Firewall Wizards: Re: Blocking IM via DNS

Re: Blocking IM via DNS

From: raf <raf_at_raf.org>
Date: Wed, 31 Oct 2001 17:42:41 +1100

robert_david_graham wrote:

> You are asking the general question "Can I use my DNS server as a firewall?"
>
> The general answer is "yes" -- as long as your purpose is to discourage the
> "average" user. For most people, DNS is some sort of routing protocol that
> routes names to IP addresses. For most people in the world, when DNS goes
> down, then the Internet goes down. Knowledgeable users will simply use the
> raw IP address (/etc/hosts) or change their DNS server. Therefore, you
> should think of it as something that "discourages" certain behaviors rather
> than "blocks" access. (Remember: really knowledgeable users can get around
> any possible filtering -- such as routing AIM through a SOCKS connection
> back to their home machine).
>
> A similar item you might want to discourage with a "DNS firewall" is pr0n.
> If you browse your DNS cache you'll probably find a lot of cached access to
> porn sites. You can therefore discourage access to these sites by creating a
> static mapping to one of your internal machines. This is cool for a couple
> of reasons. First, you are not "blocking" access, only discouraging it, so
> you can avoid being called "big brother". Second, by redirecting to a
> web-server, you can create appropriate warning messages. A nice one would be
> "The network operations people can see your activities. If you continue to
> access such sites, we might be forced to notify your manager."
>
> You may also find that this can save bandwidth and increase privacy. For
> example, add an entry for "*.doubleclick.net" that points somewhere else.
> This will prevent users' machines from downloading advertisement graphics as
> well as prevent tracking of users' activities by DoubleClick through
> webbugs. (Yes, you can use "*" as a DNS name in BIND and Microsoft DNS
> servers). I have about 30 such entries on my personal DNS server to block
> advertisements.

junkbuster is a much more powerful way of doing this.

raf

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_nfr.com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Received on Oct 31 2001
