[fw-wiz] Blocking IM via DNS

raf raf@raf.org
Wed, 31 Oct 2001 17:42:41 +1100


robert_david_graham wrote:

> You are asking the general question "Can I use my DNS server as a firewall?"
> 
> The general answer is "yes" -- as long as your purpose is to discourage the
> "average" user. For most people, DNS is some sort of routing protocol that
> routes names to IP addresses. For most people in the world, when DNS goes
> down, then the Internet goes down. Knowledgeable users will simply use the
> raw IP address (/etc/hosts) or change their DNS server. Therefore, you
> should think of it as something that "discourages" certain behaviors rather
> than "blocks" access. (Remember: really knowledgeable users can get around
> any possible filtering -- such as routing AIM through a SOCKS connection
> back to their home machine).
> 
> A similar item you might want to discourage with a "DNS firewall" is pr0n.
> If you browse your DNS cache you'll probably find a lot of cached access to
> porn sites. You can therefore discourage access to these sites by creating a
> static mapping to one of your internal machines. This is cool for a couple
> of reasons. First, you are not "blocking" access, only discouraging it, so
> you can avoid being called "big brother". Second, by redirecting to a
> web-server, you can create appropriate warning messages. A nice one would be
> "The network operations people can see your activities. If you continue to
> access such sites, we might be forced to notify your manager."
> 
> You may also find this can save bandwidth and increase privacy. For
> example, add an entry for "*.doubleclick.net" that points somewhere else.
> This will prevent users' machines from downloading advertisement graphics as
> well as prevent tracking of users' activities by DoubleClick through
> webbugs. (Yes, you can use "*" as a DNS name in BIND and Microsoft DNS
> servers). I have about 30 such entries on my personal DNS server to block
> advertisements.

junkbuster is a much more powerful way of doing this.

raf
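The static wildcard mapping the quoted reply describes, written out as a BIND zone file. This is an added illustration, not configuration from either poster; the server names, the serial, and the internal address 192.0.2.10 (standing in for the internal web server that serves the warning page) are constructed values. The zone is loaded by declaring it as a master zone in named.conf, for example `zone "doubleclick.net" { type master; file "/etc/bind/db.sinkhole"; };`, so that the resolver answers authoritatively for that name instead of forwarding the query to the real nameservers.

```bind
; db.sinkhole -- added example zone; every name under doubleclick.net
; resolves to an internal host instead of the real advertising servers.
$TTL 3600
@       IN  SOA  ns1.example.internal. hostmaster.example.internal. (
                    2001103101  ; serial (constructed)
                    3600        ; refresh
                    900         ; retry
                    604800      ; expire
                    3600 )      ; negative-cache TTL
@       IN  NS   ns1.example.internal.

; The zone apex itself: a wildcard does NOT match the bare domain name,
; so "doubleclick.net" needs an explicit record of its own.
@       IN  A    192.0.2.10

; The wildcard: ad.doubleclick.net, m.doubleclick.net, any.depth.of.label ...
; all answer with the internal web server that shows the warning page.
*       IN  A    192.0.2.10
```

The same file can be reused for each advertising or unwanted domain by declaring additional `zone` stanzas that point at it, which is how a list of a few dozen entries stays manageable. Two caveats when checking that it works: the override only applies to clients that actually use this resolver, so a host with its own /etc/hosts entry or a different DNS server configured sees the real addresses (the limitation the quoted reply already notes); and if you sinkhole a domain that legitimate services also live under, every name beneath it is redirected, so query the resolver with `dig @<your-server> ad.doubleclick.net` and a known-good name before and after loading the zone to confirm only the intended names changed.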