Firewall Wizards mailing list archives
RE: Blocking IM via DNS
From: "robert_david_graham" <robert_david_graham () yahoo com>
Date: Tue, 30 Oct 2001 11:51:39 -0500
You are asking the general question "Can I use my DNS server as a firewall?" The general answer is "yes" -- as long as your purpose is to discourage the "average" user. For most people, DNS is some sort of routing protocol that routes names to IP addresses. For most people in the world, when DNS goes down, then the Internet goes down. Knowledgeable users will simply use the raw IP address (/etc/hosts) or change their DNS server. Therefore, you should think of it as something that "discourages" certain behaviors rather than "blocks" access. (Remember: really knowledgeable users can get around any possible filtering -- such as routing AIM through a SOCKS connection back to their home machine). A similar item you might want to discourage with a "DNS firewall" is pr0n. If you browse your DNS cache you'll probably find a lot of cached access to porn sites. You can therefore discourage access to these sites by creating a static mapping to one of your internal machines. This is cool for a couple of reasons. First, you are not "blocking" access, only discouraging it, so you can avoid being called "big brother". Second, by redirecting to a web-server, you can create appropriate warning messages. A nice one would be "The network operations people can see your activities. If you continue to access such sites, we might be forced to notify your manager." You may also find this this can save bandwidth and increase privacy. For example, add an entry for "*.doubleclick.net" that points somewhere else. This will prevent user's machines from downloading advertisement graphics as well as prevent tracking of user's activities by DoubleClick through webbugs. (Yes, you can use "*" as a DNS name in BIND and Microsoft DNS servers). I have about 30 such entries on my personal DNS server to block advertisements.
-----Original Message----- From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com]On Behalf Of Simeon Johnston Sent: Thursday, August 30, 2001 12:45 PM To: IPTables; ipchains; firewall wizards; FOCUS-LINUX Subject: [fw-wiz] Blocking IM via DNS I have asked this before and have blocked AIM and others but am wondering if there is an easier way? In iptables (I think you can do this) I could block by URL. But that is another rule and DNS lookup that the FW has to do. Why not change those addresses on the internal DNS to point to something bogus? Like login.oscar.aol.com for AIM would point to a bogus internal address. Would this work? That way the ports wouldn't matter. I would just need to find out what URL the IM is looking for. Is this possible? IIRC all the IM need to login to some server. So blocking that server would be fairly easy w/ a false DNS lookup. That way I don't have to continually lookup the new ips of the URL and blocking the ports (which is impossible for some IM) would be unnecessary. And one of them uses the nntp protocols for communication. We use news servers so I can't block that. Any input? BTW, we have complete control over the internal DNS and lookups go to that computer. sim _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
_________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Blocking IM via DNS Simeon Johnston (Oct 30)
- Re: Blocking IM via DNS Scott Gifford (Oct 30)
- Re: Re: Blocking IM via DNS m p (Oct 30)
- RE: Blocking IM via DNS robert_david_graham (Oct 30)
- Re: Blocking IM via DNS raf (Oct 31)
- Re: Blocking IM via DNS Thomas Lussnig (Oct 31)
- RE: Blocking IM via DNS Kenneth Porter (Oct 31)
- Re: Blocking IM via DNS raf (Oct 31)
- <Possible follow-ups>
- RE: Blocking IM via DNS d'Ambly, Jeff (Oct 30)
- Re: Blocking IM via DNS Scott Gifford (Oct 30)