Firewall Wizards mailing list archives

Re: Re: Blocking IM via DNS


From: m p <sumirati () yahoo de>
Date: Tue, 30 Oct 2001 15:52:31 +0100 (CET)

--- Scott Gifford <sgifford () tir com> wrote:
> Simeon Johnston <simeonuj () eetc com> writes:

> > I have asked this before and have blocked AIM and others but am
> > wondering if there is an easier way?  In iptables (I think you can
> > do this) I could block by URL.  But that is another rule and DNS
> > lookup that the FW has to do.  Why not change those addresses on the
> > internal DNS to point to something bogus?  Like login.oscar.aol.com
> > for AIM would point to a bogus internal address.  Would this work?
> > That way the ports wouldn't matter.  I would just need to find out
> > what URL the IM is looking for.

> That will make it more difficult, but not impossible, for users to use
> AIM.  They could easily bypass your restrictions by:
>
>    1. Changing the hostname that their AIM client uses.  Not sure if
>       this is possible with the stock client, but I know there are
>       alternate clients out there that can do this.


I agree with that point.

An idea: What does the initial packet of AIM (or another IM) look like? Is this
packet (or the sequence of the first N packets) unique? If that is the case,
someone might write a module for squid/<name of your favorite
proxy>/Application Level Gateway that looks for the first N packets and
blocks/ends the connection - no one has to know any URL or IP.

Any comments on this one?
(Besides that you have to update this filter for every new version thrown to the
users.)

>    2. Using somebody else's DNS server.  If they simply change their
>       DNS server to somebody else's that's willing to answer recursive
>       queries for them (many are), they won't see your restrictions
>       at all.
>
>    3. Putting the IP address in their WINDOWS\hosts file, the
>       equivalent of UNIX's /etc/hosts file.  That IP address will be
>       used instead of asking your DNS server.


For 2. + 3.:

If you have configured your DNS servers in such a way that the internal
addresses can be looked up by everyone and the proxy (and special computers,
i.e. IDS, firewalls, routers, admin stations of course ;)) is the only one
allowed to resolve an external IP, these attempts will fail.

Hope that helps

Marc
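A prototype of the "first N packets" check Marc proposes, as an added example that is not code from this thread, from squid, or from any gateway product. It buffers the opening bytes of a client connection at the application-level gateway and blocks the connection when they match the start of an AIM/OSCAR session, so no hostname or IP address is consulted. The FLAP framing it matches on (0x2A start byte, channel, 16-bit sequence, 16-bit length, and a channel-1 opening frame whose payload begins with protocol version 1) is documented OSCAR behaviour; the signature name, the buffer size and the sample byte strings are constructed for the example.

```python
import struct

# Added example (not code from the thread or any product): a first-bytes filter of
# the kind Marc sketches for squid or another application-level gateway. It buffers
# the opening bytes of a client connection and blocks it when they match the start
# of an AIM/OSCAR session, without any hostname or IP list. The FLAP framing below
# (0x2A start byte, channel, 16-bit sequence, 16-bit length, channel-1 opening
# frame carrying protocol version 1) is documented OSCAR behaviour; the sample
# bytes, the buffer size and the signature name are constructed for this example.

FLAP_START = 0x2A           # first byte of every FLAP frame
FLAP_HEADER_LEN = 6         # start byte + channel + seq(2) + length(2)
FLAP_CHANNEL_NEW = 1        # channel 1 carries the connection-open frame
OSCAR_VERSION_1 = b"\x00\x00\x00\x01"
DECISION_BYTES = 16         # bytes buffered before an undecided connection is allowed


def parse_flap_header(data):
    """Return (channel, seq, length) if data begins with a plausible FLAP header, else None.
    The sequence number is chosen by the client, so it is deliberately not matched on."""
    if len(data) < FLAP_HEADER_LEN or data[0] != FLAP_START:
        return None
    channel, seq, length = struct.unpack("!BHH", data[1:FLAP_HEADER_LEN])
    if not 1 <= channel <= 5:
        return None
    return channel, seq, length


def is_oscar_hello(data):
    """True once data holds the start of an OSCAR connection-open frame:
    channel 1 with a payload that starts with protocol version 1."""
    header = parse_flap_header(data)
    if header is None:
        return False
    channel, _seq, length = header
    payload = data[FLAP_HEADER_LEN:FLAP_HEADER_LEN + length]
    return channel == FLAP_CHANNEL_NEW and length >= 4 and payload[:4] == OSCAR_VERSION_1


# Signature table: protocol name -> matcher over the bytes seen so far. Another IM
# protocol is added as another matcher, not as a hostname. As Marc notes, each
# matcher has to be revisited when a new client version changes the opening bytes.
SIGNATURES = {"aim-oscar": is_oscar_hello}


class ConnectionFilter:
    """Per-connection state: buffer the first bytes, then decide "allow" or ("block", name).
    feed() returns None while undecided and the fixed verdict afterwards."""

    def __init__(self, decision_bytes=DECISION_BYTES):
        self.buf = b""
        self.decision_bytes = decision_bytes
        self.verdict = None

    def feed(self, chunk):
        if self.verdict is not None:
            return self.verdict
        self.buf += chunk
        for name, matcher in SIGNATURES.items():
            if matcher(self.buf):
                self.verdict = ("block", name)
                return self.verdict
        # Nothing matched yet: once enough bytes have been seen, let the connection
        # through so ordinary traffic is not held waiting for a signature that never comes.
        if len(self.buf) >= self.decision_bytes:
            self.verdict = "allow"
        return self.verdict


def classify(chunks, decision_bytes=DECISION_BYTES):
    """Run a sequence of client chunks through a fresh filter and return its verdict."""
    conn = ConnectionFilter(decision_bytes)
    verdict = None
    for chunk in chunks:
        verdict = conn.feed(chunk)
        if verdict is not None:
            break
    return verdict


# Constructed sample traffic: an OSCAR connection-open frame (channel 1, seq 1,
# 4-byte payload = version 1) that arrives split across two TCP segments, and a
# plain HTTP request that must pass through untouched.
AIM_HELLO = b"\x2a\x01\x00\x01\x00\x04" + OSCAR_VERSION_1
HTTP_REQUEST = b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    print(classify([AIM_HELLO[:5], AIM_HELLO[5:]]))   # ('block', 'aim-oscar')
    print(classify([HTTP_REQUEST]))                   # allow
```

Two design points follow from the thread. Because the filter never consults a name, the three bypasses Scott lists (another hostname, another DNS server, a hosts-file entry) gain the user nothing; what the filter does rely on is the gateway being the only path out, the same "only the proxy may resolve and reach external addresses" setup Marc describes for points 2 and 3. The buffer size must also cover the longest opening signature, since a connection that is still undecided after that many bytes is allowed, and the matchers need the maintenance Marc already flags whenever a client version changes its first packets.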

