Question

How to block facebook on the network level using a DNS Zone.

Asked by: CJ27


I'm trying to block facebook from my network. I have a Cisco ASA firewall and have created rules and blocked over 40 IP addresses that belong to facebook, but still no luck. I came across another question similar and someone suggested just creating a DNS zone for facebook and leaving it blank. Could someone give me specific instructions on creating a DNS zone for this? I'm very interested in this method. Any other ideas are welcome, but 3rd party software is not an option, and I am not very good with Cisco firewalls, which is why I thought this might be a better option.


Asked On: 2009-09-17 at 10:40:24 (ID 24740733)
Topics: Domain Name Service (DNS), Cisco PIX Firewall
Participating Experts: 2
Points: 500
Comments: 40


Answers

 

by: RPPreacher, posted on 2009-09-17 at 10:42:32, ID: 25358902

What DNS are you using internally?

 

by: JEREMYNO, posted on 2009-09-17 at 10:47:20, ID: 25358939

Easy: use OPENDNS.COM for free, and you will also have free statistics of the domains users have been to. It's all there at www.opendns.com.

 

by: CJ27, posted on 2009-09-17 at 10:50:13, ID: 25358968

I would like to do this without third party software. I'm just using a Windows 2003 server as a DNS server.

 

by: JEREMYNO, posted on 2009-09-17 at 10:56:36, ID: 25359019

You don't need third-party software; you just set your DNS to forward DNS requests. The manual is on the page. If you don't want statistics you don't need to register there; see the video. I am using it and it's fine. It's not a proxy where your data is going; it's only DNS.

 

by: RPPreacher, posted on 2009-09-17 at 10:57:05, ID: 25359023

Open DNS MMC
Right click on Forward Lookup Zones
New Zone
Primary Zone
To all DNS servers
zone name facebook.com



 

by: RPPreacher, posted on 2009-09-17 at 10:58:04, ID: 25359036

When someone attempts to connect to facebook.com, the DNS will not resolve doing above.

 

by: CJ27, posted on 2009-09-17 at 11:15:05, ID: 25359189

Open DNS MMC
Right click on Forward Lookup Zones
New Zone
Primary Zone
To all DNS servers
zone name facebook.com

I just did this on my DNS server and it did not work. I do have an alternate DNS server in my domain and maybe that's what it is. Do I just need to wait on it to replicate or do I need to do it on the other server?

 

by: RPPreacher, posted on 2009-09-17 at 11:19:02, ID: 25359227

Wait for replication.

Also, local PCs will have a DNS cache that clears out on reboot, so until they reboot, it will not be 100%.

 

by: RPPreacher, posted on 2009-09-17 at 11:19:29, ID: 25359234

or clear the local cache to test.

ipconfig /flushdns

 

by: CJ27, posted on 2009-09-17 at 12:22:47, ID: 25359906

So far this method has not worked. Could I be missing something or is there anything else I need to do to this zone in order for it to work?

 

by: JEREMYNO, posted on 2009-09-17 at 12:33:57, ID: 25360044

Hmm, there is one thing: have you set your server as the only DNS? Because if you set more than one, or don't do the same on both, it will not work.

 

by: RPPreacher, posted on 2009-09-17 at 12:35:03, ID: 25360060

True.

Your workstations need to ONLY point to your internal DNS server for DNS.

 

by: CJ27, posted on 2009-09-17 at 12:42:12, ID: 25360136

All workstations point to a primary DNS server and a secondary DNS server for emergency situations, and I cannot change this in order to block a web site. Are y'all saying that this method will not work for me if it replicates to both servers?

 

by: RPPreacher, posted on 2009-09-17 at 12:44:24, ID: 25360158

It will if both DNS servers are in sync and both have the facebook.com zone.

 

by: RPPreacher, posted on 2009-09-17 at 12:49:52, ID: 25360231

Something is still resolving facebook.com to an IP.

from a command line, enter

nslookup
set q=soa
facebook.com

and post the output
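The SOA check above is the right diagnostic, because it tells you which server answered and whether that server answered from its own zone or forwarded the query. The following Python script is an added example, not code from the thread: it reads Windows nslookup SOA transcripts collected from each resolver the workstations use and classifies each one. The two-server layout, the host names (dc1.corp.example, dc2.corp.example), the addresses (192.168.1.10/.11, 203.0.113.53) and the sample transcripts are all constructed placeholders.

```python
"""Classify 'nslookup' / 'set q=soa' / 'facebook.com' transcripts from each
resolver a workstation uses.  Added example, not code from the thread.  It
answers the experts' question: did the SOA come from our sinkhole zone, or
did the query leak to a public authority?  Sample outputs, host names and
addresses below are constructed placeholders (corp.example, *.invalid)."""
import re

# Assumption: two internal Windows DNS servers, as in the thread's setup.
INTERNAL_RESOLVERS = {"192.168.1.10", "192.168.1.11"}
INTERNAL_DNS_HOSTS = {"dc1.corp.example", "dc2.corp.example"}


def parse_soa_output(text):
    """Extract the resolver that answered, whether the answer was authoritative,
    and the SOA primary name server and serial from Windows nslookup output."""
    fields = {"resolver": None,
              "authoritative": "Non-authoritative answer" not in text,
              "primary": None, "serial": None}
    m = re.search(r"^Address:\s+(\S+)", text, re.MULTILINE)  # resolver's address
    if m:
        fields["resolver"] = m.group(1)
    m = re.search(r"primary name server\s*=\s*(\S+)", text)
    if m:
        fields["primary"] = m.group(1).rstrip(".").lower()
    m = re.search(r"serial\s*=\s*(\d+)", text)
    if m:
        fields["serial"] = int(m.group(1))
    return fields


def sinkhole_verdict(text):
    """Classify one transcript:
    'ok'                   internal server answered authoritatively from its zone
    'outside-resolver'     the client asked a resolver we do not control
    'zone-missing'         internal server forwarded (zone absent or misnamed)
    'unexpected-authority' authoritative, but the SOA names a foreign server"""
    f = parse_soa_output(text)
    if f["resolver"] not in INTERNAL_RESOLVERS:
        return "outside-resolver"
    if not f["authoritative"]:
        return "zone-missing"
    if f["primary"] not in INTERNAL_DNS_HOSTS:
        return "unexpected-authority"
    return "ok"


def audit(transcripts):
    """Verdict per resolver.  The block only holds when every server the
    clients can reach says 'ok'; one 'zone-missing' server leaks real IPs."""
    return {parse_soa_output(t)["resolver"]: sinkhole_verdict(t) for t in transcripts}


# Constructed sample: the answer you want, from the first internal server.
GOOD = """\
Server:  dc1.corp.example
Address:  192.168.1.10

facebook.com
        primary name server = dc1.corp.example
        responsible mail addr = hostmaster.corp.example
        serial  = 3
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
"""

# Constructed sample: the second server forwards the query because its zone
# was created with a typo in the name (the thread's root cause).
LEAKED = """\
Server:  dc2.corp.example
Address:  192.168.1.11

Non-authoritative answer:
facebook.com
        primary name server = ns1.public-example.invalid
        responsible mail addr = hostmaster.public-example.invalid
        serial  = 2009091701
        refresh = 3600 (1 hour)
"""

# Constructed sample: the workstation is pointed at an outside resolver.
OUTSIDE = """\
Server:  resolver.isp.invalid
Address:  203.0.113.53

Non-authoritative answer:
facebook.com
        primary name server = ns1.public-example.invalid
        serial  = 2009091701
"""

if __name__ == "__main__":
    for resolver, verdict in audit([GOOD, LEAKED, OUTSIDE]).items():
        print(f"{resolver:16} {verdict}")
```

Paste each server's transcript in place of the constructed ones; any verdict other than 'ok' explains a workstation that still resolves the site.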

 

by: CJ27, posted on 2009-09-17 at 12:50:19, ID: 25360237

They are both in sync and I have looked on both and they have replicated, but it still is not working? What else can I look at?

 

by: RPPreacher, posted on 2009-09-17 at 12:52:04, ID: 25360257

Something is still resolving facebook.com to an IP.

from a command line, enter

nslookup
set q=soa
facebook.com

and post the output

 

by: CJ27, posted on 2009-09-17 at 12:54:09, ID: 25360273

Here it is.

 

by: RPPreacher, posted on 2009-09-17 at 12:56:20, ID: 25360300

No.

nslookup <-- press enter
set q=soa <-- press enter
facebook.com <--- press enter.

 

by: CJ27, posted on 2009-09-17 at 13:00:15, ID: 25360341

Here it is

 

by: RPPreacher, posted on 2009-09-17 at 13:03:59, ID: 25360382

Are you sure you created a proper DNS zone for facebook.com?

If so, try clearing the cache on the DNS server.

Open DNS MMC on BOTH DNS servers.

Right click server name, select clear cache.  Clear cache on testing workstation.

 

by: CJ27, posted on 2009-09-17 at 13:04:06, ID: 25360385

When I created the facebook zone, by default there are 4 records:

Name                     Type                  Data
(same as parent folder)  SOA and name server   Server names

Does any of this need to be deleted?

 

by: RPPreacher, posted on 2009-09-17 at 13:06:18, ID: 25360416

Those are all defaults.  They are fine.

 

by: RPPreacher, posted on 2009-09-17 at 13:07:39, ID: 25360431

I assume that you are testing this by pinging www.facebook.com after clearing the cache and not testing it by using a browser.

If you are testing using a browser, I assume that you cleared the browser cache as well.

I guess I am making a lot of assumptions.

 

by: CJ27, posted on 2009-09-17 at 13:08:10, ID: 25360439

"Are you sure you created a proper DNS zone for facebook.com?"

No, but I did it exactly like this:

Open DNS MMC
Right click on Forward Lookup Zones
New Zone
Primary Zone
To all DNS servers
zone name facebook.com


 

by: CJ27, posted on 2009-09-17 at 13:22:51, ID: 25360609

I am testing it using a browser after clearing the cache and flushing the DNS. When I first started this assignment my intent was to block it in our Cisco ASA firewall, after blocking all blocks of IP addresses listed in the ARIN database and a few more that I received when I would ping facebook.com. It did not work, so I decided this would be a much easier solution. Now when I ping it times out most of the time because it resolves it to an IP address that I have already blocked in the firewall.

 

by: RPPreacher, posted on 2009-09-17 at 13:26:42, ID: 25360656

Let's see if your DNS is working at all. Add an A record to the facebook.com zone.

Some dumb name like smileyface.facebook.com = 66.0.0.1

Then ping smileyface.facebook.com and see if you get 66.0.0.1

Try pinging it from the DNS server (remote to DNS server and test).

 

by: CJ27, posted on 2009-09-17 at 13:29:22, ID: 25360683

Once I did this:

Open DNS MMC
Right click on Forward Lookup Zones
New Zone
Primary Zone
To all DNS servers
zone name facebook.com

I did nothing else. Everything was left at default. Is there anything else I need to do in the properties or somewhere else to finish creating this zone properly or is that it?

 

by: RPPreacher, posted on 2009-09-17 at 13:33:41, ID: 25360729

That should be it.

 

by: CJ27, posted on 2009-09-17 at 13:36:07, ID: 25360764

It says "Ping request could not find host. Please check the name and try again." I did not flush the DNS on the server before I tried it though. Would that matter?

 

by: RPPreacher, posted on 2009-09-17 at 13:36:59, ID: 25360779

Did you ping it from the DNS server or from a workstation?

 

by: CJ27, posted on 2009-09-17 at 13:37:22, ID: 25360784

It may be harder instead of easier, but if it would be easier, I would like to just redirect facebook.com to my company web site.

 

by: CJ27, posted on 2009-09-17 at 13:37:55, ID: 25360787

I pinged it from the DNS server.

 

by: RPPreacher, posted on 2009-09-17 at 13:38:39, ID: 25360794

It should be easy.  I've done this 1,000,000 times.  I'm just trying to figure out why this simple, simple, simple thing is not working in your environment.

 

by: RPPreacher, posted on 2009-09-17 at 13:40:52, ID: 25360820

If you added the A record and your DNS server cannot find the same A record, something is hosed with your DNS.  You could try rebooting your DNS server and see if that magically fixes it but I'm stumped.  Can't figure out why doing this is so hard...

 

by: CJ27, posted on 2009-09-17 at 13:44:31, ID: 25360865

I can try that, but I can't do that till after hours tomorrow night. I'm not sure what's going on either. I thought it would be easy too.

 

by: CJ27, posted on 2009-09-18 at 06:47:14, ID: 25365870

Stupid, stupid mistake by me. It was a typo in the zone name!! RPPreacher, your solution was right on! I will award you points, but first can you tell me how to make this forward to my company web site. Do I need to create an A record or an alias or something?

 

by: RPPreacher, posted on 2009-09-18 at 07:07:23, ID: 25366099

Create an A record for WWW.  Point it to your internal web site.

 

by: CJ27, posted on 2009-09-18 at 07:13:36, ID: 25366154

In the A record New Host box I have:
Name (which is blank but I can type something) is this where my company domain name goes?

Also at the bottom I have a place where I can put an IP address, is that my company web site IP address?

Also there are 2 check boxes at the bottom. Do either need to be checked?

 

by: RPPreacher, posted on 2009-09-18 at 07:14:26, ID: 25366158

Name

www

IP = company IP address

No on check boxes.
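The mechanism behind the whole thread (RPPreacher's empty primary zone for facebook.com, the smileyface test record, and the final www A record pointing at the company site) comes down to one rule: a name that falls inside a zone the server is authoritative for never leaves the server. The Python model below is an added example, not code from the thread or from Windows DNS; it reproduces that rule so the failure modes seen above (a typo in the zone name, a second server without the zone, a workstation pointed at an outside resolver) can be reasoned about without touching a server. The address 192.0.2.10, the placeholder public answer 203.0.113.7 and the class and function names are assumptions made for the example.

```python
"""Model of what an authoritative "sinkhole" zone does to a Windows DNS
server's answers.  Added example, not code from the thread or from Windows
DNS.  192.0.2.10 and 203.0.113.7 are documentation-range placeholders."""


class SinkholeServer:
    """An internal DNS server holding zero or more locally authoritative zones."""

    def __init__(self):
        self.zones = {}   # zone name -> {owner name -> IPv4 address}

    @staticmethod
    def _norm(name):
        return name.strip().rstrip(".").lower()

    def add_zone(self, zone):
        """New Zone -> Primary Zone in the DNS MMC: an empty zone.  The default
        SOA/NS records are not modelled; only A records matter here."""
        self.zones[self._norm(zone)] = {}

    def add_a_record(self, zone, host, ip):
        """New Host (A): host is the left label ('www'), not a full domain name."""
        z = self._norm(zone)
        if z not in self.zones:
            raise KeyError(f"no such zone: {zone}")
        owner = z if host in ("", "@") else f"{self._norm(host)}.{z}"
        self.zones[z][owner] = ip

    def zone_for(self, name):
        """Longest matching zone, compared label by label, so that
        'notfacebook.com' never lands in the 'facebook.com' zone."""
        labels = self._norm(name).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def resolve(self, name):
        """Return (status, ip).  Names inside a local zone never leave the
        server: 'answer' if an A record exists, 'nodata' for the zone apex
        (it has SOA/NS but no address), 'nxdomain' otherwise.  Anything else
        is 'forwarded' to forwarders or root hints, i.e. the real address."""
        n = self._norm(name)
        zone = self.zone_for(n)
        if zone is None:
            return "forwarded", None
        ip = self.zones[zone].get(n)
        if ip is not None:
            return "answer", ip
        return ("nodata" if n == zone else "nxdomain"), None


class PublicResolver:
    """Any resolver outside our control (ISP, OpenDNS): it returns the real
    address.  The value is a placeholder standing in for the site's real IP."""

    def resolve(self, name):
        return "answer", "203.0.113.7"


def client_lookup(name, resolvers):
    """The Windows resolver asks its preferred (first) server and only falls
    back on *no response*, never on NXDOMAIN, so the first server decides.
    A server without the zone answers 'forwarded', i.e. the real IP."""
    return resolvers[0].resolve(name)


def zone_in_sync(servers, zone):
    """Every internal server must carry the zone, or a client that fails over
    (or lists the other server first) gets the real address."""
    z = SinkholeServer._norm(zone)
    return all(z in s.zones for s in servers)


if __name__ == "__main__":
    dns1, dns2 = SinkholeServer(), SinkholeServer()
    dns1.add_zone("facebook.com")
    dns2.add_zone("facebok.com")           # the zone-name typo from the thread
    print(dns1.resolve("www.facebook.com"))            # ('nxdomain', None)
    print(dns2.resolve("www.facebook.com"))            # ('forwarded', None)
    print(zone_in_sync([dns1, dns2], "facebook.com"))  # False
    dns1.add_a_record("facebook.com", "www", "192.0.2.10")
    print(client_lookup("www.facebook.com", [dns1, dns2]))  # ('answer', '192.0.2.10')
```

The model also shows why blocking by IP at the firewall is the weaker control here: the zone stops the name from resolving at all on a correctly configured client, while the typo'd server and the outside resolver both hand back a real address regardless of the firewall rules.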
