HiJack DNS - - - a little


Ken F

I am having difficulty adding a static address to my internal DNS server.
Perhaps someone can point to a resolution. My goal is to block AOL Instant
Messenger. I would like to create a record in my internal DNS that resolves
the IM server at login.oscar.aol.com to a bogus address so that if a user
attempts to log in to the IM server, it is not properly resolved.

TIA
 
Create a zone called "oscar.aol.com" and add an A record of "login" and
point that to 127.0.0.1. Problem is, you would need to do that for all
known IM servers for this to be effective, and it does not stop someone from
putting that FQDN in their hosts file to get around your "block". A firewall
or proxy is probably a better solution.
--wjs
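The sinkhole approach described above, and its hosts-file weakness, as an added example that is not part of the thread: it groups hostnames into the zones that must be created on the internal server, emits the A records, and checks a hosts file for the bypass wjs mentions. Only login.oscar.aol.com comes from the thread; the other hostname, the hosts file and its 203.0.113.10 address are constructed.

```python
from collections import defaultdict

SINK_IP = "127.0.0.1"  # the bogus address suggested in the thread

def zone_for(fqdn):
    """Split 'login.oscar.aol.com' into ('login', 'oscar.aol.com'): the record
    name and the zone that has to exist on the internal DNS server."""
    fqdn = fqdn.rstrip(".").lower()
    label, _, zone = fqdn.partition(".")
    if not label or not zone:
        raise ValueError("need at least host.domain: %r" % fqdn)
    return label, zone

def sinkhole_zones(hostnames, sink_ip=SINK_IP):
    """Group hostnames by zone and return BIND-style zone text per zone.
    Every host to be blocked needs its own record; any name you forget
    still resolves normally through the real parent zone."""
    records = defaultdict(set)
    for name in hostnames:
        label, zone = zone_for(name)
        records[zone].add(label)
    zones = {}
    for zone, labels in records.items():
        lines = [
            "$ORIGIN %s." % zone,
            "$TTL 300",
            "@   IN SOA ns1.%s. hostmaster.%s. ( 1 3600 900 604800 300 )" % (zone, zone),
            "@   IN NS  ns1.%s." % zone,
            "ns1 IN A   %s" % sink_ip,  # constructed: the NS is the sinkhole itself
        ]
        lines += ["%-4s IN A   %s" % (label, sink_ip) for label in sorted(labels)]
        zones[zone] = "\n".join(lines) + "\n"
    return zones

def hosts_file_bypass(hosts_text, blocked, sink_ip=SINK_IP):
    """Return (name, ip) pairs where a hosts file maps a blocked name to
    anything other than the sinkhole address, i.e. a client routing
    around the DNS block."""
    blocked = {b.lower().rstrip(".") for b in blocked}
    found = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2:
            continue
        ip, names = fields[0], [n.lower() for n in fields[1:]]
        found += [(n, ip) for n in names if n in blocked and ip != sink_ip]
    return found

HOSTS_SAMPLE = """# constructed sample hosts file
127.0.0.1     localhost
203.0.113.10  login.oscar.aol.com   # bypass entry
"""

if __name__ == "__main__":
    print(sinkhole_zones(["login.oscar.aol.com"])["oscar.aol.com"])
    print(hosts_file_bypass(HOSTS_SAMPLE, ["login.oscar.aol.com"]))
```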
 
Thanks William,
My problem with the firewall solution is that the IPs for the AOL IM
servers are many and they change. My Firebox can be configured easily to
block the IPs, but it doesn't make sense for me to check those IPs every
few days. It also uses port 5190 then 4104 by default, but if it is blocked,
it uses random open ports. The users are not likely to figure out how to
edit, let alone know what a hosts file is. Since all my internal clients
point to my internal DNS, if I made the login.oscar.aol.com record bogus
and then flagged any 5190 traffic, I would be able to prevent most access, and
then attend to anyone that has bypassed it.

Any thoughts?
 
Not a block by IP, but a stateful block on dest port and packet content. The
source port could change (and does), but the dest port is probably fixed, and
you would need NetMon to find which one (or ones) it is. Most mid to higher
end firewall software should allow more advanced filtering based on packet
content and should have built-in rules for IM.
--wjs
 

I am really glad I use Citrix. I prohibit installation of any
software via policy. Windows 2000 Workstations are included in this
policy.
 