Once upon a time, John Levine <johnl@iecc.com> said:
> I realize it's not a technical problem, although I suspect there are some technical twiddles that could help, e.g., persuading Microsoft to put the update servers in their own ASN to make it easier to put them in a sandbox. And I realize that Microsoft's combination of arrogance and naivete can make them painful to deal with.
$ dig download.windowsupdate.com
;download.windowsupdate.com.            IN      A
download.windowsupdate.com.     3411    IN      CNAME   main.dl.wu.akadns.net.
main.dl.wu.akadns.net.          111     IN      CNAME   dom.dl.wu.akadns.net.
dom.dl.wu.akadns.net.           111     IN      CNAME   dl.wu.ms.edgesuite.net.
dl.wu.ms.edgesuite.net.         8080    IN      CNAME   a26.ms.akamai.net.
a26.ms.akamai.net.              20      IN      A       216.180.86.39
a26.ms.akamai.net.              20      IN      A       216.180.86.37
$

If you have Akamai servers, the IPs will be on your network (and of course shared with many other sites). You'd have to limit access with a limited DNS server (since few will use or even know IPs to visit) that only gives out DNS for certain hosts/domains.

-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
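The "limited DNS server" idea above, sketched as an added example that is not part of the original thread: a policy layer for a sandbox resolver that answers only for an assumed allowlist of queried names, while still chasing the CNAME chain internally so clients never need to (and cannot) query the shared Akamai names. The zone data is constructed from the dig output quoted in the message, with TTLs dropped.

```python
# Constructed zone data, transcribed from the dig output quoted in the post.
# A real deployment would recurse upstream instead of using a static table.
RECORDS = {
    "download.windowsupdate.com.": ("CNAME", ["main.dl.wu.akadns.net."]),
    "main.dl.wu.akadns.net.": ("CNAME", ["dom.dl.wu.akadns.net."]),
    "dom.dl.wu.akadns.net.": ("CNAME", ["dl.wu.ms.edgesuite.net."]),
    "dl.wu.ms.edgesuite.net.": ("CNAME", ["a26.ms.akamai.net."]),
    "a26.ms.akamai.net.": ("A", ["216.180.86.39", "216.180.86.37"]),
}

# Assumed allowlist: names (and subdomains) sandboxed clients may ask for.
# The akadns/edgesuite/akamai hosts behind them are deliberately absent.
ALLOWED_SUFFIXES = ("windowsupdate.com.", "update.microsoft.com.")

MAX_CNAME_HOPS = 8  # bound the chase so a CNAME loop cannot spin forever


def canonical(name: str) -> str:
    """Lowercase and fully qualify a name so suffix matching is exact."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def is_allowed(qname: str, allowed=ALLOWED_SUFFIXES) -> bool:
    """True if qname equals an allowed name or is a subdomain of one."""
    q = canonical(qname)
    return any(q == s or q.endswith("." + s) for s in allowed)


def answer(qname: str, allowed=ALLOWED_SUFFIXES, records=RECORDS):
    """Return (rcode, answer_section) the way a policy-enforcing resolver would.

    Only the name the client asked for is checked against the allowlist; the
    CNAME targets are followed internally, so a direct query for the shared
    CDN host is refused even though it appears in the chain.
    """
    q = canonical(qname)
    if not is_allowed(q, allowed):
        return "REFUSED", []
    section = []
    for _ in range(MAX_CNAME_HOPS):
        rec = records.get(q)
        if rec is None:
            return "NXDOMAIN", section
        rtype, rdata = rec
        if rtype == "A":
            section.extend((q, "A", ip) for ip in rdata)
            return "NOERROR", section
        section.append((q, "CNAME", rdata[0]))
        q = rdata[0]
    return "SERVFAIL", section  # hop limit hit: treat a loop as a failure
```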