Does *word* Still Work For Domain Name Filtering?

Came across an old forum posting (2006) where the mod stated that using *word* in effect filters host names by the “word.”

For example, if I entered microsoft as a host name value in a firewall rule, any host name with microsoft in it would be allowed.

Next question: can this notation be used as a qualifier? For example, is entering .microsoft.com as a host name the same as the *.microsoft.com notation?

I don’t believe that’s ever been possible, as it would be impossible to match a wildcard domain name to an IP address.

It’s not a question of IP resolution. The filtering is being performed on the domain name prior to passing it for DNS resolution.

Below is a more recent posting from ‘Panic’. I assume if you have this capability for “Blocked Network Zones” you can also use it in application rules where the “Host” option is given?

panic
Global Moderator
Comodo’s Hero

Re: CIS4 - How to blacklist wildcard word in firewall (like porn site, sex & drug)?
« Reply #3 on: April 09, 2010, 04:25:09 PM »


Quote from: azwarain on April 09, 2010, 01:44:22 AM
Hi,

I just want to know, is there any way I can make a blacklist of blocked websites that contain wording like drugs, sex, naked, ■■■■■ etc.? I’ve checked the “My Blocked Network Zones” but it only allows blocking certain IP, MAC and Host entries.

thanks.

You can use “sex” as a host name in a blocked website. Blocked sites support wildcard entries.

Ewen :)

It's not a question of IP resolution. The filtering is being performed on the domain name prior to passing it for DNS resolution.

If a domain name is filtered using a wildcard, which part of the domain name will then be used when a DNS query is performed? If I have, for example:

mail.yahoo.com - 98.139.241.94
yahoo.com - 87.248.122.122, 87.248.112.181

And a filter uses yahoo what will happen?

Anyway, it’s easy enough to try…

Ah, Radaghast, now we are in sync!

Correct - both those Yahoo domains would be allowed.

I am playing around with a so-so attempt to allow Win Update web sites by domain name. Yes, I realize that it will leave “holes” in that if a malicious URL contained “microsoft” or “windowsupdate” in it, it would be allowed, but I look at risk percentage. We are talking about something on your PC, dialing out using svchost.exe, using TCP and ports 80 or 443, that has “windowsupdate” or “microsoft” in its URL. I think the odds of that are fairly low. It is also more secure than allowing svchost unrestricted access to port 80 or 443, which is the case with most firewalls.

It would beat keeping a table of Win Update IP addresses constantly updated.

Will post back on my findings.

BTW - I think Comodo would be doing their users a great service if they resolved this Win Updates “hole” once and for all. It is using the “cloud” these days for many functions. Add a cloud lookup for the appropriate Win Update server to use.

Unfortunately, I don’t believe a filter like this will work because the ‘*’ is an unrecognisable character as far as client-side resolution of domain names is concerned. You’ll find, when you try to enter any combination of ‘name + *’ it will fail, in fact it won’t even generate a log entry, even if logging is enabled on the rule. The only elements allowed in the ‘host name’ field are, for example:

etc.

If you want to restrict svchost to Windows updates and other updater services, such as Adobe, you’ll have to use the IP blocks, which is a better option than domain names, as domain names can change. In addition to the Windows Update servers, you’ll also have to cater for AKAMAI and other CDNs, which MS and many others use for hosting.

For the server URLs of the Windows Update servers you can take a look through the WSUS Deployment Guide. Not all the URLs listed are necessary for domestic updates, but you can resolve the names and find what you need. I personally use the list in the image below, and of course the rather extensive range of AKAMAI blocks I’ve posted elsewhere.

Anyway, as I mentioned before, it’s quick enough to create a rule using wildcards to see if it works, or not.

[attachment deleted by admin]
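The two posts above argue about what a host-name rule such as “microsoft” or “*.microsoft.com” actually lets through, and whether IP blocks are the safer alternative. The following is an added example written for this page, not code from Comodo or from any poster in the thread. It implements three plausible host-name matching modes (substring, shell-style glob, and leading-dot suffix) as assumptions about how a rule might be evaluated, not as how CIS evaluates them, and contrasts them with a CIDR allowlist check. The host names and the CIDR blocks are constructed sample data; the blocks are documentation ranges, not Microsoft’s or Akamai’s real addresses.

```python
"""Added example: how different host-name rule semantics treat lookalike
names, versus an IP-block allowlist. Assumed semantics, not Comodo's code."""
import fnmatch
import ipaddress

# Constructed sample host names: two legitimate update hosts and two
# attacker-controlled lookalikes that merely contain the keyword.
SAMPLE_HOSTS = [
    "download.windowsupdate.com",
    "www.microsoft.com",
    "microsoft.com.evil.example",      # contains "microsoft" as a substring
    "update-windowsupdate.example",    # contains "windowsupdate" as a substring
]


def normalize(host: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are not fooled by case or FQDN form."""
    return host.lower().rstrip(".")


def host_matches(rule: str, host: str, mode: str) -> bool:
    """Evaluate one rule against one host under an assumed matching mode.

    substring: rule text anywhere in the name (the 2006 'word' claim)
    glob:      shell-style wildcard such as '*.microsoft.com'
    suffix:    a leading-dot entry '.microsoft.com' matches the apex and all subdomains
    """
    host, rule = normalize(host), rule.lower()
    if mode == "substring":
        return rule in host
    if mode == "glob":
        # Note: '*.microsoft.com' does NOT match the bare apex 'microsoft.com'.
        return fnmatch.fnmatchcase(host, rule)
    if mode == "suffix":
        if rule.startswith("."):
            return host == rule[1:] or host.endswith(rule)
        return host == rule
    raise ValueError(f"unknown mode: {mode}")


def allowed_hosts(rule: str, hosts, mode: str):
    """Return the subset of hosts a single allow rule would pass through."""
    return [h for h in hosts if host_matches(rule, h, mode)]


# Constructed allowlist of CIDR blocks (hypothetical documentation ranges).
ALLOWED_BLOCKS = [ipaddress.ip_network(b) for b in ("203.0.113.0/24", "198.51.100.0/25")]


def ip_allowed(ip: str, blocks=ALLOWED_BLOCKS) -> bool:
    """An IP rule ignores the host name entirely: a lookalike name buys nothing,
    but a server that moves off the listed blocks is silently dropped."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocks)


if __name__ == "__main__":
    for rule, mode in (("microsoft", "substring"), ("*.microsoft.com", "glob"),
                       (".microsoft.com", "suffix"), ("windowsupdate", "substring")):
        print(f"{mode:9} {rule:18} -> {allowed_hosts(rule, SAMPLE_HOSTS, mode)}")
    for ip in ("203.0.113.40", "198.51.100.200", "192.0.2.1"):
        print(f"ip_allowed({ip}) -> {ip_allowed(ip)}")
```

Running it shows the hole the original poster accepted: the substring rule admits both lookalikes, while the glob and suffix rules admit only www.microsoft.com. The glob form has a caveat of its own, since “*.microsoft.com” rejects the apex “microsoft.com”, whereas the suffix form accepts it. The CIDR check is indifferent to names, which is why the second poster prefers it, at the cost of having to keep the block list current.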

Thought I would report back my findings on this since I will be departing from this forum.

The *xxxx* notation does not work in the Host name for rules or Network Zones.