Implementing OpenDNS Content Filtering & Unblocking Yahoo Messenger on your Network

A few days back my Company Management asked me to implement some kind of Content Filtering mechanism which would restrict the uncontrolled Internet usage within the Office. There was also a whole set of requirements that should be met before Content Filtering could be implemented -
  1. It should be transparent & no Proxy setting changes should be required on the Browser end.
  2. It should be free, since the Company could not afford a commercial application like Websense or e-Trust Secure Content Manager.
  3. It should be easily manageable & should be able to provide a minimal set of reports.
What else could meet the above requirements other than OpenDNS? I would personally recommend all Internet Security Administrators in a SOHO & SMB setup to go for this product. It not only provides DNS services but also doubles up as a DNS-based Content Filtering application. It actually works on a principle commonly known as DNS Poisoning: their DNS Servers resolve the true IPs for Domains that are allowed by the Administrator & return the IP of a block page in case of a restricted Domain.

All you need to do is register for a FREE account on their site. Once registered, you need to manually add all the Global NATed IPs in your Network through which Internet is accessed. Then configure your Perimeter device to block DNS requests from your internal Network to all other Internet DNS Servers excluding the OpenDNS DNS Servers 208.67.222.222 & 208.67.220.220. Now configure the scope on your DHCP Server to assign the OpenDNS DNS Servers instead of any other DNS Server. That's it, it is so simple. Once your NATed IP gets verified on your OpenDNS account, you can configure all sorts of Category & Domain based Content Filtering.
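One way to express the Perimeter rule described above, as an added example that is not from the original post. It assumes the Perimeter device is a Linux gateway using iptables and that `eth1` is its LAN-facing interface; both are assumptions, and the function only prints the rules so they can be reviewed first.

```shell
#!/bin/sh
# Added example: emit iptables rules that pin LAN DNS to the OpenDNS resolvers.
# Assumptions (not from the post): the perimeter device is a Linux gateway that
# forwards LAN traffic, and the interface name passed in is its inside interface.

OPENDNS_RESOLVERS="208.67.222.222 208.67.220.220"   # addresses given in the post

# Print the rules in the order they must be appended: the ACCEPT rules for the
# two resolvers first, then the catch-all DROP for any other DNS destination.
dns_lockdown_rules() {
    lan_if=$1
    [ -n "$lan_if" ] || { echo "usage: dns_lockdown_rules <lan-interface>" >&2; return 2; }
    for proto in udp tcp; do          # DNS also uses TCP 53 (large answers)
        for ip in $OPENDNS_RESOLVERS; do
            echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -d $ip -j ACCEPT"
        done
    done
    for proto in udp tcp; do
        echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -j DROP"
    done
}

# Sanity-check a rule list on stdin before applying it: an ACCEPT that appears
# after a DROP would never match, so the list is rejected (non-zero exit).
rules_order_ok() {
    awk '/-j DROP$/ {seen_drop=1} /-j ACCEPT$/ && seen_drop {bad=1} END {exit bad}'
}

# Stand-alone use: "sh dns-lockdown.sh --print eth1" prints the rules for review.
if [ "${1:-}" = "--print" ]; then
    dns_lockdown_rules "${2:-eth1}"
fi
```

After review, the printed rules can be piped to `sh` as root on the gateway; clients that ignore the DHCP-assigned resolvers then get no DNS answers at all instead of unfiltered ones.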

[Screenshots from the OpenDNS site: 1. Administration Page, 2. Statistics Page, 3. Content Filtering Page]

Troubleshooting for Yahoo Messenger -

As per the requirements of one of the teams, it was requested to block requests to the maximum number of sites excluding Chat & Instant Messaging. I thus checked all the categories listed under the Content Filtering option excluding Chat & Instant messaging. To my surprise I found that the Yahoo Messenger client application stopped working totally in spite of Chat & Instant messaging being unchecked. Temporarily I gave the team a workaround by using Meebo for web-based chat & IM.

Now by using netstat I tried tracing all the Servers Yahoo Messenger uses to establish complete communication for all its features like Voice, Video, Chat, File Transfer, etc. I found that the IPs changed for every new connection establishment & soon realised that it was impossible to unblock Yahoo Messenger using IPs. The answer lay in the DNS names of these Servers. I thus waited for a few hours for some logging to happen & finally my Blocked Domains report gave the answer. Here is the bare minimum list of Servers the Yahoo Messenger client software uses to establish complete connection for most of its features -
  1. address.yahoo.com - Probably used for Yahoo Address Book
  2. beta.sip.yahoo.com - Yahoo SIP Server. Probably used for Yahoo Voice Services
  3. filetransfer.msg.yahoo.com - Probably used for Yahoo File Transfer
  4. insider.msg.yahoo.com - Probably used for Yahoo Insider
  5. msg.mud.yahoo.com - Probably used for Yahoo Text Chat
  6. ns.yahoo.com
  7. re2.yahoo.com
  8. relay.voice.mud.yahoo.com - Probably used for Yahoo Voice Chat
  9. scsa.msg.yahoo.com, scsb.msg.yahoo.com, scsc.msg.yahoo.com, scsd.msg.yahoo.com
  10. stun.ycp.corp.yahoo.com - Yahoo STUN Server. Probably used for Yahoo Voice Services
  11. shttp.msg.yahoo.com
  12. http.chat.yahoo.com
  13. natkeepalive.voice.yahoo.com
I feel that this list of Servers should be exhaustive enough (or might not be :-) to unblock Yahoo Messenger through OpenDNS or any other transparent Proxy mechanism. This list might change again when Yahoo does so. As & when I find any new Servers, I will keep adding them & updating this list.

I guess this post should be helpful for people looking to implement an easy, safe, robust & FREE Content Filtering mechanism & also to unblock Yahoo Messenger through that.

2 comments:

Anonymous said...

To block Ocial Networks, IM's, see:

http://www.taringa.net/posts/ebooks-tutoriales/3716751/bloquear-messengers-IMs-y-Redes-Ociales.html

Baudhayan Lahiri said...

@anonymous - Thank you for sharing the info.

Readers - The link to the above comment is in Spanish. For English version use http://translate.google.com/translate?prev=hp&hl=en&js=y&u=http%3A%2F%2Fwww.taringa.net%2Fposts%2Febooks-tutoriales%2F3716751%2Fbloquear-messengers-IMs-y-Redes-Ociales.html&sl=es&tl=en&history_state0=