[NTLUG:Discuss] Domain Hijacking / interception / filtering /redirection

Cameron, Thomas Thomas.Cameron at bankofamerica.com
Fri Jan 16 11:45:01 CST 2004


> -----Original Message-----
> From: Richard Geoffrion [mailto:ntlug at rain4us.net]
> Sent: Friday, January 16, 2004 11:25 AM
> To: discuss at ntlug.org
> Subject: [NTLUG:Discuss] Domain Hijacking / interception / filtering
> /redirection
> 
> 
> I don't know what to call it yet, but I am preparing to implement some
> function on a network where certain domain names will resolve to a local IP
> address/webserver.  I'm tired of cleaning up after Win32 users who don't
> know how to click 'NO'.  So, major advertisers, the gator networks, spyware
> sites, and drive by browser infectors (xupiter) will now resolve to a local
> webserver that will display a "this page blocked by corporate policy"
> banner.
> 
> I'm toying with the idea of adding javascript to the page to automatically
> close the page if the page is popup...but I'll have to make sure it's an
> unwanted popup and not a yahoo search result with an unwanted ad!  HAHAHA!
> 
> So I'm converting over from djbdns to BIND on this internal-only DNS server.
> Are there any 'gotchas' I'll need to look out for?  Does anyone know of
> zone files that exist that already do this?  Any other comments are welcome.
> 
> --
> Richard

I did something very similar for a client before I started working for Bank of America.  They wanted to block instant messenger traffic.  I was going to do it with firewall rules but it was almost impossible.  Many of the IM clients use port 80 for their traffic. The servers they contacted were Akamai servers so there were thousands of servers they could go to.  

Instead I set up bogus domains for oscar.aol.com and messenger.yahoo.com and so on.  It worked perfectly.  I did the same thing you are thinking of, redirected all that traffic to an internal web server with the corporate AUP on it.  

I don't mind saying that I was persona non grata with the users after I implemented that change!  But the suits were happy, so it stuck.

The only gotcha I ran into was that many of the IM clients went to foo1.oscar.aol.com or foo2.oscar.aol.com and so on, so I wound up just poisoning the whole oscar.aol.com domain.  You will probably wind up making a host entry on your DNS server for what is actually a subdomain in public DNS.  In other words, any traffic that is destined for any of the various *.something.whatever.com domains will actually go to a host you defined as something.whatever.com.

I just fired up ethereal and launched every IM client I could to see what domains they were contacting, then poisoned DNS for those zones.

--
Thomas Cameron, RHCE, CNE, MCSE, MCT
Assistant Vice President
Linux Design and Engineering
Bank of America
(972) 997-9641

The opinions expressed in this message are mine alone and do not necessarily reflect the opinions of my employer, Bank of America. 
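The sinkhole setup Thomas describes (one internal BIND zone per blocked domain, with a wildcard so foo1.oscar.aol.com and foo2.oscar.aol.com land on the same "blocked by policy" web server) can be generated and sanity-checked with a small script. This is an added example, not code from the thread; the sinkhole address 10.0.0.5, the nameserver name ns1.internal.example and the zone file path are assumptions, and the block list is constructed from the domains the thread mentions.

```python
"""Generate BIND 9 sinkhole zones for a list of blocked domains.

Added example, not from the original thread. Assumes BIND 9 syntax, a
sinkhole web server at 10.0.0.5 (constructed) and an internal nameserver
named ns1.internal.example (assumed).
"""
from typing import Iterable

SINKHOLE_IP = "10.0.0.5"            # constructed: internal "blocked by policy" web server
NS_NAME = "ns1.internal.example."   # assumed: this internal nameserver's own name
ZONE_FILE = "/etc/bind/db.sinkhole" # assumed path; one file serves every blocked zone

# Constructed block list; the internal server becomes authoritative for each of these.
BLOCKED = ["oscar.aol.com", "messenger.yahoo.com", "xupiter.com"]


def normalize(domain: str) -> str:
    """Lower-case, strip whitespace and any trailing dot."""
    return domain.strip().lower().rstrip(".")


def render_named_conf(domains: Iterable[str]) -> str:
    """One 'zone' stanza per blocked domain, all pointing at the shared zone file."""
    stanzas = [
        f'zone "{d}" {{ type master; file "{ZONE_FILE}"; }};'
        for d in sorted({normalize(x) for x in domains})
    ]
    return "\n".join(stanzas) + "\n"


def render_zone(sinkhole_ip: str = SINKHOLE_IP, ns_name: str = NS_NAME) -> str:
    """Zone file shared by every blocked zone. '@' is the zone apex (set by the
    zone name in named.conf); the '*' wildcard catches foo1.oscar.aol.com,
    foo2.oscar.aol.com and so on without a host entry per name."""
    return (
        "$TTL 300\n"
        f"@   IN SOA {ns_name} hostmaster.{ns_name} ( 1 3600 900 604800 300 )\n"
        f"@   IN NS  {ns_name}\n"
        f"@   IN A   {sinkhole_ip}\n"
        f"*   IN A   {sinkhole_ip}\n"
    )


def is_sinkholed(name: str, domains: Iterable[str]) -> bool:
    """Would this query name be answered from a sinkhole zone? Mirrors BIND's
    closest-enclosing-zone match: the zone apex itself or any label beneath it,
    but not a sibling name that merely ends in the same letters."""
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in map(normalize, domains))


if __name__ == "__main__":
    print(render_named_conf(BLOCKED))
    print(render_zone())
```

Paste the named.conf stanzas into the internal server's configuration and write the zone text to the shared file; `is_sinkholed` lets you check a captured query list (as from a packet capture) against the block list before reloading BIND.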
