PING gd3.doubleclick.net (208.32.211.200) from 192.168.1.92 :
56(84) bytes of data.
64 bytes from 208.32.211.200: icmp_seq=0 ttl=243 time=84.309 msec
Now I had found its ip address, so I added to the ipchains rule:
ipchains -A input -s 208.32.211.200 -j REJECT
ipchains -A output -d 208.32.211.200 -j REJECT
but ads keep coming, so I pinged ad.doubleclick.net again,
this time I got a reply from a different ip,
PING gd3.doubleclick.net (208.184.29.130) from 192.168.1.92 :
56(84) bytes of data.
64 bytes from 208.184.29.130.doubleclick.net (208.184.29.130):
icmp_seq=0 ttl=11 5 time=87.732 msec
Now I got a different ip address for the same host name,
and this seems to repeat endlessly.
Then I did nslookup every few minutes, and it resolves to all
different ip addresses for the same host name ad.doubleclick.net:
#nslookup ad.doubleclick.net
ad.doubleclick.net canonical name = gd3.doubleclick.net.
Name: gd3.doubleclick.net
Address: 209.67.38.104
Name: gd22.doubleclick.net
Address: 208.184.29.130
> gd22.doubleclick.net
Server: 127.0.0.1
Address: 127.0.0.1#53
I don't quite understand the mechanism which doubleclick have deployed
to make their nslookup hopping or rotating, but is there any way I
can completely stop ad traffic from their ad servers to my LAN?
thanks very much.
This really isn't anything strange - they're using a CNAME RR for
ad.doubleclick.net, and a low TTL on the corresponding A RRs. Looking
it up with dig gives data which seems to support that assumption
(cutting to save people here from too much junk, you can look it up
yourself if you like):
$ dig ad.doubleclick.net a | grep -v ^\; | egrep -v '^ *$' | grep A
ad.doubleclick.net. 840 IN CNAME gd3.doubleclick.net.
gd3.doubleclick.net. 10 IN A 204.253.104.80
$
While this is not a BIND question, this might solve your problem. If
not, I see no other obvious solution than adding all the IPs manually.
# ipchains -A input -s gd3.doubleclick.net -j DENY
# ipchains -A output -d gd3.doubleclick.net -j DENY
Michael Kjörling
On Jun 23 2001 10:16 -0400, z...@rockstone.com wrote:
> I don't quite understand the mechanism which doubleclick have deployed
> to make their nslookup hopping or rotating, but is there any way I
> can completely stop ad traffic from their ad servers to my LAN?
- --
Michael Kjörling - mic...@kjorling.com - PGP: 8A70E33E
"We must be the change we wish to see" (Mahatma Gandhi)
^..^ Support the wolves in Norway -- go to ^..^
\/ http://home.no.net/ulvelist/protest_int.htm \/
There are several ways to use your local name server to 'fake' domains
and send all *.doubleclick.net to 127.0.0.1. Look for such suggestions
to be given on this thread.
However, I like the junkbuster proxy (www.junkbuster.com) as it deals
with all sorts of 'privacy' issues. Check it out. There are versions
for the Un*x family (source and binaries) and other operating systems as
well.
Regards,
Jim
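One way to set up the local 'fake domain' approach mentioned above, as an added example that is not part of the original thread: a shell function that writes a shared BIND zone file answering 127.0.0.1 for every name in a zone, plus one master zone statement per blocked domain. The function name, the file names db.sinkhole and sinkhole.conf, the include path and the serial are assumptions.

```shell
#!/bin/sh
# Added example: make the name server the LAN uses authoritative for the
# listed domains, so every name under them resolves to 127.0.0.1 no matter
# how often the real A records rotate.
# write_sinkhole, db.sinkhole and sinkhole.conf are hypothetical names.

# Usage: write_sinkhole OUTDIR DOMAIN...
write_sinkhole() {
    outdir=$1; shift
    mkdir -p "$outdir" || return 1

    # One shared zone file: the relative names @ and * are expanded against
    # whichever zone loads the file, so it can back any number of domains.
    cat > "$outdir/db.sinkhole" <<'EOF'
$TTL 86400
@   IN  SOA localhost. root.localhost. (
            2001062301 ; serial (constructed)
            3600       ; refresh
            900        ; retry
            604800     ; expire
            86400 )    ; negative-cache TTL
@   IN  NS  localhost.
@   IN  A   127.0.0.1
*   IN  A   127.0.0.1
EOF

    # One zone statement per domain. Pull the result into named.conf with
    # a line such as:  include "/etc/namedb/sinkhole.conf";  (assumed path)
    : > "$outdir/sinkhole.conf"
    for domain in "$@"; do
        # Accept hostname characters only, so a name cannot break out of
        # the quoted string in the generated configuration.
        case $domain in
            ''|*[!A-Za-z0-9.-]*)
                echo "skipping invalid name: $domain" >&2
                continue ;;
        esac
        printf 'zone "%s" {\n    type master;\n    file "%s/db.sinkhole";\n};\n' \
            "$domain" "$outdir" >> "$outdir/sinkhole.conf"
    done
}

# Run directly as: sh sinkhole.sh /etc/namedb doubleclick.net
if [ "$#" -ge 2 ]; then write_sinkhole "$@"; fi
```

This only affects clients that resolve through this name server; a client configured with another resolver still receives the real addresses.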
D
At 10:16 AM -0400 6/23/01, z...@rockstone.com wrote:
>I wonder if anyone could share their ideas; I have this
>issue: I have a linux box as a gateway/firewall for internal LAN,
>I have noticed http browsing contains too much junk traffic to
>the advertisement servers such as 'ad.doubleclick.net', eg. when you
>browse www.cnn.com, or www.marketwatch.com, etc, you can notice
>such links from the webpage source.
>I don't quite understand the mechanism which doubleclick have deployed
>to make their nslookup hopping or rotating, but is there any way I
>can completely stop ad traffic from their ad servers to my LAN?
>
>thanks very much.
>
--
+---------------------+-----------------------------------------+
| dr...@megacity.org | "Conan! What is best in life?" |
| Derek J. Balling | "To crush your enemies, see them |
| | driven before you, and to hear the |
| | lamentation of their women!" |
+---------------------+-----------------------------------------+
Marc
BTW: THIS IS NOT A BIND ISSUE!!! NEXT TIME CONTACT THE SQUID OR IP_FRWD (OR
WHATEVER)
DISCUSS-LISTS!
kevin
-----Original Message-----
From: Derek Balling [mailto:dr...@megacity.org]
Sent: Saturday, June 23, 2001 10:56 AM
To: z...@rockstone.com; bind-...@isc.org
Cc: z...@rockstone.com
Subject: Re: try to block traffic from ad.doubleclick.net, but dns
record hops.
Isn't this a problem better solved by attacking it at the source....
finding the NS-set for "doubleclick.net" and configuring bind to
treat their responses as bogus? :-)
D
At 10:16 AM -0400 6/23/01, z...@rockstone.com wrote:
## reject ads from doubleclick.net
ipchains -A output -d 199.95.207.0/24 -j REJECT
ipchains -A output -d 199.95.208.0/24 -j REJECT
ipchains -A output -d 208.184.29.0/24 -j REJECT
ipchains -A output -d 208.211.255.0/24 -j REJECT
ipchains -A output -d 209.67.38.0/24 -j REJECT
ipchains -A output -d 204.253.104.0/24 -j REJECT
ipchains -A output -d 206.65.183.0/24 -j REJECT
ipchains -A output -d 206.67.38.0/24 -j REJECT
ipchains -A output -d 208.32.211.0/24 -j REJECT
ipchains -A output -d 205.138.3.0/24 -j REJECT
ipchains -A input -s 199.95.207.0/24 -j REJECT
ipchains -A input -s 199.95.208.0/24 -j REJECT
ipchains -A input -s 208.184.29.0/24 -j REJECT
ipchains -A input -s 208.211.255.0/24 -j REJECT
ipchains -A input -s 209.67.38.0/24 -j REJECT
ipchains -A input -s 204.253.104.0/24 -j REJECT
ipchains -A input -s 206.65.183.0/24 -j REJECT
ipchains -A input -s 206.67.38.0/24 -j REJECT
ipchains -A input -s 208.32.211.0/24 -j REJECT
### reject ads from AOL
cking ads.web.aol.com
ipchains -A output -d 205.188.140.249 -j REJECT
ipchains -A output -d 205.188.140.185 -j REJECT
ipchains -A output -d 152.163.180.24 -j REJECT
ipchains -A output -d 152.163.180.56 -j REJECT
ipchains -A output -d 64.12.184.25 -j REJECT
ipchains -A output -d 64.12.184.57 -j REJECT
ipchains -A output -d 64.12.184.89 -j REJECT
ipchains -A output -d 64.12.184.121 -j REJECT
ipchains -A input -s 205.188.140.249 -j REJECT
ipchains -A input -s 205.188.140.185 -j REJECT
ipchains -A input -s 152.163.180.24 -j REJECT
ipchains -A input -s 152.163.180.56 -j REJECT
ipchains -A input -s 64.12.184.25 -j REJECT
ipchains -A input -s 64.12.184.57 -j REJECT
ipchains -A input -s 64.12.184.89 -j REJECT
ipchains -A input -s 64.12.184.121 -j REJECT
not with ipchains-rules. However, you can block traffic on
domain-name based rules if you set up a squid-proxy-cache
and force your clients to use the proxy by blocking direct
http-access with ip-chains.
Georg