
try to block traffic from ad.doubleclick.net, but dns record hops.


z...@rockstone.com

Jun 23, 2001, 10:46:18 AM

I wonder if anyone could share their ideas. I have this
issue: I have a linux box as a gateway/firewall for internal LAN,
I have noticed http browsing contains too much junk traffic to
the advertisement servers such as 'ad.doubleclick.net', eg. when you
browse www.cnn.com, or www.marketwatch.com, etc, you can notice
such links from the webpage source.
Because I am concerned over the rumors that they tend to snoop
on users' PCs or on users using java or cookies, and to save network
bandwidth, I am trying to establish rules with ipchains
to reject traffic from those ad servers.

Of course, first, I need to find out their ad server ip addresses,
so I did this: ping ad.doubleclick.net, I got:

PING gd3.doubleclick.net (208.32.211.200) from 192.168.1.92 :
56(84) bytes of data.
64 bytes from 208.32.211.200: icmp_seq=0 ttl=243 time=84.309 msec

Now I had found its ip address, so I added to the ipchains rule:
ipchains -A input -s 208.32.211.200 -j REJECT
ipchains -A output -d 208.32.211.200 -j REJECT

but the ads keep coming, so I pinged ad.doubleclick.net again;
this time I got a reply from a different ip,
PING gd3.doubleclick.net (208.184.29.130) from 192.168.1.92 :
56(84) bytes of data.
64 bytes from 208.184.29.130.doubleclick.net (208.184.29.130):
icmp_seq=0 ttl=11 5 time=87.732 msec

Now I got a different ip address for the same host name,
and this seems to repeat endlessly.

Then I did nslookup every few minutes, and it resolves to all
different ip addresses for the same host name ad.doubleclick.net:

#nslookup ad.doubleclick.net

ad.doubleclick.net canonical name = gd3.doubleclick.net.
Name: gd3.doubleclick.net
Address: 209.67.38.104
Name: gd22.doubleclick.net
Address: 208.184.29.130

> gd22.doubleclick.net
Server: 127.0.0.1
Address: 127.0.0.1#53

I don't quite understand the mechanism which doubleclick has deployed
to make their nslookup hopping or rotating, but is there any way I
can completely stop ad traffic from their ad servers to my LAN?

thanks very much.


Michael Kjorling

Jun 23, 2001, 11:17:12 AM

This really isn't anything strange - they're using a CNAME RR for
ad.doubleclick.net, and a low TTL on the corresponding A RRs. Looking
it up with dig gives data which seems to support that assumption
(cutting to save people here from too much junk, you can look it up
yourself if you like):

$ dig ad.doubleclick.net a | grep -v ^\; | egrep -v '^ *$' | grep A
ad.doubleclick.net. 840 IN CNAME gd3.doubleclick.net.
gd3.doubleclick.net. 10 IN A 204.253.104.80
$

While this is not a BIND question, this might solve your problem. If
not, I see no other obvious solution than adding all the IPs manually.

# ipchains -A input -s gd3.doubleclick.net -j DENY
# ipchains -A output -d gd3.doubleclick.net -j DENY


Michael Kjörling


On Jun 23 2001 10:16 -0400, z...@rockstone.com wrote:

> I don't quite understand the mechanism which doubleclick has deployed
> to make their nslookup hopping or rotating, but is there any way I
> can completely stop ad traffic from their ad servers to my LAN?

--
Michael Kjörling - mic...@kjorling.com - PGP: 8A70E33E
"We must be the change we wish to see" (Mahatma Gandhi)

^..^ Support the wolves in Norway -- go to ^..^
\/ http://home.no.net/ulvelist/protest_int.htm \/



James A Griffin

Jun 23, 2001, 11:54:21 AM

z...@rockstone.com wrote:
>
> I wonder if anyone could share their ideas. I have this
> issue: I have a linux box as a gateway/firewall for internal LAN,
> I have noticed http browsing contains too much junk traffic to
> the advertisement servers such as 'ad.doubleclick.net', eg. when you
> browse www.cnn.com, or www.marketwatch.com, etc, you can notice
> such links from the webpage source.
[snip]

There are several ways to use your local name server to 'fake' domains
and send all *.doubleclick.net to 127.0.0.1. Look for such suggestions
to be given on this thread.

However, I like the junkbuster proxy (www.junkbuster.com) as it deals
with all sorts of 'privacy' issues. Check it out. There are versions
for the Un*x family (source and binaries) and other operating systems as
well.

Regards,
Jim


Derek Balling

Jun 23, 2001, 12:20:03 PM

Isn't this a problem better solved by attacking it at the source....
finding the NS-set for "doubleclick.net" and configuring bind to
treat their responses as bogus? :-)

D

At 10:16 AM -0400 6/23/01, z...@rockstone.com wrote:
>I wonder if anyone could share their ideas. I have this
>issue: I have a linux box as a gateway/firewall for internal LAN,
>I have noticed http browsing contains too much junk traffic to
>the advertisement servers such as 'ad.doubleclick.net', eg. when you
>browse www.cnn.com, or www.marketwatch.com, etc, you can notice
>such links from the webpage source.

>I don't quite understand the mechanism which doubleclick has deployed
>to make their nslookup hopping or rotating, but is there any way I
>can completely stop ad traffic from their ad servers to my LAN?
>

>thanks very much.
>


--
+---------------------+-----------------------------------------+
| dr...@megacity.org | "Conan! What is best in life?" |
| Derek J. Balling | "To crush your enemies, see them |
| | driven before you, and to hear the |
| | lamentation of their women!" |
+---------------------+-----------------------------------------+


Marc C Storck

Jun 23, 2001, 1:04:46 PM

what doubleclick does is called DNS-based load-balancing!
you should reject every ip, or use squid and block the word ad, ads,
doubleclick etc

Marc

BTW: THIS IS NOT A BIND ISSUE!!! NEXT TIME CONTACT THE SQUID OR IP_FRWD (OR
WHATEVER)
DISCUSS-LISTS!

Martin, Kevin T

Jun 23, 2001, 3:59:33 PM

What about blocking by domain? Can you do this on Linux?

kevin

-----Original Message-----
From: Derek Balling [mailto:dr...@megacity.org]
Sent: Saturday, June 23, 2001 10:56 AM
To: z...@rockstone.com; bind-...@isc.org
Cc: z...@rockstone.com
Subject: Re: try to block traffic from ad.doubleclick.net, but dns
record hops.

Isn't this a problem better solved by attacking it at the source....
finding the NS-set for "doubleclick.net" and configuring bind to
treat their responses as bogus? :-)

D

At 10:16 AM -0400 6/23/01, z...@rockstone.com wrote:

z...@rockstone.com

Jun 23, 2001, 5:05:10 PM

Success!
It seems I have effectively blocked junk ad traffic
to my LAN by adding the following to the ipchains on the Linux
gateway box:

## reject ads from doubleclick.net

ipchains -A output -d 199.95.207.0/24 -j REJECT
ipchains -A output -d 199.95.208.0/24 -j REJECT
ipchains -A output -d 208.184.29.0/24 -j REJECT
ipchains -A output -d 208.211.255.0/24 -j REJECT
ipchains -A output -d 209.67.38.0/24 -j REJECT
ipchains -A output -d 204.253.104.0/24 -j REJECT
ipchains -A output -d 206.65.183.0/24 -j REJECT
ipchains -A output -d 206.67.38.0/24 -j REJECT
ipchains -A output -d 208.32.211.0/24 -j REJECT
ipchains -A output -d 205.138.3.0/24 -j REJECT
ipchains -A input -s 199.95.207.0/24 -j REJECT
ipchains -A input -s 199.95.208.0/24 -j REJECT
ipchains -A input -s 208.184.29.0/24 -j REJECT
ipchains -A input -s 208.211.255.0/24 -j REJECT
ipchains -A input -s 209.67.38.0/24 -j REJECT
ipchains -A input -s 204.253.104.0/24 -j REJECT
ipchains -A input -s 206.65.183.0/24 -j REJECT
ipchains -A input -s 206.67.38.0/24 -j REJECT
ipchains -A input -s 208.32.211.0/24 -j REJECT

### reject ads from AOL

## blocking ads.web.aol.com
ipchains -A output -d 205.188.140.249 -j REJECT
ipchains -A output -d 205.188.140.185 -j REJECT
ipchains -A output -d 152.163.180.24 -j REJECT
ipchains -A output -d 152.163.180.56 -j REJECT
ipchains -A output -d 64.12.184.25 -j REJECT
ipchains -A output -d 64.12.184.57 -j REJECT
ipchains -A output -d 64.12.184.89 -j REJECT
ipchains -A output -d 64.12.184.121 -j REJECT
ipchains -A input -s 205.188.140.249 -j REJECT
ipchains -A input -s 205.188.140.185 -j REJECT
ipchains -A input -s 152.163.180.24 -j REJECT
ipchains -A input -s 152.163.180.56 -j REJECT
ipchains -A input -s 64.12.184.25 -j REJECT
ipchains -A input -s 64.12.184.57 -j REJECT
ipchains -A input -s 64.12.184.89 -j REJECT
ipchains -A input -s 64.12.184.121 -j REJECT
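
An added example (not code from any poster in this thread): it parses dig answer lines in the format shown earlier, follows the CNAME, reports the lowest A-record TTL, and collapses the observed addresses into /24 networks to emit rules in the form used above. The sample lines are constructed from addresses quoted in the thread, the /24 grouping is the poster's choice rather than a published range, and the function names are made up for this sketch.

```python
import ipaddress

# Constructed sample: dig-style answer lines (name, TTL, class, type, data)
# as if gathered from repeated lookups; addresses are ones quoted in the thread.
SAMPLE = """\
ad.doubleclick.net. 840 IN CNAME gd3.doubleclick.net.
gd3.doubleclick.net. 10 IN A 204.253.104.80
ad.doubleclick.net. 830 IN CNAME gd3.doubleclick.net.
gd3.doubleclick.net. 10 IN A 208.184.29.130
gd3.doubleclick.net. 10 IN A 208.184.29.70
gd3.doubleclick.net. 10 IN A 209.67.38.104
"""

def parse_answers(text):
    """Return (cnames, a_records): alias -> target, and [(name, ttl, ip)]."""
    cnames, a_records = {}, []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) != 5:
            continue  # skip dig comments and anything that is not a record
        name, ttl, _cls, rtype, data = fields
        if rtype == "CNAME":
            cnames[name.lower()] = data.lower()
        elif rtype == "A":
            a_records.append((name.lower(), int(ttl), ipaddress.ip_address(data)))
    return cnames, a_records

def resolve_chain(name, cnames):
    """Follow CNAMEs to the final owner name, guarding against loops."""
    name, seen = name.lower(), set()
    while name in cnames and name not in seen:
        seen.add(name)
        name = cnames[name]
    return name

def summarize(text, qname, prefix=24):
    """Lowest A TTL and the sorted networks covering every observed address."""
    cnames, a_records = parse_answers(text)
    target = resolve_chain(qname, cnames)
    hits = [(ttl, ip) for name, ttl, ip in a_records if name == target]
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for _, ip in hits}
    return min(ttl for ttl, _ in hits), sorted(nets)

def ipchains_rules(nets):
    """Emit output rules first, then input rules, as in the post above."""
    return [f"ipchains -A {chain} {flag} {net} -j REJECT"
            for chain, flag in (("output", "-d"), ("input", "-s")) for net in nets]

if __name__ == "__main__":
    min_ttl, nets = summarize(SAMPLE, "ad.doubleclick.net.")
    print(f"lowest A TTL: {min_ttl}s")
    print("\n".join(ipchains_rules(nets)))
```

The generated list only covers addresses that have actually been observed, so it has to be regenerated whenever a lookup returns an address outside the networks already listed.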

Georg Kreyerhoff

Jul 1, 2001, 3:05:03 PM

z...@rockstone.com wrote:
>
> Success!
> It seems I have effectively blocked junk ad traffic
> to my LAN by adding the following to the ipchains on the Linux
> gateway box:
>
> ## reject ads from doubleclick.net
>
> ipchains -A output -d 199.95.207.0/24 -j REJECT
>[...]

>
> > What about blocking by domain? Can you do this on Linux?
> >

Not with ipchains rules. However, you can block traffic on
domain-name based rules if you set up a squid proxy cache
and force your clients to use the proxy by blocking direct
http access with ipchains.

Georg
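
An added sketch (not from the thread, and not squid's own code) of the domain-name matching that a filtering proxy applies to the requested hostname: because it never looks at the address, the rule keeps working while the A records rotate. It is compared with the keyword matching suggested earlier in the thread; the function names and the non-doubleclick sample hostnames are constructed for illustration.

```python
def normalize(host):
    """Lower-case a hostname and drop any :port suffix and trailing root dot."""
    host = host.strip().lower()
    if ":" in host:
        host = host.split(":", 1)[0]
    return host.rstrip(".")

def domain_blocked(host, blocked_domains):
    """True if host is a blocked domain or a subdomain of one.

    Matching is done on whole labels, so 'notdoubleclick.net' and
    'doubleclick.net.example.org' do not match 'doubleclick.net'.
    """
    labels = normalize(host).split(".")
    suffixes = {".".join(labels[i:]) for i in range(len(labels))}
    return not suffixes.isdisjoint(blocked_domains)

def keyword_blocked(host, keywords):
    """Plain substring match on the hostname, shown for comparison."""
    name = normalize(host)
    return any(word in name for word in keywords)

def compare(hosts, blocked_domains, keywords):
    """Map each host to (blocked by domain rule, blocked by keyword rule)."""
    return {h: (domain_blocked(h, blocked_domains), keyword_blocked(h, keywords))
            for h in hosts}

# Constructed sample of requested hostnames; the doubleclick names appear in the thread.
HOSTS = [
    "ad.doubleclick.net",
    "GD22.DoubleClick.NET.",
    "www.cnn.com",
    "download.example.com",         # contains the substring "ad"
    "notdoubleclick.net",           # different domain, shared substring
    "doubleclick.net.example.org",  # blocked name used as a prefix only
]

if __name__ == "__main__":
    result = compare(HOSTS, {"doubleclick.net"}, ["ad", "doubleclick"])
    for host, (by_domain, by_keyword) in result.items():
        print(f"{host:30} domain={by_domain!s:5} keyword={by_keyword}")
```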

