Jørn Åne
System Developer
Uninett AS
jorn.dejong at uninett.no
+47 95 36 10 17
www.uninett.no
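
Added example, not part of the original message or of the eduVPN how-to: a small parser for the DNS response header that shows what a client can tell apart under the two local-zone policies discussed above. The function names and the reply bytes are constructed for illustration; only the RCODE numbers (RFC 1035) and the zone types named in the message are real.

```python
import struct

# RCODE values from RFC 1035 (low 4 bits of the header flags word).
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234, qtype=1):
    """Build a minimal DNS query (A record by default, RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify(response, txid=0x1234):
    """Return (rcode_name, verdict) for a raw DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    name = RCODES.get(rcode, f"RCODE{rcode}")
    if rcode == 5:
        # REFUSED is also what a resolver sends for access-control denials,
        # so this is a strong hint of filtering, not proof.
        verdict = "refused by resolver (filter or access control)"
    elif rcode == 3:
        # A zone blocked with always_nxdomain looks exactly like a missing name.
        verdict = "name does not exist, or blocked with always_nxdomain"
    elif rcode == 0:
        verdict = "resolved" if ancount else "no data"
    else:
        verdict = "resolver error"
    return name, verdict

def fake_response(query, rcode):
    """Constructed reply: echo the question, set QR/RD/RA and the given rcode."""
    flags = struct.pack("!H", 0x8180 | rcode)
    return query[:2] + flags + query[4:6] + b"\x00" * 6 + query[12:]

if __name__ == "__main__":
    q = build_query("evil.invalid")
    for policy, rcode in (("always_nxdomain", 3), ("refuse", 5)):
        print(policy, "->", *classify(fake_response(q, rcode)))
```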