Firewall Wizards mailing list archives
Re: Re: Blocking IM via DNS
From: m p <sumirati () yahoo de>
Date: Tue, 30 Oct 2001 15:52:31 +0100 (CET)
--- Scott Gifford <sgifford () tir com> wrote:

> Simeon Johnston <simeonuj () eetc com> writes:
>
> > I have asked this before and have blocked AIM and others but am wondering if there is an easier way? In iptables (I think you can do this) I could block by URL. But that is another rule and DNS lookup that the FW has to do. Why not change those addresses on the internal DNS to point to something bogus? Like login.oscar.aol.com for AIM would point to a bogus internal address. Would this work? That way the ports wouldn't matter. I would just need to find out what URL the IM is looking for.
>
> That will make it more difficult, but not impossible, for users to use AIM. They could easily bypass your restrictions by:
>
> 1. Changing the hostname that their AIM client uses. Not sure if this is possible with the stock client, but I know there are alternate clients out there that can do this.
I agree with that point. An idea: what does the initial packet of AIM (or another IM) look like? Is this packet (or the sequence of the first N packets) unique? If that is the case, someone might write a module for squid/<name of your favorite proxy>/Application Level Gateway that looks at the first N packets and blocks/ends the connection - no one has to know any URL or IP. Any comments on this one? (Besides that you have to update this filter for every new version thrown at the users.)
> 2. Using somebody else's DNS server. If they simply change their DNS server to somebody else's that's willing to answer recursive queries for them (many are), they won't see your restrictions at all.
>
> 3. Putting the IP address in their WINDOWS\hosts file, the equivalent of UNIX's /etc/hosts file. That IP address will be used instead of asking your DNS server.
For 2. + 3.: If you have configured your DNS servers in such a way that the internal addresses can be looked up by everyone, and the proxy (and special computers, i.e. IDS, firewalls, routers, admin stations of course ;)) is the only one allowed to resolve an external IP, these attempts will fail.

Hope that helps

Marc
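A sketch of the first-packet check proposed above, added here as an example and not code from the thread: a proxy or ALG hands the first bytes of a new client connection to a classifier that matches them against a protocol signature. The OSCAR/FLAP frame layout used for the AIM signature comes from public protocol documentation; the sample byte strings are constructed.

```python
"""Signature check on the first bytes of a TCP stream (added example)."""
import struct

# FLAP frame header as documented for AIM/ICQ OSCAR: marker byte 0x2A,
# channel (1 byte), sequence number (2 bytes, big-endian), payload length
# (2 bytes, big-endian). Channel 1 carries the sign-on / new-connection frame,
# whose payload starts with the 4-byte FLAP protocol version 1.
FLAP_MARKER = 0x2A
FLAP_CHANNEL_NEW_CONNECTION = 0x01
FLAP_HEADER_LEN = 6
FLAP_VERSION_1 = b"\x00\x00\x00\x01"

# Constructed samples: a channel-1 sign-on frame and a plain HTTP request.
SAMPLE_OSCAR_SIGNON = b"\x2a\x01\x00\x00\x00\x04" + FLAP_VERSION_1
SAMPLE_HTTP = b"GET / HTTP/1.0\r\n"


def parse_flap_header(data: bytes):
    """Return (channel, seq, length) if data starts with a FLAP header, else None."""
    if len(data) < FLAP_HEADER_LEN:
        return None
    marker, channel, seq, length = struct.unpack("!BBHH", data[:FLAP_HEADER_LEN])
    # Channels 1-5 are the only ones defined (new connection, SNAC data,
    # error, close, keep-alive); anything else is not FLAP framing.
    if marker != FLAP_MARKER or not 1 <= channel <= 5:
        return None
    return channel, seq, length


def looks_like_oscar_signon(first_bytes: bytes) -> bool:
    """True if the bytes look like an OSCAR client sign-on frame."""
    hdr = parse_flap_header(first_bytes)
    if hdr is None:
        return False
    channel, _seq, length = hdr
    payload = first_bytes[FLAP_HEADER_LEN:FLAP_HEADER_LEN + length]
    return channel == FLAP_CHANNEL_NEW_CONNECTION and payload[:4] == FLAP_VERSION_1


def classify_connection(first_bytes: bytes) -> str:
    """Verdict a proxy module would act on for one new client connection.
    Signatures like this one must be maintained as the client protocol changes."""
    if looks_like_oscar_signon(first_bytes):
        return "block:oscar-signon"
    if parse_flap_header(first_bytes) is not None:
        return "review:flap-framing"  # FLAP framing on a non-sign-on channel
    return "allow"
```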