On Fri, Nov 27, 2009 at 12:32, Eero Volotinen eero.volotinen@iki.fi wrote:
Without debating the merits of such claims, how would one proceed to block internal network access to specific domain names using CentOS?
Using transparent proxy server is best way to block this kind of services. You can use squid package to setup transparent proxy server.
I agree with the parent poster. Squid (or any other advanced proxy server) is probably the best way to deal with this. But for the sake of argument--say, in case you can't use a proxy for some reason, IPTables has some *limited* application, here.
IPTables will accept a DNS host/domain name in place of an IP address in an 'iptables' command. But the rule it creates doesn't actually use the DNS name--it just performs a lookup when you add the rule, and then adds a rule for whatever IP address it found.
If Facebook only operated a single web server, and if the DNS hostname 'www.facebook.com' always resolved to that particular IP address, this would work OK. You could either specifiy 'www.facebook.com' in your IPTables blocking rule, or look up the IP address manually and specify it directly in your rule.
The unfortunate reality is that FB operates dozens (maybe hundreds) of web servers, and any given browser's HTTP request to 'www.facebook.com' might be answered by any one of those web servers. And they don't use a straightforward, static DNS mechanism. The 'facebook.com' DNS servers will respond differently depending on where the request originates and (I presume) on the current load status of their global web server pool. So, under normal conditions, clients will usually be directed to the closest (lowest-latency) web server. And if your closest web server's load rises high enough, you be instead directed to a further-away, less busy server.
I just took a few samples from a collection of servers I operate that are scattered throughout the continental US, over the course of several minutes. I see very little stability in the DNS responses, but it appears that the pool is pretty small.
You could write a short script that runs from 'cron' every few minutes and performs a DNS lookup for 'www.facebook.com', and adds the result to a running list of FB IP addresses, and then adds another IPTables blocking rule anytime it finds a new IP. This is similar to how some popular anti-SSH-dictionary-attack-bot scripts operate. It's not perfect, but it would be pretty effective, and it doesn't require much effort.
Honestly, though, you're probably better off using Squid. If I had the option, that's what I would do.
Good luck.
-Ryan