restrict dns lookup for for a domain

sunlinux · 08-10-2007, 04:07 AM

Can we restrict dns lookup for a particular domain such as chatenabled.mail.google.com(used for google chat) with iptables or somehow ?

I want to block chat using gmail.com ( gmail suggested the method to block using above method)

jlinkels · 08-10-2007, 06:04 AM

I think if you install your own DNS server (bind) you can return a fake address whenever gmail.com is requested. Since users w/o administrative right cannot change their network settings they cannot change the DNS server.

Blocking the IP of gmail is next to impossible as these large sites often use a range of IP addresses.

jlinkels

acid_kewpie · 08-10-2007, 06:45 AM

Quote:

Originally Posted by jlinkels

Blocking the IP of gmail is next to impossible as these large sites often use a range of IP addresses.

well that's the point of the question isn't it? stop the dns query that gets one of the range in the first place. not foolproof of course, but what you're asking fairly simple and totally possible. if you use the string module in iptables and also match on port 53, then you can easily drop any packet being passed through the router on port 53 which contains the string relevant to the domain you want...

Code:

iptables -I FORWARD -p udp --dport 53 -m string --string "chatenabled.mail.google.com" -j DROP

i guess this would work, not tested though... again not the best solution, but a start...