views: 567
answers: 9

In particular I'm looking for an IP address that I can put in my hosts file that will black-hole a given DNS name. Right now I'm using 127.0.0.1 but that would start acting odd if I installed any services.

How can I prevent a 3rd party program from contacting a given server?

+2  A: 

Addresses 127.0.0.0 to 127.255.255.255 can be used for loopback connections.

So have your httpd listening on 127.0.0.1 and use any of the others for the blacklist.

awharrier
Doesn't work, as anything in 127.0.0.0/8 will get the local interface, and I want an address that won't get anything at all.
BCS
This does not answer the question.
BCS
+4  A: 

RFC 3330 seems to be the goldmine.

The best option seems to be:

192.0.2.0/24 - This block is assigned as "TEST-NET" for use in documentation and example code. It is often used in conjunction with domain names example.com or example.net in vendor and protocol documentation. Addresses within this block should not appear on the public Internet.

BCS
Ahh, okay. That was what you were looking for.
Steven Behnke
A: 

I use denyhosts for ssh. http://denyhosts.sourceforge.net/ It attempts to block known malicious sources. Is this what you're talking about?

Steven Behnke
No, what I want is to prevent my computer from connecting to a given domain (ad servers, for instance).
BCS
+1  A: 

If you use any of the private IP address ranges (10.whatever, 192.168.whatever) that you aren't connected to, that should work.

dulaneyb
Yes, but with DHCP, how do you know before you connect what range you will be using?
BCS
+3  A: 

I've used 0.0.0.0 in my hosts file to block ad web sites. Not sure if there are any side effects?!?!

DJ
+3  A: 

I see that you've correctly found that 192.0.2.0/24 is reserved for testing, and won't appear on the Internet.

However if your local area network relies on a default route to get to the rest of the Internet then you'll still be sending this traffic out of your network towards your ISP.

Best case is that your ISP will send back ICMP_NET_UNREACHABLE errors and your applications will notice those and act accordingly. Worst case is that the traffic is completely blackholed, at which point your applications will sit around until the connections time out.

The correct strategy for avoiding this depends on your OS and local network configuration. On a Linux system I'd just add a route for that /24 with "reject" as a target.

Alnitak
"reject": I like it ( XP :( )
BCS
+1  A: 

One advantage of using 127.0.0.1 is that an attempt to contact the server will return immediately with failure (as long as you're not running a local server, of course). If you use any other address that does not refer to a specific machine, such as 192.0.2.x, then attempts to connect to a server at that address will take some time to time out (at least a minute or more).

Greg Hewgill
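The timing difference Greg Hewgill and Alnitak describe can be seen directly. The following is an added example (not code from any answer in this thread): it classifies a candidate sink address against the reserved blocks discussed above, builds the matching hosts-file lines for a few constructed sample names, and then times a TCP connect to a loopback port nothing is listening on (fails at once with ECONNREFUSED) versus a TEST-NET address (nothing answers, so the connect runs until the timeout, or fails early if your network has no route for it). The domain names and the short timeout are assumptions for the demonstration.

```python
import errno
import ipaddress
import socket
import time

# Reserved blocks mentioned in the thread: loopback, TEST-NET (RFC 3330) and RFC 1918 private space.
RANGES = {
    "loopback (127.0.0.0/8)": ipaddress.ip_network("127.0.0.0/8"),
    "TEST-NET (192.0.2.0/24)": ipaddress.ip_network("192.0.2.0/24"),
    "private 10/8": ipaddress.ip_network("10.0.0.0/8"),
    "private 172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "private 192.168/16": ipaddress.ip_network("192.168.0.0/16"),
}


def classify_sink(addr):
    """Report which reserved block a candidate sink address falls in.

    0.0.0.0 is the unspecified address, not a host, so it gets its own label.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "unspecified (0.0.0.0)"
    for name, net in RANGES.items():
        if ip in net:
            return name
    return "routable"


def hosts_lines(sink, names):
    """Build hosts-file lines that point each blocked name at the sink address."""
    return [f"{sink}\t{name}" for name in names]


def probe_connect(host, port, timeout=1.0):
    """Try a TCP connect and return (outcome, seconds taken).

    outcome is 'connected', 'timeout', or the errno name (e.g. 'ECONNREFUSED').
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((host, port))
        outcome = "connected"
    except socket.timeout:
        outcome = "timeout"
    except OSError as exc:
        outcome = errno.errorcode.get(exc.errno, str(exc))
    finally:
        sock.close()
    return outcome, time.monotonic() - start


def closed_loopback_port():
    """Find a loopback port with no listener: bind to port 0, read the port, release it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return port


if __name__ == "__main__":
    blocked = ["ads.example.com", "tracker.example.net"]  # constructed sample names
    for sink in ("127.0.0.1", "0.0.0.0", "192.0.2.1", "10.255.255.1"):
        print(f"{sink:14} -> {classify_sink(sink)}")
        for line in hosts_lines(sink, blocked):
            print("   ", line)
    # Loopback with nothing listening: the kernel answers with RST, so connect() fails immediately.
    print("127.0.0.1 closed port:", probe_connect("127.0.0.1", closed_loopback_port()))
    # TEST-NET: no host answers, so the connect waits for the (shortened) timeout
    # unless the local routing table rejects it outright.
    print("192.0.2.1:80         :", probe_connect("192.0.2.1", 80, timeout=1.0))
```

Run it as a script to see both probes side by side; the loopback probe returns in microseconds while the TEST-NET probe takes the full timeout on a network that simply forwards the packets to the default route, which is exactly the delay the Apache-on-127.0.0.1 answer below avoids.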
A: 

0.0.0.0 (as another poster put) shouldn't be used - it has a distinct meaning that isn't "nothing" and it isn't reserved for what in most cases is a dead-end. As for BCS's comment to dulaneyb about DHCP and private ranges - a private range is a private range. If you're kicking to your private range, then you're routing to an empty slot. If you're kicking to one of the other private ranges, then an upstream device should drop it.

Serious
+3  A: 

Actually the loopback IP 127.0.0.1 is ideal for ad blocking. If you run Apache anyway, you set up a virtual server that returns 404 for requests on 127.0.0.1. That way your browser is not constantly waiting for the connect to an unknown host to time out. All those ad requests return instantly, freeing up resources in your browser to get the actual page content.

jmucchiello
As I haven't seen anything better you get the big green check mark. OTOH that still doesn't cover the case where you want to have a service on 127.0.0.1 OTOH (that makes 3 right?) you can still use your own real IP.
BCS
And you can use a different port.
jmucchiello
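The accepted answer's "instant 404" sink, written in Python instead of Apache, as an added example that is not jmucchiello's code: a tiny HTTP server bound to 127.0.0.1 answers every request with an empty 404, and a client call shows the request completing immediately rather than hanging on a connect timeout. Binding to port 0 (or any port you choose) covers the last comment about using a different port when something else already owns 127.0.0.1:80. The URL path and the idea that a hosts entry like `127.0.0.1 ads.example.com` would steer the browser here are assumptions for the demonstration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class SinkHandler(BaseHTTPRequestHandler):
    """Answer every request with an empty 404 so blocked requests finish at once."""

    def _sink(self):
        self.send_response(404)
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    # Same empty 404 for the methods a browser uses for ad/tracker fetches.
    do_GET = _sink
    do_HEAD = _sink
    do_POST = _sink

    def log_message(self, *args):
        pass  # keep the sink silent; the point is to answer fast, not to log


def start_sink(host="127.0.0.1", port=0):
    """Start the sink in a daemon thread. port=0 lets the OS pick a free port,
    which is the 'use a different port' option when 127.0.0.1:80 is taken."""
    server = HTTPServer((host, port), SinkHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server


def fetch_status(url, timeout=2.0):
    """Return the HTTP status a client sees for url (4xx/5xx returned, not raised)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Start the sink, fetch a constructed ad URL through it, and return the status."""
    server = start_sink()
    port = server.server_address[1]
    # With "127.0.0.1 ads.example.com" in the hosts file (and the sink on port 80),
    # the browser would land here for http://ads.example.com/banner.js.
    # Here we address the sink directly on its chosen port (constructed URL).
    status = fetch_status(f"http://127.0.0.1:{port}/banner.js")
    server.shutdown()
    server.server_close()
    return status


if __name__ == "__main__":
    print("sink answered with HTTP", demo())
```

The trade-off the thread raises still applies: a sink on 127.0.0.1 shares the loopback address with any local service you run, so pick a port (or a second loopback address such as 127.0.0.2, which the first answer pointed out is also loopback) that nothing else listens on.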