Ok, got this one knocked out. Thanks to those who replied with information
([EMAIL PROTECTED], Daniel Morone, Max Asato among others).
The goal was: have my internal DNS server respond with bogus information
(loopback address) to queries for specific DNS names that are not inside my
zone of authority / domain. Use this as another layer of blocking IM &
related services.
Caveats were:
- I wanted to do this with DNS configuration files
- I did not want to have to maintain a full host table for the external
domains, containing DNS entries that I wanted to resolve correctly
- I did not want to have to maintain a separate SOA for each individual IP
address that I was spoofing internally
Accomplished this by configuring my DNS server to hold a secondary / slave
DNS host table for the external domains, and then defining the entries I
wanted to spoof in the host tables. I don't have to maintain DNS entries
that I do want to resolve correctly, since by definition if my local DNS
doesn't find an entry in the local secondary host table, it will follow the
normal DNS out to the root servers on the Internet and down to the actual
authoritative DNS servers for the external domains.
For domains that only have one specific DNS name I want to spoof I defined a
SOA for that DNS name only, since for a single DNS name it's just as much
administrative overhead to define a secondary / slave as it is to define a
SOA, and it's more aesthetically pleasing.
Specifically, updated the following files (tested on Solaris 2.7 and Linux
RedHat 6.1) :
----- begin /etc/named.conf snippet - added the following text -----
zone "login.oscar.aol.com" {
type master;
file "aolhosts.cache";
};
zone "icq.mirabilis.com" {
type master;
file "mirabilishosts.cache";
};
zone "napster.com" {
type slave;
file "napsterhosts.cache";
masters {
127.0.0.1;
};
};
zone "stp.scour.com" {
type master;
file "scourcomhosts.cache";
};
zone "stp.scour.net" {
type master;
file "scournethosts.cache";
};
zone "yahoo.com" {
type slave;
file "yahoohosts.cache";
masters {
127.0.0.1;
};
};
zone "www.icqproxy.com" {
type master;
file "icqproxyhosts.cache";
};
----- end /etc/named.conf snippet -----
----- begin /var/named/aolhosts.cache file - created in whole as follows -----
; login.oscar.aol.com
;
; Bogus SOA file created so that we can spoof a specific DNS query.
login.oscar.aol.com. IN SOA login.oscar.aol.com. admin.wdcrobdns01.ed.gov. ( 4294967295 0 0 0 0 )
IN NS wdcrobdns01.ed.gov.
$ORIGIN login.oscar.aol.com.
; AOL Instant Messenger looks up login.oscar.aol.com to get login servers.
IN A 127.0.0.1
----- end /var/named/aolhosts.cache file -----
----- begin /var/named/mirabilishosts.cache file - created in whole as follows -----
; icq.mirabilis.com
;
; Bogus SOA file created so that we can spoof a specific DNS query.
icq.mirabilis.com. IN SOA icq.mirabilis.com. admin.wdcrobdns01.ed.gov. ( 4294967295 0 0 0 0 )
IN NS wdcrobdns01.ed.gov.
$ORIGIN icq.mirabilis.com.
; ICQ looks up icq.mirabilis.com to get login servers.
IN A 127.0.0.1
----- end /var/named/mirabilishosts.cache file -----
----- begin /var/named/napsterhosts.cache file - created in whole as follows -----
; napster.com
;
; Bogus secondary cache file created so that we can spoof the DNS on queries
; to specific IP addresses.
; Napster client can refer to "napster.com" for login server info.
napster.com. IN A 127.0.0.1
$ORIGIN napster.com.
; Napster client looks up server.napster.com to get servers to connect to.
server IN A 127.0.0.1
----- end /var/named/napsterhosts.cache file -----
----- begin /var/named/scourcomhosts.cache file - created in whole as follows -----
; stp.scour.com
;
; Bogus SOA file created so that we can spoof a specific DNS query.
stp.scour.com. IN SOA stp.scour.com. admin.wdcrobdns01.ed.gov. ( 4294967295 0 0 0 0 )
IN NS wdcrobdns01.ed.gov.
$ORIGIN stp.scour.com.
; Scour Exchange has to connect to stp.scour.[com, net]
IN A 127.0.0.1
----- end /var/named/scourcomhosts.cache file -----
----- begin /var/named/scournethosts.cache file - created in whole as follows -----
; stp.scour.net
;
; Bogus SOA file created so that we can spoof a specific DNS query.
stp.scour.net. IN SOA stp.scour.net. admin.wdcrobdns01.ed.gov. ( 4294967295 0 0 0 0 )
IN NS wdcrobdns01.ed.gov.
$ORIGIN stp.scour.net.
; Scour Exchange has to connect to stp.scour.[com, net]
IN A 127.0.0.1
----- end /var/named/scournethosts.cache file -----
----- begin /var/named/yahoohosts.cache file - created in whole as follows -----
; yahoo.com
;
; Bogus secondary cache file created so that we can spoof the DNS on queries
; to specific IP addresses.
$ORIGIN yahoo.com.
; Yahoo! Instant Messenger client looks up cs[1-7].yahoo.com to
; get servers to connect to.
cs1 IN A 127.0.0.1
cs2 IN A 127.0.0.1
cs3 IN A 127.0.0.1
cs4 IN A 127.0.0.1
cs5 IN A 127.0.0.1
cs6 IN A 127.0.0.1
cs7 IN A 127.0.0.1
; Also cs[1-9].msg.yahoo.com. Some of the cs[1-7].yahoo.com are
; aliases for these.
cs1.msg IN A 127.0.0.1
cs2.msg IN A 127.0.0.1
cs3.msg IN A 127.0.0.1
cs4.msg IN A 127.0.0.1
cs5.msg IN A 127.0.0.1
cs6.msg IN A 127.0.0.1
cs7.msg IN A 127.0.0.1
cs8.msg IN A 127.0.0.1
cs9.msg IN A 127.0.0.1
; Yahoo! Instant Messenger pagers
pager IN A 127.0.0.1
----- end /var/named/yahoohosts.cache file -----
----- begin /var/named/icqproxyhosts.cache file - created in whole as follows -----
; www.icqproxy.com
;
; Bogus SOA file created so that we can spoof a specific DNS query.
www.icqproxy.com. IN SOA www.icqproxy.com. admin.wdcrobdns01.ed.gov. ( 4294967295 0 0 0 0 )
IN NS wdcrobdns01.ed.gov.
$ORIGIN www.icqproxy.com.
; proxy server for ICQ to use HTTP tunnelling
IN A 127.0.0.1
----- end /var/named/icqproxyhosts.cache file -----
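Added example, not part of the original post: a small POSIX sh generator that writes the per-name "master" stanza and sinkhole zone file in the same layout as the files above, so each new login or proxy name can be added without hand-editing. NS_HOST and ADMIN are assumed placeholders for your own internal name server and hostmaster mailbox; the post's files use the zone name itself as the SOA MNAME, this example uses NS_HOST.

```shell
#!/bin/sh
# Added example (not from the original post). Generates, for each single
# fully-qualified name to sinkhole, a BIND master-zone stanza and a zone file
# whose apex A record points at loopback, as in the post's *.cache files.
# NS_HOST and ADMIN are assumed placeholder values for your own environment.
NS_HOST="${NS_HOST:-dns1.internal.example}"
ADMIN="${ADMIN:-hostmaster.internal.example}"

# Zone file name derived from the FQDN: dots become dashes,
# e.g. login.oscar.aol.com -> login-oscar-aol-com.cache
zone_file_for() {
  printf '%s.cache\n' "$(printf '%s' "$1" | tr '.' '-')"
}

# named.conf stanza: a master zone whose apex is exactly the name to sinkhole,
# so every other name under the parent domain still resolves normally.
sinkhole_conf() {
  printf 'zone "%s" {\n\ttype master;\n\tfile "%s";\n};\n' "$1" "$(zone_file_for "$1")"
}

# Zone file: bogus SOA and NS for the apex, then the apex A record to loopback.
# Serial/refresh/retry/expire/minimum mirror the post's ( 4294967295 0 0 0 0 ).
sinkhole_zone() {
  printf '; %s\n; Bogus SOA file so this server answers the name itself.\n' "$1"
  printf '%s. IN SOA %s. %s. ( 4294967295 0 0 0 0 )\n' "$1" "$NS_HOST" "$ADMIN"
  printf '\tIN NS %s.\n' "$NS_HOST"
  printf '$ORIGIN %s.\n\tIN A 127.0.0.1\n' "$1"
}

# Write one combined stanza file plus one zone file per name into DIR.
# Usage: generate_sinkholes DIR name1 [name2 ...]
generate_sinkholes() {
  dir="$1"; shift
  mkdir -p "$dir"
  : > "$dir/named.conf.sinkhole"
  for n in "$@"; do
    sinkhole_conf "$n" >> "$dir/named.conf.sinkhole"
    sinkhole_zone "$n" > "$dir/$(zone_file_for "$n")"
  done
}
```

Include the generated named.conf.sinkhole from named.conf and copy the *.cache files into the named working directory, then reload named and confirm with a lookup from an internal client that the sinkholed name returns 127.0.0.1 while a sibling name under the same parent domain still resolves normally.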
This makes the complete (so far) steps for blocking these services:
1) Block the common service ports that the various IM & related clients
use. This will prevent standard installations from working, as well as
providing us with a method (if it should be desired) to implement finding
new installations of the clients on workstations (via reports generated off
of the firewall logs, identifying attempts to use the standard service
ports, etc). Block on any -> any -> <services>.
This list of services is:
AOL (TCP 5190)
ICQ (TCP 4000)
irc1 (TCP 6660-6670)
irc2 (TCP 7000)
irc-serv (TCP 520)
MSN_Messenger (TCP 1863)
Napster (TCP 4444, 5555, 6666, 6699, 7777, 8875, 8888)
Spinner (TCP 6970)
yahoo_messenger (TCP 5050)
Users can get around this by using the port scanning features of the instant
messenger clients.
2) Configure internal DNS so that clients cannot retrieve the IP
addresses of the login servers. This will keep the clients from connecting
to the login servers, regardless of what IP address or addresses the login
servers are assigned.
The current list of DNS names and implementation is listed above.
Users can get around this by:
a) using a local hosts file on their workstation to specify the IP
addresses
b) using the hard IP addresses of the login servers
c) using a proxy server outside of the firewall to connect to the login
servers
d) waiting for versions or configurations of the clients that access
login servers with new DNS names that we have not blocked
3) Configure internal DNS so that clients cannot retrieve the IP
addresses of known proxy servers. This will keep the clients from
connecting to the proxy servers, regardless of what IP address or addresses
the names are assigned.
Users can get around this by:
a) using a local hosts file on their workstation to identify the IP
addresses
b) using the hard IP addresses of the proxy servers
c) using a new proxy server that we haven't yet identified
4) Configure the firewall to block the IP addresses of the login
servers and of known proxy servers. This will keep people from accessing
the login servers even if they use the workarounds noted in (2a, b, c) and
(3a, b). Block on any -> <all destinations> -> any.
The current list is:
AOL-IM-LoginServers (205.188.7.168, 205.188.7.176, 205.188.5.208,
205.188.7.164) (based on DNS resolution of login.oscar.aol.com)
ICQ-Servers (205.188.153.112, 205.188.153.115, 205.188.179.34,
205.188.179.37, 205.188.179.42, 205.188.153.98, 205.188.153.102,
205.188.153.106, 205.188.153.109) (based on DNS resolution of
icq.mirabilis.com)
Napster_Net (208.178.163.56/29, 208.178.175.128/29, 208.49.239.240/28,
208.49.228.0/24, 208.184.216.0/24) (see www.phoneboy.com FAQ "How do I block
access to Napster?")
ScourExchange (216.52.208.102)
SpinnerServers (205.188.244.36, 205.188.245.121) (g2mhl3-qfe0.spinner.com,
spinlbl.spinner.com)
YahooInstantMessenger (204.71.200.54, 204.71.200.55, 204.71.200.56,
204.71.200.57, 204.71.177.35, 204.71.202.59, 204.71.202.58, 204.71.202.73,
204.71.202.74) (see www.phonebody.com FAQ "How do I enable or block Yahoo
Messenger")
www.icqproxy.com (216.122.100.172)
Users can get around this by finding new proxy servers.
5) Make sure that you are using a clean-up rule, and make your Internet
access rule as restrictive as can be for your requirements. In other words,
follow the rule that you should deny everything except that which you
explicitly require. A sufficiently tight Internet access rule (i.e. only
allow SMTP, FTP, HTTP, HTTPS, Gopher, etc) would mean you wouldn't have to
worry about blocking the default service ports used by these clients.
6) Set a regular schedule of quick penetration testing, wherein new
login server & proxy server DNS names and IP addresses are identified,
service ports used by clients are reviewed and identified, etc.
7) Set a regular (automated) schedule of reviewing firewall log reports
to identify new client installs, and to identify suspicious traffic that
would lead us to identify new login servers and proxy servers.
8) LOCK DOWN THE WORKSTATIONS TO PREVENT INSTALLATION OF UNAUTHORIZED
APPLICATIONS.
I think it is important to note that this is a losing battle. Things are
quickly reaching the point where it will be impossible to 100% block these
services at the firewall; locking down the workstation configurations is a
must.
I realize that this info and this much detail is slightly off-topic for this
list, but thought it was worth posting given the number of requests for this
info that are posted. If anybody has any comments, criticisms, whatever,
feel free to e-mail me. If there is a more solid methodology for blocking
these services, please let me know. If DNS experts out there can address
the potential impact of creating a bogus secondary / cache on my server (my
testing didn't show any), please let me know.
Greg S.
-----Original Message-----
From: amanda [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 12, 2000 8:54 AM
To: Scheidel, Greg
Cc: [EMAIL PROTECTED]
Subject: RE: [FW1] Does anyone know how to block Napster?
What are the AOL services that you are trying to block?
If you just want to block all access to login.oscar.aol.com then a simple IP
filter will do. Try something like this:
Deny 205.188/16 except ports 25 and 80
What you want to do is impossible with an
off-the-shelf name server, but since you
can have the source to Bind, you are free
to do it yourself.
Amanda
On Wed, 12 Jul 2000, Scheidel, Greg wrote:
> This is workable for napster.com (which does not provide any other services
> this site requires access to), but for AOL, Yahoo, etc creating a new zone
> is unmanageable. I still need AOL's (as an example) web servers and e-mail
> servers to resolve properly. If I create a new zone, this means that I have
> to maintain a complete AOL host table, either manually or by scripting to
> pull down their entire host table and then updating the entries I want to
> resolve to loopback.
>
> Isn't it possible to configure the DNS so that my internal DNS will respond
> to queries for the specific DNS names (login.oscar.aol.com, for example) but
> still pass other queries for the zone (aol.com, for example) on as normal?
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================