
| Subject: | Re: Blocking IM |
|---|---|
| Date: | Thu, 08 Dec 2005 20:38:59 -0800 |
Just set up a regular DNS server with a master (or slave) entry for msg.yahoo.com. Because your server thinks that it is authoritative for msg.yahoo.com it treats it like a permanent cache, and will not do recursive searches -- but it will still forward searches for the parent domain.
It's just like the way that a machine that is master for company.co.uk will respond directly to that domain (and subdomains), but recurse for .co.uk. You can claim to be authoritative at ANY level of the domain chain from "." or ".com" to "sub.department.london.co.uk". You can similarly delegate at any level by including an 'NS' record for that subdomain in a properly authoritative server at any parent level.
It's quite possible that they're running specialized servers now, but that's mostly for efficiency reasons, not due to any protocol-based necessity.
All you have to do to change a BIND server into an alternative root server is change the "." zone entry from type "hint" to type "master" or "slave" and build an appropriate database. The really hard part is convincing the rest of the world to listen to you. Similarly for .com, .org or .co.uk, etc.
Bourque Daniel wrote:
OK, there is something I don't get here...
I have been using this technique for a long time to block a whole domain. How can you only block msg.yahoo.com in your inside DNS server without blocking all of yahoo.com?
________________________________
From: Jay Archibald [mailto:jay.archibald@gmail.com] Sent: 7 December 2005 13:37
To: David_Morales@onr.navy.mil; firewalls@securityfocus.com
Subject: RE: Blocking IM
An alternative solution to using expensive IDS or Web Filtering products is BLACKHOLE DNS. Easy to set up and free if you have your own DNS server.

Here is some information for configuring blackhole DNS. It was originally used to prevent malware, but it can be easily used to block instant messengers as well. The idea is that your DNS server resolves the DNS name used for the login process. You point the DNS alias to an internal IP address on your network. If users can't log in, they won't be using instant messengers. It has worked for us.

http://www.bleedingsnort.com/blackhole-dns/
http://www.bleedingsnort.com/article.php?story=20050620215129947&query=black hole

Here are the DNS names we use for blocking instant messengers:

AOL
- login.oscar.aol.com
- screenname.aol.com
- aimexpress.aol.com
- aim.aol.com

Yahoo
- msg.yahoo.com
- messenger.yahoo.com

MSN
- messenger.hotmail.com
- msgr.hotmail.com
- webmessenger.msn.com

Google
- talk.google.com
From: Morales, David (Seta) [mailto:David_Morales@onr.navy.mil] Sent: Tuesday, December 06, 2005 12:51 PM
To: firewalls@securityfocus.com <mailto:firewalls@securityfocus.com> Cc: Amiryar, Edris (Seta)
Subject: Blocking IM
We are blocking IM at the Firewall (Juniper 5200) and through Surf-control (Web Filtering product), but we are still able to connect to Yahoo IM. Has anyone been able to do this successfully? And, does anyone have a list of ports to block so we cannot get to this IM?
Thanks in advance,
David Morales
moraled@onr.navy.mil <mailto:moraled@onr.navy.mil>
-- Stephen Samuel +1(604)450-0066 samnospam@bcgreen.com http://www.bcgreen.com/ Powerful committed communication. Transformation touching the jewel within each person and bringing it to light.
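As an added example (not part of any message in this thread), here is what Stephen's technique looks like in BIND: a master zone for msg.yahoo.com alone, with the zone file answering from a sinkhole address, so the rest of yahoo.com is still resolved recursively. The file path /etc/bind/db.sinkhole, the name ns1.example.internal and the address 192.0.2.1 are assumptions; substitute an internal host that logs the hits.

```conf
// named.conf on the internal resolver: override just this one name.
// Only msg.yahoo.com is served locally; every other name under yahoo.com
// is still looked up recursively as before.
zone "msg.yahoo.com" {
    type master;
    file "/etc/bind/db.sinkhole";   // hypothetical path
    allow-transfer { none; };       // nobody needs to AXFR a sinkhole zone
};

; /etc/bind/db.sinkhole -- the zone data (origin-relative, so it can be
; reused unchanged by a zone stanza for each other blocked name)
$TTL 3600
@   IN  SOA  ns1.example.internal. hostmaster.example.internal. (
            2005120801 ; serial (constructed)
            3600       ; refresh
            900        ; retry
            604800     ; expire
            3600 )     ; negative-cache TTL
@   IN  NS   ns1.example.internal.
@   IN  A    192.0.2.1   ; sinkhole address (constructed); use a host that logs
*   IN  A    192.0.2.1   ; also catch any name beneath msg.yahoo.com

; Verification from a client of this resolver:
;   dig @<resolver> msg.yahoo.com A +short   -> 192.0.2.1
;   dig @<resolver> www.yahoo.com A +short   -> the real address (unaffected)
```

Because the zone file uses `@` for the origin, each name in Jay's list can get its own `zone "..."` stanza pointing at the same file; check the zone with `named-checkzone msg.yahoo.com /etc/bind/db.sinkhole` before reloading.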