Blocking queries to certain domains

Nate Campi nate at wired.com
Sat Jan 12 19:59:45 UTC 2002


On Sat, Jan 12, 2002 at 11:21:43AM -0800, Pete Ehlke wrote:
> 
> * Ali Eghtessadi <ali at babcockbrown.com> said, on [020112 10:53]:
> > 
> > I would like to know if there is a way to block or drop queries to
> > certain domains? I am trying to block my users from using Yahoo
> > messenger. One way is to block the IP address of the servers in the
> > firewall but because there are so many servers it is not a good solution
> > for us. I thought, maybe using DNS to block the entire domain would be
> > an easier solution.
> > 
> You're trying to use a hammer to fry an egg. Hammers are good tools, but
> they don't fry eggs terribly well. Why isn't it possible for you to
> block the messenger servers in your firewall? YM isn't terribly *easy*
> to block, but it's by no means impossible, and there are plenty of
> resources on the web that show you exactly how to do it with a variety
> of firewalling products.

If Yahoo Messenger is like AIM, it can use a variety of proxies and
outbound ports. A gent at NFR said that when you let AIM autoconfigure
itself it basically does a portscan of the login.oscar.aol.com (or
whatever the name is) to see how it can get there. It can use HTTP
proxies, SOCKS proxies, maybe more (I don't have the message in front of
me).

The point I'm trying to make is that if you have a firewall/gateway with
multiple holes in it, it may be administratively easier to deny outbound
DNS queries from the desktop IPs and set up BIND as authoritative for
the *.yahoo.com zones. Having to muck with complicated packet filtering 
rules blocking a variety of ports and destination IP addresses isn't
always easy, even for an experienced admin. 

Plus it sucks up more time than someone might want to spend. It may not 
be necessary to block 100% of the chat programs, but to put some 
measures in place, and have an actual policy (*gasp*) prohibiting their 
use. MJR, the godfather of firewalling, is the first to point out that
you can't use technical solutions for social problems.

A quick google search shows that YM can actually use HTTP as well, so
it can use your HTTP proxy and talk to yahoo on port 80. That's pretty
tough to stop. You'll have to set up firewall rules and try to block
certain hostnames in your proxy config. 

I'd lean towards using BIND unless I had some kind of personal vendetta
against chat programs. It's just not worth it.
http://nscsysop.hypermart.net/no_chat.html describes some solutions very
well. It's for "BorderManager", but you could use the info for whatever
your firewalling solution (or problem) is.
-- 
Nate Campi | Terra Lycos DNS | WiReD UNIX Operations

The best answer when anybody asks you if you're any good with
explosives is to hold up two open hands and simply say "Ten". 
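The BIND approach Nate describes above, as an added example that is not from the thread: the internal resolver is declared master for the blocked domain and a wildcard record sends every name under it to a sinkhole address, so clients that are forced to use this resolver (outbound port 53 denied at the firewall, as the message suggests) can no longer reach the real servers. The names ns1.example.net, hostmaster.example.net, the file path and the sinkhole address 192.0.2.1 (an RFC 5737 documentation address) are assumptions for the example.

```conf
// --- named.conf on the internal resolver (example, not from the thread) ---
// Serving yahoo.com locally overrides the real zone for every client that
// resolves through this server.  Swap in whichever domain your policy names.
zone "yahoo.com" {
    type master;
    file "blocked/yahoo.com.zone";   // assumed path, relative to "directory"
};

; --- blocked/yahoo.com.zone (example zone file) ---
$TTL 300
@   IN  SOA ns1.example.net. hostmaster.example.net. (
            2002011201 ; serial: bump on every change
            3600       ; refresh
            900        ; retry
            604800     ; expire
            300 )      ; negative-cache TTL
    IN  NS  ns1.example.net.      ; assumed name of this resolver
    IN  A   192.0.2.1             ; sinkhole: e.g. a local "blocked" web page
*   IN  A   192.0.2.1             ; wildcard catches messenger, www, mail ...
```

Note that this blocks the whole domain, not just the messenger service, and it only holds while the desktops cannot reach any other resolver or connect to a hard-coded server IP, so it belongs alongside the policy and firewall rules discussed above rather than in place of them.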



More information about the bind-users mailing list