how to block AOL IM using DNS spoofing?

From: Richard James
Date: Wednesday, April 4, 2001
Time: 5:31:23 am

Hello all,

I want to block use of IM at my site and have discovered that IM is a
sneaky beast.

I have found references to using DNS to spoof requests for lookups of
the host "login.oscar.aol.com" so that no valid answer is returned.

Not being a DNS guru by any stretch, I am wondering if this is doable
with QDNS?

Below is a description of what one fellow has done.

Any help is much appreciated.

rj

Query: login.oscar.aol.com. Query type: Any record

Answer:
login.oscar.aol.com. 2583 A 152.163.242.28
login.oscar.aol.com. 2583 A 205.188.3.160
login.oscar.aol.com. 2583 A 205.188.3.176
login.oscar.aol.com. 2583 A 205.188.5.204
login.oscar.aol.com. 2583 A 205.188.5.208
login.oscar.aol.com. 2583 A 152.163.241.120
login.oscar.aol.com. 2583 A 152.163.241.128
login.oscar.aol.com. 2583 A 152.163.242.24

The goal was: have my internal DNS server respond with bogus information
(loopback address) to queries for specific DNS names that are not inside my
zone of authority / domain. Use this as another layer of blocking IM &
related services.

Caveats were:
- I wanted to do this with DNS configuration files
- I did not want to have to maintain a full host table for the external
domains, containing DNS entries that I wanted to resolve correctly
- I did not want to have to maintain a separate SOA for each individual IP
address that I was spoofing internally

Accomplished this by configuring my DNS server to hold a secondary / slave
DNS host table for the external domains, and then defining the entries I
wanted to spoof in the host tables. I don't have to maintain DNS entries
that I do want to resolve correctly, since by definition if my local DNS
doesn't find an entry in the local secondary host table, it will follow the
normal DNS out to the root servers on the Internet and down to the actual
authoritative DNS servers for the external domains.

For domains that only have one specific DNS name I want to spoof, I defined an
SOA for that DNS name only, since for a single DNS name it's just as much
administrative overhead to define a secondary / slave as it is to define an
SOA, and it's more aesthetically pleasing.

Specifically, I updated the following files (tested on Solaris 2.7 and Linux
RedHat 6.1):

[other details snipped]
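The single-name variant described above (an authoritative zone for just login.oscar.aol.com whose apex A record points at loopback), written out as an added example for BIND. This is not the original poster's configuration, and the post does not say which DNS server was used; BIND syntax, the file path, the name server name ns1.example.internal and the serial number are assumptions made for this example. QDNS, which the question asks about, would need the equivalent zone in its own format.

```conf
// --- named.conf fragment (assumed BIND 8/9 syntax) ---
// Declare the resolver authoritative for exactly one name. Any other
// name under aol.com is still resolved normally via the root servers,
// so no copy of the real aol.com zone has to be maintained.
zone "login.oscar.aol.com" {
    type master;
    file "/etc/named/sinkhole/login.oscar.aol.com.zone";   // assumed path
};

; --- /etc/named/sinkhole/login.oscar.aol.com.zone ---
; The zone apex IS the blocked host name, so "@" is login.oscar.aol.com.
$TTL 3600
@   IN  SOA ns1.example.internal. hostmaster.example.internal. (
            2001040401  ; serial (assumed; bump on every change)
            3600        ; refresh
            900         ; retry
            604800      ; expire
            3600 )      ; negative-cache TTL
    IN  NS  ns1.example.internal.   ; assumed name of the internal resolver
    IN  A   127.0.0.1               ; loopback: the IM client connects to itself
```

After reloading the server, a query from an internal client should return only the loopback address rather than the eight real A records shown in the post (for example, `dig @<internal-resolver> login.oscar.aol.com A +short` should print just 127.0.0.1). Because this only affects clients that use the internal resolver, a client configured with an external DNS server, or a client that already has the real addresses cached, is not stopped by it; that is why the poster treats it as one layer alongside other blocking.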