Pls Suggest a software firewall that supports rules based on DNS names

Discussion in 'other firewalls' started by Basementjack, Jun 22, 2009.

Thread Status:
Not open for further replies.
  1. Basementjack

    Basementjack Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    2
    I am looking for a software firewall for windows that supports setting rules/filters based on DNS names. I have not found such a thing on the PC side.

    Example:
    Badwebsite.com has an address pool of 50 IP addresses.
    I want to block all 50 at once with an entry like 'block all from badwebsite.com'

    If someone could recommend any firewall software for windows that has this capability that would be awesome - free or paid - either is fine.

    Thanks!
     
  2. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,551
    Welcome to Wilders.

    There are firewalls that can do it.
    Comodo 2 and 3 support it (although in Comodo 2 it did not always work).
    Look'n Stop should support it.
    PC Tools supports it, if my memory does not fail me.
    Online Armor should support this too, since they added a blocklist (I have not tested the new version).
    In Outpost Free you can do it in the application rules and in the global rules.
    In Outpost Pro and Outpost Internet Security you can do this in the application rules, in the global rules and in the IP blocklist.

    There are plenty of choices out there; I only mentioned some that came to mind.

    Panagiotis

    Edit: Almost forgot, you can also do it through the hosts file of Windows (it will work only if a program asks to connect to 'badwebsite' and does not use the IP directly).
     
    Last edited: Jun 22, 2009
  3. Basementjack

    Basementjack Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    2
    Thanks Panagiotis!

    I'll check these out! I had heard of Comodo, but not the others...

    Is the "PC Tools" firewall in any way related to the old PC Tools software from back in the MSDOS days?

    - Jack
     
  4. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,551
    You are welcome Jack. :)

    Pay attention and check whether it works correctly. (For example, PC Tools 3.x had a bug, and when I used it in the application rules it did not work as it should.)

    I do not think they are related to the old company (but I could be mistaken).

    Panagiotis
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I'm afraid that to perform this task absolutely accurately you need a firewall that is able to parse DNS requests, with something like SNORT-like rules. Then there would not be a need to permanently resolve the domain name to a set of IPs (it should be done permanently because the set of IP addresses can change all the time; for example, there are web sites that are resolved differently every time you perform a DNS request, though this doesn't happen too often). Also take into account that to process a domain mask (like *.badwebsite.com) you also need to parse DNS requests. There is no way to resolve the masks.

    I'm not sure, but it seems either Jetico or LnS can do SNORT. But you'd better ask Stem about it.
     
  6. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,551
    Correct.
    But in Outpost Pro/Security you can also add the domain name to the "blocked content" of the "web control" component, and the connection will be blocked even if the IP changes. :D

    Panagiotis
     
  7. benton4

    benton4 Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    158
    Location:
    Oregon
    You know your firewalls! Thanks for the info.
     
  8. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    The same in OA: you can block web content domain-dependent and with domain masks, but this only works for the web, while SNORT works for everything.
     
  9. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,551
    Glad I could help. :)

    Panagiotis
     
  10. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,551
    This is not what I meant. I meant that in Outpost you can put the domain in the 'ID protection' (as a password or credit card info) and Outpost will block the outgoing connection as long as the packet is not encrypted.

    And why would anyone want to use Snort for blocking DNS requests? Using the hosts file will block the connection. No need to use deep packet inspection for this. ;)
    But as I wrote earlier, it will not help if a program tries to connect to the IP directly, if no DNS resolving is involved (both the 'hosts' file and Snort will not block the connection in this case).

    Panagiotis
     
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    To be able to process the masks, for example "block *.microsoft.com" :)

    Yes, this is why I personally regard the whole task as crazy and illogical :)
     
  12. nhamilton

    nhamilton Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    61
    For outgoing packets, it is not too bad for a firewall to support this, as this address would likely have been resolved to get the IP. With that resolution the firewall will know that IP equals that domain name.

    For incoming it is harder.
    You could try reverse DNS for any incoming IP that has not been resolved (but this would kill your network performance).
    The other solution is that the FW will resolve the DNS name to IP during start-up and use those associations. The problem with this approach is if you have a revolving IP-to-name mapping, so what a name resolves to now will be different in 5 minutes. If the DNS server gives all the possible solutions then this does work.
     
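The approach alex_s (parse DNS replies with wildcard rules) and nhamilton (learn "this IP equals that domain name" from the resolution the program itself performed) describe, as an added illustration that is not code from any thread participant or from any of the firewalls named above. It parses a constructed DNS answer, matches the owner name against `*.badwebsite.com`-style masks, and returns the IPs a firewall would then block; the packet bytes, rule names and function names are all assumptions made here.

```python
import ipaddress
import struct
from fnmatch import fnmatch

def _read_name(msg, off):
    """Decode a DNS name at offset `off`, following compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer (RFC 1035)
            if not jumped:
                end = off + 2                       # resume after the 2-byte pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:                             # root label terminates the name
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels).lower(), (end if jumped else off)

def parse_a_records(msg):
    """Return [(owner_name, ipv4)] for every A record in the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])         # QDCOUNT, ANCOUNT
    off = 12                                        # skip the 12-byte header
    for _ in range(qd):                             # skip question entries
        _, off = _read_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:               # TYPE A, 4-byte address
            records.append((name, str(ipaddress.IPv4Address(msg[off:off + 4]))))
        off += rdlen
    return records

def blocked_ips(msg, rules):
    """IPs learned from the reply whose owner name matches a wildcard rule."""
    return {ip for name, ip in parse_a_records(msg)
            if any(fnmatch(name, rule.lower()) for rule in rules)}

# Constructed sample reply: "www.badwebsite.com A?" answered with two A records
# in the 192.0.2.0/24 documentation range (placeholder addresses, not real hosts).
SAMPLE_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"           # header
    + b"\x03www\x0abadwebsite\x03com\x00\x00\x01\x00\x01"          # question
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x0a"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x0b"
)
```

A rule of plain `badwebsite.com` does not match `www.badwebsite.com` under `fnmatch`; the mask form `*.badwebsite.com` is what covers the subdomains, which is exactly the wildcard case the thread says needs the DNS reply parsed rather than the hosts file.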