Firewall Wizards mailing list archives
Re: Blocking IM via DNS
From: raf <raf () raf org>
Date: Wed, 31 Oct 2001 17:42:41 +1100
robert_david_graham wrote:
> You are asking the general question "Can I use my DNS server as a firewall?" The general answer is "yes" -- as long as your purpose is to discourage the "average" user. For most people, DNS is some sort of routing protocol that routes names to IP addresses. For most people in the world, when DNS goes down, then the Internet goes down. Knowledgeable users will simply use the raw IP address (/etc/hosts) or change their DNS server. Therefore, you should think of it as something that "discourages" certain behaviors rather than "blocks" access. (Remember: really knowledgeable users can get around any possible filtering -- such as routing AIM through a SOCKS connection back to their home machine).
>
> A similar item you might want to discourage with a "DNS firewall" is pr0n. If you browse your DNS cache you'll probably find a lot of cached access to porn sites. You can therefore discourage access to these sites by creating a static mapping to one of your internal machines. This is cool for a couple of reasons. First, you are not "blocking" access, only discouraging it, so you can avoid being called "big brother". Second, by redirecting to a web-server, you can create appropriate warning messages. A nice one would be "The network operations people can see your activities. If you continue to access such sites, we might be forced to notify your manager."
>
> You may also find this can save bandwidth and increase privacy. For example, add an entry for "*.doubleclick.net" that points somewhere else. This will prevent users' machines from downloading advertisement graphics as well as prevent tracking of users' activities by DoubleClick through webbugs. (Yes, you can use "*" as a DNS name in BIND and Microsoft DNS servers). I have about 30 such entries on my personal DNS server to block advertisements.
junkbuster is a much more powerful way of doing this.

raf
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
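The static-mapping technique quoted above (a local zone per unwanted domain, with a "*" record so every name under it lands on an internal notice server) is easy to script once the list grows to dozens of entries. The following is an added example, not code from either poster: a POSIX shell script that emits the BIND 9 named.conf stanza and zone file for each domain. The zone directory /etc/bind/sink, the nameserver name ns.sink.local and the notice-server address 10.0.0.5 are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): generate BIND 9 "sinkhole"
# zones so that a listed domain, and every name under it via the wildcard
# record, resolves to an internal web server that shows a notice page.
# Assumptions: BIND 9 zone-file syntax, /etc/bind/sink/ as the zone
# directory, and 10.0.0.5 as the internal notice server (all placeholders).

SINK_IP="${SINK_IP:-10.0.0.5}"          # constructed sample address
ZONE_DIR="${ZONE_DIR:-/etc/bind/sink}"  # assumed zone directory

# named.conf stanza: the resolver becomes authoritative for the domain, so
# the real records are never fetched from the Internet for that name.
sink_zone_stanza() {
    printf 'zone "%s" {\n    type master;\n    file "%s/%s.db";\n};\n' \
        "$1" "$ZONE_DIR" "$1"
}

# Zone file for one domain, pointing at the address given as $1. The apex
# record covers the domain itself; the "*" record covers every name under
# it that is not otherwise defined in the zone (BIND wildcard semantics).
sink_zone_file() {
    cat <<EOF
\$TTL 3600
@       IN SOA  ns.sink.local. hostmaster.sink.local. (
                1       ; serial
                3600    ; refresh
                900     ; retry
                604800  ; expire
                3600 )  ; negative-cache TTL
@       IN NS   ns.sink.local.
@       IN A    $1
*       IN A    $1
EOF
}

# Emit stanzas for every domain read from stdin (one per line, blank lines
# skipped), e.g. a list compiled by reviewing the resolver's cache.
sink_all_stanzas() {
    while read -r d; do
        [ -n "$d" ] || continue
        sink_zone_stanza "$d"
    done
}

# Usage: sinkhole.sh doubleclick.net other.example ... prints the stanzas
# for named.conf; write the matching zone files with
#   sink_zone_file "$SINK_IP" > "$ZONE_DIR/<domain>.db"
# and validate each one with: named-checkzone <domain> <zone file>
for d in "$@"; do
    sink_zone_stanza "$d"
done
```

Two practical notes. named-checkzone (shipped with BIND) catches zone-file mistakes before a reload, and is worth running on every generated file. And the quoted caveat applies unchanged: this only discourages, since a user who switches resolvers or edits /etc/hosts is unaffected; if the intent is stronger than discouragement, pair it with egress filtering so that only the organisation's own resolvers can reach external DNS servers.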