It’s not a question of IP resolution. The filtering is being performed on the domain name prior to passing it for DNS resolution.
Below is a more recent posting from ‘Panic’. I assume if you have this capability for “Blocked Network Zones” you can also use it in application rules where the “Host” option is given?
panic
Global Moderator
Comodo’s Hero
Re: CIS4 - How to blacklist wildcard word in firewall (like porn site, sex & drug)?
« Reply #3 on: April 09, 2010, 04:25:09 PM »
Quote from: azwarain on April 09, 2010, 01:44:22 AM
Hi,
I just want to know, is there any way I can make a blacklist of blocked websites that contain wording like drugs, sex, naked, ■■■■■ etc. I’ve checked the “My Blocked Network Zones” but it only allows blocking certain IP, MAC and Host entries.
thanks.
You can use “sex” as a host name in a blocked website. Blocked sites support wildcard entries.
Correct - both those Yahoo domains would be allowed.
I am playing around with a so-so attempt to allow Win Update web sites by domain name. Yes, I realize that it will have “holes” in that if a malicious url contained “microsoft” or “windowsupdate” in it, it would be allowed, but I look at risk percentage. We are talking about something on your PC, dialing out using svchost.exe, using TCP and ports 80 or 443, that has “windowsupdate” or “microsoft” in its url. I think the odds of that are fairly low. It is also more secure than allowing svchost unrestricted access to port 80 or 443, which is the case with most firewalls.
It would beat keeping a table of Win Update IP addresses constantly updated.
Will post back on my findings.
BTW - I think Comodo would be doing their users a great service if they resolved this Win Updates “hole” once and for all. It is using the “cloud” these days for many functions. Add a cloud lookup for the appropriate Win Update server to use.
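The post above accepts that a substring wildcard such as “*microsoft*” lets through any host that merely contains the word. The following added example (not code from the thread or from Comodo) contrasts that substring-style match with an anchored match on the registrable domain, which only passes hosts whose suffix is the trusted domain. The rule lists and the sample host names are constructed for illustration.

```python
import fnmatch

# Allow rules in the style the post proposes: '*' wildcards, so the trusted
# word may appear anywhere in the host name. (Constructed for illustration.)
SUBSTRING_RULES = ["*microsoft*", "*windowsupdate*"]


def substring_match(host, patterns=SUBSTRING_RULES):
    """Wildcard match where '*' matches any run of characters, including dots.

    Because nothing anchors the pattern to the end of the name, a host under
    an unrelated domain still matches if it contains the trusted word."""
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, pat) for pat in patterns)


# Tighter alternative: the trusted name must be the *suffix* of the host
# (the host itself or a subdomain of it), not merely a substring.
# (Domain list constructed for illustration.)
ANCHORED_DOMAINS = ["microsoft.com", "windowsupdate.com"]


def anchored_match(host, domains=ANCHORED_DOMAINS):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed sample hosts: two under the trusted domains, one that only
# contains the trusted word under another registrable domain, one unrelated.
SAMPLE_HOSTS = [
    "download.windowsupdate.com",
    "www.update.microsoft.com",
    "microsoft.example.net",
    "cdn.example.org",
]


def compare(hosts=SAMPLE_HOSTS):
    """Return {host: (substring_match, anchored_match)} for each sample host."""
    return {h: (substring_match(h), anchored_match(h)) for h in hosts}


if __name__ == "__main__":
    for host, (loose, strict) in compare().items():
        print(f"{host:32} substring={loose!s:5} anchored={strict}")
```

The anchored form still trusts every subdomain of the listed names, so it is not a substitute for the IP-block approach discussed later in the thread, but it closes the “contains the word” gap without any extra maintenance.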
Unfortunately, I don’t believe a filter like this will work because the ‘*’ is an unrecognisable character as far as client-side resolution of domain names is concerned. You’ll find, when you try to enter any combination of ‘name + *’, that it will fail; in fact it won’t even generate a log entry, even if logging is enabled on the rule. The only elements allowed in the ‘host name’ field are, for example:
etc.
If you want to restrict svchost to Windows updates and other updater services, such as Adobe, you’ll have to use the IP blocks, which is a better option than domain names, as domain names can change. In addition to the Windows Update servers, you’ll also have to cater for AKAMAI and other CDNs, which MS and many others use for hosting.
For the server urls of the Windows update servers you can take a look through the WSUS Deployment Guide. Not all the urls listed are necessary for domestic updates, but you can resolve the names and find what you need. I personally use the list in the image below, and of course the rather extensive range of AKAMAI blocks I’ve posted elsewhere.
Anyway, as I mentioned before, it’s quick enough to create a rule using wildcards to see if it works, or not.
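The reply above recommends per-process rules keyed on IP blocks rather than host names. As an added example (not Comodo code and not from the thread), here is a small evaluator for that rule model: a process is allowed to reach only the listed networks on the listed ports, everything else is denied, and a helper collapses adjacent blocks so a long CDN list stays compact. The network ranges are documentation prefixes standing in for the real Windows Update and AKAMAI blocks, which the thread says to take from the WSUS guide and the poster’s own list.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "process networks ports")
Conn = namedtuple("Conn", "process dst_ip dst_port")


def merge_blocks(cidrs):
    """Collapse a list of CIDR strings into the fewest covering networks,
    so that a hand-maintained CDN list can be tidied before loading."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed placeholder rule: replace the documentation prefixes with the
# blocks resolved from the WSUS guide and the CDN ranges you actually use.
UPDATE_RULES = [
    Rule(
        process="svchost.exe",
        networks=[ipaddress.ip_network(c) for c in
                  merge_blocks(["192.0.2.0/25", "192.0.2.128/25",
                                "198.51.100.0/24"])],
        ports=frozenset({80, 443}),
    ),
]


def is_allowed(conn, rules=UPDATE_RULES):
    """Default-deny check: True only if some rule names this process,
    this destination port, and a network containing the destination IP."""
    ip = ipaddress.ip_address(conn.dst_ip)
    for rule in rules:
        if rule.process.lower() != conn.process.lower():
            continue
        if conn.dst_port not in rule.ports:
            continue
        if any(ip in net for net in rule.networks):
            return True
    return False


# Constructed connection attempts, as a firewall would see them.
SAMPLE_CONNS = [
    Conn("svchost.exe", "192.0.2.10", 443),      # inside block, allowed port
    Conn("svchost.exe", "198.51.100.77", 80),    # inside second block
    Conn("svchost.exe", "192.0.2.10", 8080),     # right host, wrong port
    Conn("svchost.exe", "203.0.113.5", 443),     # outside every block
    Conn("notepad.exe", "192.0.2.10", 443),      # rule is per-process
]


def evaluate(conns=SAMPLE_CONNS):
    """Return [(conn, decision)] for each sample connection."""
    return [(c, is_allowed(c)) for c in conns]


if __name__ == "__main__":
    for conn, ok in evaluate():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {conn}")
```

Keeping the ranges in data rather than in the matching code means the only thing that changes when a CDN block moves is the list, which is the maintenance cost the reply accepts in exchange for not trusting names.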