LM, yes, basically we are supplying a list of IP addresses through DNS that the user can use to block with their firewall, or allow if they want. What they do with the list is up to them. A rather unusual way to use DNS, but it works pretty well in most cases. Most of our lists are pretty big and have to be split up due to BIND limitations and TCP packet size limits.
Basically what we do is grab a source block list, http://www.dshield.org/ipsascii.html?limit=10 is what we use to get the DShield Top 10 list. We take that file, extract the IP addresses and add them to a file for our DNS server to load into a zone. A DNS query to one of our lists would return a list of IP addresses. Right now we are only using DNS to supply the list, other options may be used in the future.
C:\>nslookup basic.threatstop.local
Server: dns-server
Address: xxx.xxx.xxx.5
Name: basic.threatstop.local
Addresses: 222.15.69.197, 59.33.242.22, 59.191.61.100, 61.129.33.118
61.163.6.124, 71.239.217.117, 80.144.87.169, 83.3.29.98, 88.235.66.185
89.86.131.147, 123.50.208.131, 125.152.17.236, 133.11.220.26, 195.254.134.18
202.113.96.15, 206.162.143.95, 211.99.150.188, 217.43.122.174, 219.132.73.68
221.2.231.10
A rule for iptables would look something like this:
iptables -A threatstop -s basic.threatstop.local -j DROP
This would actually create a separate rule for each IP address in the hostname. Some firewalls would actually work directly off the hostname, Netscreens for example, and keep the DNS query in its local cache until it expires. Other firewalls have to use a script to configure it, like iptables and PF, since they create rules for each address and don't know or care about the TTL for the hostname. We have to flush the chain and reload it every couple of hours. Some firewalls will not work, like the one that comes with WinXP, since you can only build rules using IP addresses.
Thanks
David
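The flush-and-reload script the post describes for iptables, written here as an added example that is neither ThreatStop's own script nor the poster's code. It assumes `dig` is installed, that a chain named threatstop is already referenced from INPUT, and uses the post's basic.threatstop.local as the list hostname.

```shell
#!/bin/sh
# Added example, not ThreatStop's own script: rebuild an iptables chain from
# the A records of a block-list hostname, as the post describes.
# Assumes: `dig` is installed, a chain named "threatstop" is already
# referenced from INPUT, and reload_chain runs as root.

LIST_HOST="${LIST_HOST:-basic.threatstop.local}"   # hostname from the post
CHAIN="${CHAIN:-threatstop}"

# Keep only dotted-quad IPv4 addresses from resolver output (stdin),
# deduplicated, one per line on stdout. Anything else (CNAMEs, errors) is dropped.
extract_ipv4() {
  grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u
}

# Render one DROP rule per address (stdin) so the rebuild can be reviewed
# before it is applied; the chain name is the first argument.
render_rules() {
  while read -r ip; do
    printf 'iptables -A %s -s %s -j DROP\n' "$1" "$ip"
  done
}

# Resolve the list and replace the chain contents. Because iptables does not
# track the record TTL, this is what cron runs every couple of hours.
# A lookup that returns nothing is treated as a failure: the old rules stay
# rather than flushing the chain to empty and silently unblocking everything.
reload_chain() {
  addrs=$(dig +short A "$LIST_HOST" | extract_ipv4)
  if [ -z "$addrs" ]; then
    echo "no A records for $LIST_HOST; keeping current $CHAIN rules" >&2
    return 1
  fi
  iptables -N "$CHAIN" 2>/dev/null || true   # create the chain if missing
  iptables -F "$CHAIN"                        # flush the previous snapshot
  printf '%s\n' "$addrs" | while read -r ip; do
    iptables -A "$CHAIN" -s "$ip" -j DROP
  done
}

# Dry run on a constructed resolver reply (no network, no root needed):
#   printf '222.15.69.197\n59.33.242.22\n' | extract_ipv4 | render_rules "$CHAIN"
```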