Discussion:
try to block traffic from ad.doubleclick.net, but dns record hops.
z***@rockstone.com
2001-06-23 14:16:36 UTC
Permalink
I wonder if anyone could provide share your idea, I have this
issue: I have a linux box as a gateway/firewall for internal LAN,
I have noticed http browsing contains too much junk traffic to
the advertisement servers such as 'ad.doubleclick.net', eg. when you
browse www.cnn.com, or www.marketwatch.com, etc, you can notice
such links from the webpage source.
Because I am concerned over the rumors that they tend to snoop
on user's pc or on users using java or cookies, to save network
bandwidth, I am trying to establish rules with ipchains rules
to reject traffic from those ad servers.

Of course, first, I need to find out their ad server ip addresses,
so I did this: ping ad.doubleclick.net, I got:

PING gd3.doubleclick.net (208.32.211.200) from 192.168.1.92 :
56(84) bytes of data.
64 bytes from 208.32.211.200: icmp_seq=0 ttl=243 time=84.309 msec

Now I had found its ip address, so I added to the ipchains rule:
ipchains -A input -s 208.32.211.200 -j REJECT
ipchains -A output -d 208.32.211.200 -j REJECT

but ads keeps coming, so I did again ping to ad.doubleclick.net,
this time I got reply from a different ip,
PING gd3.doubleclick.net (208.184.29.130) from 192.168.1.92 :
56(84) bytes of data.
64 bytes from 208.184.29.130.doubleclick.net (208.184.29.130):
icmp_seq=0 ttl=11 5 time=87.732 msec

Now I got different ip address for the same host name,
and this seems repeat endless.

Then I did nslookup every few minutes, and it resolves to all
different ip addresses for the same host name ad.doubleclick.net:

208.184.29.70
204.253.104.45
208.184.29.110
206.65.183.110
204.253.104.95
204.253.104.30
208.184.29.50
209.67.38.106
208.184.29.70
206.65.183.80
209.67.38.106
209.67.38.102
204.253.104.45
204.253.104.30
208.32.211.200
208.184.29.130
206.65.183.155
208.184.29.50
....
#nslookup ad.doubleclick.net

ad.doubleclick.net canonical name = gd3.doubleclick.net.
Name: gd3.doubleclick.net
Address: 209.67.38.104
Name: gd22.doubleclick.net
Address: 208.184.29.130
gd22.doubleclick.net
Server: 127.0.0.1
Address: 127.0.0.1#53

I don't quite understand the mechanism which doubleclik have deployed
to make their nslookup hopping or rotating, but are there anyway I
can completely stop ad traffic from their ad servers to my LAN?

thanks very much.
Michael Kjorling
2001-06-23 14:56:51 UTC
Permalink
This really isn't anything strange - they're using a CNAME RR for
ad.doubleclick.net, and a low TTL on the corresponding A RRs. Looking
it up with dig gives data which seems to support that assumption
(cutting to save people here from too much junk, you can look it up
yourself if you like):

$ dig ad.doubleclick.net a | grep -v ^\; | egrep -v '^ *$' | grep A
ad.doubleclick.net. 840 IN CNAME gd3.doubleclick.net.
gd3.doubleclick.net. 10 IN A 204.253.104.80
$

While this is not a BIND question, this might solve your problem. If
not, I see no other obvious solution than adding all the IPs manually.

# ipchains -A input -s gd3.doubleclick.net -j DENY
# ipchains -A output -d gd3.doubleclick.net -j DENY


Michael Kjörling
Post by z***@rockstone.com
I don't quite understand the mechanism which doubleclik have deployed
to make their nslookup hopping or rotating, but are there anyway I
can completely stop ad traffic from their ad servers to my LAN?
- --
Michael Kjörling - ***@kjorling.com - PGP: 8A70E33E
"We must be the change we wish to see" (Mahatma Gandhi)

^..^ Support the wolves in Norway -- go to ^..^
\/ http://home.no.net/ulvelist/protest_int.htm \/
James A Griffin
2001-06-23 15:31:53 UTC
Permalink
Post by z***@rockstone.com
I wonder if anyone could provide share your idea, I have this
issue: I have a linux box as a gateway/firewall for internal LAN,
I have noticed http browsing contains too much junk traffic to
the advertisement servers such as 'ad.doubleclick.net', eg. when you
browse www.cnn.com, or www.marketwatch.com, etc, you can notice
such links from the webpage source.
[snip]

There are several ways to use your local name server to 'fake' domains
and send all *.doubleclick.net to 127.0.0.1. Look for such suggestion
to be given on this thread.

However, I like the junkbuster proxy (www.junkbuster.com) as it deals
with all sorts of 'privacy' issues. Check it out. There are vesions
for the Un*x family (source and binaries) and other operating systems as
well.

Regards,
Jim
Derek Balling
2001-06-23 15:55:33 UTC
Permalink
Isn't this a problem better solved by attacking it at the source....
finding the NS-set for "doubleclick.net" and configuring bind to
treat their responses as bogus? :-)

D
Post by z***@rockstone.com
I wonder if anyone could provide share your idea, I have this
issue: I have a linux box as a gateway/firewall for internal LAN,
I have noticed http browsing contains too much junk traffic to
the advertisement servers such as 'ad.doubleclick.net', eg. when you
browse www.cnn.com, or www.marketwatch.com, etc, you can notice
such links from the webpage source.
Because I am concerned over the rumors that they tend to snoop
on user's pc or on users using java or cookies, to save network
bandwidth, I am trying to establish rules with ipchains rules
to reject traffic from those ad servers.
Of course, first, I need to find out their ad server ip addresses,
56(84) bytes of data.
64 bytes from 208.32.211.200: icmp_seq=0 ttl=243 time=84.309 msec
ipchains -A input -s 208.32.211.200 -j REJECT
ipchains -A output -d 208.32.211.200 -j REJECT
but ads keeps coming, so I did again ping to ad.doubleclick.net,
this time I got reply from a different ip,
56(84) bytes of data.
icmp_seq=0 ttl=11 5 time=87.732 msec
Now I got different ip address for the same host name,
and this seems repeat endless.
Then I did nslookup every few minutes, and it resolves to all
208.184.29.70
204.253.104.45
208.184.29.110
206.65.183.110
204.253.104.95
204.253.104.30
208.184.29.50
209.67.38.106
208.184.29.70
206.65.183.80
209.67.38.106
209.67.38.102
204.253.104.45
204.253.104.30
208.32.211.200
208.184.29.130
206.65.183.155
208.184.29.50
....
#nslookup ad.doubleclick.net
ad.doubleclick.net canonical name = gd3.doubleclick.net.
Name: gd3.doubleclick.net
Address: 209.67.38.104
Name: gd22.doubleclick.net
Address: 208.184.29.130
Post by z***@rockstone.com
gd22.doubleclick.net
Server: 127.0.0.1
Address: 127.0.0.1#53
I don't quite understand the mechanism which doubleclik have deployed
to make their nslookup hopping or rotating, but are there anyway I
can completely stop ad traffic from their ad servers to my LAN?
thanks very much.
--
+---------------------+-----------------------------------------+
| ***@megacity.org | "Conan! What is best in life?" |
| Derek J. Balling | "To crush your enemies, see them |
| | driven before you, and to hear the |
| | lamentation of their women!" |
+---------------------+-----------------------------------------+
Marc C Storck
2001-06-23 16:29:21 UTC
Permalink
what doubleclick does is called DNS-based load-balancing!
you should reject every ip, or use squid and block the word ad, ads,
doubleclick etc

Marc

BTW: THIS IS NOT A BIND ISSUE!!! NEXT TIME CONTACT THE SQUID OR IP_FRWD (OR
WHATEVER)
DISCUSS-LISTS!

----- Original Message -----
From: <***@rockstone.com>
To: <bind-***@isc.org>
Cc: <***@rockstone.com>
Sent: Saturday, June 23, 2001 4:16 PM
Subject: try to block traffic from ad.doubleclick.net, but dns record hops.
Post by z***@rockstone.com
I wonder if anyone could provide share your idea, I have this
issue: I have a linux box as a gateway/firewall for internal LAN,
I have noticed http browsing contains too much junk traffic to
the advertisement servers such as 'ad.doubleclick.net', eg. when you
browse www.cnn.com, or www.marketwatch.com, etc, you can notice
such links from the webpage source.
Because I am concerned over the rumors that they tend to snoop
on user's pc or on users using java or cookies, to save network
bandwidth, I am trying to establish rules with ipchains rules
to reject traffic from those ad servers.
Of course, first, I need to find out their ad server ip addresses,
56(84) bytes of data.
64 bytes from 208.32.211.200: icmp_seq=0 ttl=243 time=84.309 msec
ipchains -A input -s 208.32.211.200 -j REJECT
ipchains -A output -d 208.32.211.200 -j REJECT
but ads keeps coming, so I did again ping to ad.doubleclick.net,
this time I got reply from a different ip,
56(84) bytes of data.
icmp_seq=0 ttl=11 5 time=87.732 msec
Now I got different ip address for the same host name,
and this seems repeat endless.
Then I did nslookup every few minutes, and it resolves to all
208.184.29.70
204.253.104.45
208.184.29.110
206.65.183.110
204.253.104.95
204.253.104.30
208.184.29.50
209.67.38.106
208.184.29.70
206.65.183.80
209.67.38.106
209.67.38.102
204.253.104.45
204.253.104.30
208.32.211.200
208.184.29.130
206.65.183.155
208.184.29.50
....
#nslookup ad.doubleclick.net
ad.doubleclick.net canonical name = gd3.doubleclick.net.
Name: gd3.doubleclick.net
Address: 209.67.38.104
Name: gd22.doubleclick.net
Address: 208.184.29.130
Post by z***@rockstone.com
gd22.doubleclick.net
Server: 127.0.0.1
Address: 127.0.0.1#53
I don't quite understand the mechanism which doubleclik have deployed
to make their nslookup hopping or rotating, but are there anyway I
can completely stop ad traffic from their ad servers to my LAN?
thanks very much.
Loading...