DNS on W2k with W2k and WinNT clients

Stiofan
Hi there everyone,


I'm trying to restrict the access of 5 PCs on my LAN to a handful of URLs.

So, I set up the DNS service on one of my Windows 2000 servers. Then I added the forward lookup zones of the handful of sites I want the clients to be able to access.

Then I configured the network properties of the client machines to use the Windows server as the DNS server.

One of the client machines is a Windows 2000 Professional and it works fine - I can only access those sites specified in the DNS server.

The other 4 are Windows NT 4 workstations - but from these machines someone can access ANY URL.

Does anyone have any suggestions?


Thanks in advance,

Stephen

mikecrIT Architect/Technology Delivery Manager

Commented:
You need to remove the root hints from the DNS server. If the DNS server can't resolve the name local to it, it uses its root hints to resolve it. How the Windows 2K Pro machine is working, I'm not sure about, because it should be able to go anywhere also.

Author

Commented:
Thanks mikecr,

But I'd already removed the root hints.
deroodeSystems Administrator

Commented:
This sounds like a very unreliable solution to me. Why not use an ordinary firewall / proxy solution and block everything else there?

Author

Commented:
Deroode,

I did consider this but I have no proxy server and no experience of administering a firewall. We're using DHCP too, which means (or does it?!) that I can't restrict URL access to certain IP addresses on my LAN (as they are constantly changed by DHCP).




IT Architect/Technology Delivery Manager
Commented:
Is the server able to resolve names to the internet without a problem? You could remove the DNS address and publish a host file to each machine with the mappings also and this would circumvent this.

Commented:

As deroode has said, this solution might not be the most reliable as a user could by-pass DNS if they knew the ip address of the site they wanted to access.

To test your DNS server, try running nslookup from the command prompt on one or more of your workstations to determine what addresses can and cannot be resolved from your server.
Gabriel OrozcoSolution Architect

Commented:
Consider passing all the traffic between those servers and the rest of your LAN through a firewall/proxy. This can be done using any old 386+ you have and a Linux solution. There are some very simple and good solutions out there, like coyotelinux, which fits on a single floppy and with two or three lines you have it all set.

http://www.coyotelinux.com/

And this is only one of the solutions you can use. But this is a classical solution in Linux, while in NT it is not so simple.
Sounds like your solution will work. I am sure that you checked the config on the machines that still seem to have full access.
Run ipconfig to verify. Check for lmhosts files and WINS.

Commented:
If you just make your server a root server (create a "." domain, and build the structure under that), it disables all ability to forward out requests (in fact I think it grays-out the forwarder tab and the root-hints tab).  Then just make sure your clients are only pointing to this box for DNS and ensure that their hosts files are empty.  
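Two of the checks raised in this thread can be scripted rather than eyeballed: the warning that a user can bypass DNS entirely by typing a site's IP address into the browser, and the advice to make sure each client's hosts file is empty (apart from the localhost line) so a local mapping cannot override the whitelist DNS server. The following Python is an added example, not code from the thread or from any of the commenters; the hosts-file text, the zone names and the URLs in it are constructed sample data.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample of a Windows hosts file (not taken from any real machine).
# Two non-loopback lines were "pinned" by a user and would override the whitelist DNS.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.0.2.10      www.example.com   example.com   # pinned by a user
198.51.100.7\tintranet.example.net
"""

LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Parse hosts-file text into (ip, [names]) tuples.

    Comments ('#' to end of line) and blank lines are skipped, and a line whose
    first field is not an IP address is ignored, which matches how Windows treats it.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        names = [n.lower() for n in parts[1:]]
        if names:
            entries.append((str(ip), names))
    return entries


def bypass_entries(text, allowed_zones):
    """Return hosts-file mappings that would let a client resolve a name without
    asking the whitelist DNS server.

    The plain localhost -> loopback line is harmless. Every other mapping is
    reported, including names inside an allowed zone: the entry still replaces
    the DNS server's answer, so a user could point an allowed name anywhere.
    """
    findings = []
    for ip, names in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback and all(n in LOOPBACK_NAMES for n in names):
            continue
        for name in names:
            in_zone = any(name == z or name.endswith("." + z) for z in allowed_zones)
            findings.append({"ip": ip, "name": name, "in_allowed_zone": in_zone})
    return findings


def url_skips_dns(url):
    """True when the URL's host is an IP literal, so no DNS lookup happens at all
    and a DNS-only whitelist cannot see or stop the request."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for f in bypass_entries(SAMPLE_HOSTS, ["example.com"]):
        print("hosts override:", f)
    for u in ("http://www.example.com/", "http://192.0.2.10/", "http://[2001:db8::1]/"):
        print(u, "skips DNS" if url_skips_dns(u) else "goes through DNS")
```

Run it against the contents of %SystemRoot%\system32\drivers\etc\hosts copied from each NT workstation (the script itself is platform-independent); anything it reports other than the localhost line is a mapping that defeats the DNS-based restriction, and the IP-literal check is the reason the other commenters recommend a firewall or proxy in front of these machines rather than relying on DNS alone.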

Author

Commented:
Hi guys,

Thanks for all the advice. Excellent suggestions. I eventually went with mikecr because it was the simplest solution for someone with rudimentary IT experience like myself.

I much appreciated all the input - keep up the great work guys.

Stiofan
mikecrIT Architect/Technology Delivery Manager

Commented:
Thanks, and if there is anything else that we can do for you, please stop back.

Good luck!
Michael
