Blocking IM via DNS
Fri, 31 Aug 2001 16:39:13 -0400
Well, there are a couple of ways to do this:
1) block port 5190; however, this no longer works, since if it fails on 5190 it
tries every other available port
2) put your users on a proxy and block login.oscar.aol.com
3) create an outbound access-list on your WAN interfaces, or make it inbound
on your Ethernet
! Extended ACL; IOS requires a list number, 100 is a placeholder for any free 100-199 number
access-list 100 deny ip any host 126.96.36.199
access-list 100 deny ip any host 188.8.131.52
access-list 100 deny ip any host 184.108.40.206
access-list 100 deny ip any host 220.127.116.11
access-list 100 deny ip any host 18.104.22.168
access-list 100 deny ip any host 22.214.171.124
access-list 100 deny ip any host 126.96.36.199
access-list 100 deny ip any host 188.8.131.52
! Without this line the implicit deny at the end of the list drops all other traffic
access-list 100 permit ip any any
4) route their traffic to null0
! Host routes to null0 discard every packet destined for the login servers
ip route 184.108.40.206 255.255.255.255 null0
ip route 220.127.116.11 255.255.255.255 null0
ip route 18.104.22.168 255.255.255.255 null0
ip route 22.214.171.124 255.255.255.255 null0
ip route 126.96.36.199 255.255.255.255 null0
ip route 188.8.131.52 255.255.255.255 null0
ip route 184.108.40.206 255.255.255.255 null0
ip route 220.127.116.11 255.255.255.255 null0
If this were me I would go with the access-list, and I would put it on our
firewall; this way I could use it but no one else could. They don't call it
privileged mode for nothing ;-)
-- Jeff d'Ambly
Stay the patient course.
Of little worth is your ire.
The network is up.
From: Simeon Johnston [mailto:email@example.com]
Sent: Thursday, August 30, 2001 12:45 PM
To: IPTables; ipchains; firewall wizards; FOCUS-LINUX
Subject: Blocking IM via DNS
I have asked this before and have blocked AIM and others, but am
wondering if there is an easier way?
In iptables (I think you can do this) I could block by URL. But that is
another rule and DNS lookup that the FW has to do.
Why not change those addresses on the internal DNS to point to something
bogus? Like login.oscar.aol.com for AIM would point to a bogus internal
Would this work? That way the ports wouldn't matter. I would just need
to find out what URL the IM is looking for.
Is this possible? IIRC all the IMs need to log in to some server. So
blocking that server would be fairly easy w/ a false DNS lookup. That
way I don't have to continually look up the new IPs of the URL, and
blocking the ports (which is impossible for some IMs) would be unnecessary.
And one of them uses the NNTP protocol for communication. We use news
servers so I can't block that.
BTW, we have complete control over the internal DNS and lookups go to
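The DNS override Simeon describes, written out as an added BIND 9 example that is not from either message: the internal resolver is made authoritative for just the login hostname, so every other aol.com name still resolves normally. The sinkhole address 192.0.2.1, the example.internal names and the file paths are assumptions.

```text
// named.conf on the internal recursive resolver (added example, not from the thread).
// Authoritative for the single login hostname only; the rest of aol.com
// keeps resolving through normal recursion.
zone "login.oscar.aol.com" {
    type master;
    file "/etc/bind/db.sinkhole";   // path is an assumption
};

; /etc/bind/db.sinkhole: every name in this zone answers with the sinkhole host.
; 192.0.2.1 is a documentation address (RFC 5737) standing in for an internal
; box that accepts the login attempts and logs which clients tried.
$TTL 300
@   IN  SOA  ns1.example.internal. hostmaster.example.internal. (
            2001083101 ; serial (YYYYMMDDnn)
            3600       ; refresh
            900        ; retry
            604800     ; expire
            300 )      ; negative-cache TTL
    IN  NS   ns1.example.internal.
    IN  A    192.0.2.1
*   IN  A    192.0.2.1   ; catches any sub-name the client might try
```

The short TTL keeps the override quick to roll back and limits how long a stale answer lingers in client caches. The access-list from the reply still covers clients that resolve through an outside DNS server or have the login server's address cached.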