IPSEC with Wildcards or a better way to block yahoo messenger.

I'm attempting to block several different instant messenger programs using IPSEC policies.  Most have gone down without too much trouble.  The exception is Yahoo Messenger.  I've found at least 50 different IP addresses for logon servers and no matter how many I block it just finds a new one.  It's driving me nuts.  They all have a common part of the host name *.msg.dcn.yahoo.com and they all appear to come from the same few IP ranges.  They are 216.136.x.x, 216.136.x.x and 246.155.x.x.  Short of entering every one of these IPs, is there a way to either block everything from *.msg.dcn.yahoo.com or by the IP ranges?  Thanks in advance.

bbao (IT Consultant) commented:
> Option a would be best but if it's not too much trouble could you do a and b?

A) On your W2K3 server, go to Control Panel | Add or Remove Programs | Add/Remove Windows Components | Networking Services, click Details, and check DNS and DHCP to install the DNS and DHCP servers. Run the DNS wizard to set up your DNS server with default settings. Add an A-type record for "*.msg.yahoo.com" with IP, and add your ISP's DNS server addresses in the dialogue box for DNS Properties | Forwarders. Run the DHCP wizard to deploy DHCP with the DNS option pointing to your internal DNS server.

B) Suppose IP block 216.115.107.* is for Y! Messenger; you may add the following command to block these IPs on your W2K3 server:

route -p add 216.115.107.0 mask 255.255.255.0 x.x.x.x

where x.x.x.x is a nonexistent IP on your LOCAL subnet.

hope it helps,
mrlader (Author) commented:
Sorry forgot to list OS.  We run 2003 Server Enterprise Edition.

One thing you could do is try software that is meant to perform this job like this one: http://blockyahoo.port5.com/

This info below was "borrowed" from the www.phoneboy.com website:


You will need to block or allow access via port 5050 to the following IP addresses:

Yahoo Instant Messengers:

Yahoo_1 =
Yahoo_2 =
Yahoo_3 =
Yahoo_4 =
Yahoo_5 =
Yahoo_6 =
Yahoo_7 =
Yahoo_8 =
Yahoo_9 =
Yahoo_10 =
Yahoo_11 =
Yahoo_12 =
Yahoo_13 =
Yahoo_14 =
Yahoo_15 = es21.msg.yahoo.com
Yahoo_16 = es22.msg.yahoo.com
Yahoo_17 = es23.msg.yahoo.com
Yahoo_18 = es24.msg.yahoo.com
Yahoo_19 = es25.msg.yahoo.com
Yahoo_20 = es26.msg.yahoo.com
Yahoo_21 = es27.msg.yahoo.com
Yahoo_22 = es28.msg.yahoo.com
Yahoo_23 = es29.msg.yahoo.com
Yahoo_24 = es30.msg.yahoo.com
Yahoo_25 = es31.msg.yahoo.com
mrlader (Author) commented:
I had thought of terminatorx but this is for a small church school and they don't want to spend money on anything right now.  Blocking port 5050 doesn't work because yahoo just finds another port to use.  It will even use port 80 if need be.

Well you could block port 80 to these as well (better yet, all ports), but they could always add more servers and cause you to have to modify your settings again.  That's the problem you run into when you try to block the program at the network layer versus the application layer.

If you want to go the low $$$ route then I think you're stuck with the manual way of finding server IPs and blocking them.

It might be worth checking on that app I mentioned to see if they will give a break to a church.  Some companies offer discounts for schools and churches.

bbao (IT Consultant) commented:
Hi mrlader,

You have 3 ways (levels) to block those IPs used by Y! Messenger. I am here to list all the levels, the corresponding methods, their feasibility and the suitable conditions:

A) Name resolution level: block specific domains and their subordinates. Easy, if you can point your clients' DNS settings to your W2K3-based DNS server.

B) IP routing level: mask the specific IP blocks by changing the routing table. Very easy if all the related IPs can be grouped in a few IP blocks.

C) TCP port level: use IPSec policies. Difficult, you know why. :)

Certainly, all the above methods use the built-in features of W2K3 server, free of charge as you expect. :)

Please tell me which one (of course A or B, not C) you prefer, and I will tell you the detailed steps.
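
The two cheap levels above (A: DNS sinkhole zone, B: blackhole routes for whole IP blocks) both depend on first reducing a long list of observed logon servers to a few zones and CIDR blocks. The following Python script is an added example and is not code from this thread or from Yahoo; the hostnames and IP addresses in it are constructed sample data, and the gateway 192.168.1.254 stands in for the "nonexistent IP on your LOCAL subnet" from answer B. It collapses observed IPs into the minimal set of /24-or-larger networks, emits the matching Windows `route -p add` lines, and checks which observed hostnames a proposed sinkhole zone would fail to cover, which is the trap in this thread: the asker's names are under msg.dcn.yahoo.com while the suggested record was under msg.yahoo.com.

```python
"""Summarise observed messenger logon servers into DNS sinkhole zones and
Windows blackhole routes. Added example; sample data is constructed."""
import ipaddress

# Constructed sample: (hostname, IP) pairs an admin might have collected from
# firewall logs while watching the messenger client log on.
OBSERVED = [
    ("es21.msg.yahoo.com", "216.115.107.21"),
    ("es22.msg.yahoo.com", "216.115.107.22"),
    ("cs1.msg.dcn.yahoo.com", "216.115.106.5"),
    ("cs2.msg.dcn.yahoo.com", "216.136.175.10"),
    ("scs.msg.yahoo.com", "66.163.171.3"),
]

# Assumed dead gateway on the local subnet (answer B's x.x.x.x); pick one
# that no host answers ARP for, so the routed packets are simply dropped.
DEAD_GATEWAY = "192.168.1.254"


def summarize_blocks(ips, min_prefix=24):
    """Round each IP up to its /min_prefix network, then merge adjacent
    networks (e.g. two neighbouring /24s become one /23)."""
    nets = {ipaddress.ip_network(f"{ip}/{min_prefix}", strict=False) for ip in ips}
    return sorted(ipaddress.collapse_addresses(nets))


def blackhole_route_commands(networks, gateway=DEAD_GATEWAY):
    """Persistent Windows routes (route -p add) that send each block to the
    dead gateway, in the same form as answer B."""
    return [
        f"route -p add {net.network_address} mask {net.netmask} {gateway}"
        for net in networks
    ]


def in_blocked_range(ip, networks):
    """True if a new logon server IP already falls inside a blocked block,
    i.e. no route change is needed when the client 'finds a new one'."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def hosts_not_covered(hosts, zones):
    """Observed hostnames that a wildcard record in each of `zones` would
    not catch: a '*' record in msg.yahoo.com does not cover
    anything under msg.dcn.yahoo.com, which is a separate subtree."""
    return [
        host for host in hosts
        if not any(host == zone or host.endswith("." + zone) for zone in zones)
    ]


if __name__ == "__main__":
    hosts = [h for h, _ in OBSERVED]
    ips = [ip for _, ip in OBSERVED]
    blocks = summarize_blocks(ips)
    print("# blocks:", ", ".join(str(b) for b in blocks))
    for cmd in blackhole_route_commands(blocks):
        print(cmd)
    print("# not covered by *.msg.yahoo.com:",
          hosts_not_covered(hosts, ["msg.yahoo.com"]))
    print("# not covered by both zones:",
          hosts_not_covered(hosts, ["msg.yahoo.com", "msg.dcn.yahoo.com"]))
```

Run it once against your own collected list; as the thread notes, the blackhole routes only affect traffic that passes through the server holding the routing table, and the client will keep trying other ports and servers, so re-run the summary whenever a new logon server appears to see whether it is already inside a blocked block.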

mrlader (Author) commented:
Option A would be best, but if it's not too much trouble could you do A and B?  I would be most grateful for that info.  Thank you so so much.
