That is a really dumb way to block IM. It will not work if you have
technical people on the inside. All they have to do is define the ip on
there local machine. What you want to use is something like iptables,
on your firewall! Then just block all request to the offending
machines.

I don't have technical people on the inside. I don't
think it's a dumb way either. Using the firewall is
impossible. Most IM clients have a default port, a
secondary port, and if those fail, they pick random
ports. How would I go about stopping that at the
firewall without completely shutting down the internet
connection? Using DNS to stop IM should work very
well. Unless the client is hardcoded to use IP, it
will make a DNS request to find the login server. If
the DNS request returns a bogus IP, it never goes out,
no matter what port it connects on.

Who said any thing about ports? Maybe you should read up on iptables.

You could plant a host file on the client and have the system check it
for DNS first.

Problem is that the user might be smart enough to simply change DNS
servers or to set the system to check the local one last.

Another thing to try would be hosts.deny / hosts.allow

Aside from that you might consider examining your /etc/named.conf and
decide which file referenced therein refers to your internal net.

Mine can be found in /var/named/ and since my internal domain is
microverse.net the file is /var/named/microverse.net.db but I probably
shouldn't and/or couldn't use this file to specify anything outside my
internal net.

You could create an additional db file from scratch and add it to your
named.conf so that that it wont get sent to the forwarder.

You might also consider a fake forwarder in named.conf

You should use DNS as it was meant to be used - that is by using it with only correct information. Trying to obtain security by misconfiguring something is ill-conceived and (as most said) easily worked around.

Your best bet is to black the IM port with IPTables (takes about five minutes to set up if you don't know how) or monitor who is using the IM ports and clamp down on the user.

Still another option would be to disallow the application on the desktop either with profiles and roles or by walking around and manually removing it. You could even enable remote administration on your internal network and remove all the IM software from your desk.

But misconfiguring DNS is the sign of a bad administrator and a worse boss if he'll let you get away with it.

I absolutly AGREE with blocking the port on the
firewall...BUT, most big name IM clients (Yahoo, AOL,
ICQ) will choose a (often times random) port to make
the connection. I would LOVE to put the rule on the
firewall, but I can't block all outgoing traffic just
to stop IM.

This is from the AOL FAQ:

Q: Why am I unable to connect to AIM through my company LAN? In the past, I made the connection with no problem.
A: Ask your system administrator to update login.oscar.aol.com on the LAN's DNS table. Also, ask the administrator to make sure that Port 5190 is open for outbound TCP connections. (Other ports can also be used. If your administrator decides on a different port, then you can specify it in Connection preferences.)


As you can see there is a clearly defined port which it seeks to make connection. Unless AOL is monitoring every port on its server for AOL connections, I can't see how random ports are used.

So a rule to deny all traffic to login.oscar.aol.com sounds like a good place
to start. Who cares what port they are using, also I see no reason they would
need to connect to this server other then chat so it should not result in any
loss of outside connections.

I've done a little research searching through online
newsgroups, as well as the website of our firewall
appliance (hence iptables is out of the question).
I'm not making it up! Do a search on
groups.google.com for "aim port block" and read a few
of the messages on the first result page.

Blocking AIM with IPChains:

ipchains -A input -b --sport 5190 -j DENY
ipchains -A input -b -s login.oscar.aol.com -j DENY

*** NOTE: This blocks ICQ as well! ***

Blocking AIM with IPTables:

iptables -A FORWARD --dport 5190 -j REJECT
iptables -A FORWARD -d login.oscar.aol.com -j REJECT

Information on blocking via other firewalls:
If you would like to block AOL Instant Messenger with another firewall,
then you have to block 2 things: the port on which AIM operates, port
5190, and/or the server to which the majority of all AIM clients
connect: login.oscar.aol.com.

I realize how simple it is to do with iptables and
ipchains. I've used them both. You're right, the
limitation is the firewall (that is able to do very
complicated tasks, just not block on domain names).
If it were up to me, the bosses would create a firm
policy with drastic consequences. I'm using what I
have to work with. (It's a typical topdog/businessman
type of request...do it fast without costing money)

In a situation such as this (posted on Yahoo Messenger FAQ)
If you are trying to connect from behind a "smart" firewall which does not use proxy servers, Yahoo! Messenger will automatically search the firewall for an open port, and, if it finds one, use that to connect. If it's not able to find an open port, ask your System Administrator to open port 5050 to our Pager servers, cs1.yahoo.com, cs2.yahoo.com and cs3.yahoo.com.

Then I would block traffic to and from cs1,cs2,and cs3 and have done with it.

So you have a linux box running DNS and that's the only way you can finangle stopping traffic? Pray tell how you stop other illicit traffic (p2p stuff, trojan activity, mudders, etc)?

Good luck, man, I think your bosses need to go to security school. :-) That's management though, eh?

If I were you, I would try to convince them of the error of their ways.
Failing that, I would focus on the client desktop. Go right to the root of the problem.

Or go buy zone alarm and use that! Maybe that can buck up the fifty bucks or so?

To be honest, I was looking for a way to not have to
constantly manage this. Blocking a domain name would
be best, but I don't have that option. So I'm going
to block the default ports and monitor that to see how
rampant this is. We don't have a large user base, and
even fewer that would care to use p2p (IM, mp3, etc)
type stuff. I, like many people, try the easiest, yet
effective manner first. I'm not worried about tech
savvy users. We don't have them. Most call the
windows desktop the "icon screen". So, thanks for
everyones help.

Why can't one just add login.oscar.aol.com and/or it's associated IP
address to /etc/hosts.deny? That should eliminate any possibility of
communication with that host shouldn't it?

use your firewall and your authority