Solved

Using DNS Server to block Websites

Posted on 2003-12-11
Last Modified: 2010-03-19
I have a network and a Windows NT server with DNS... how can I block certain websites from being accessed by my users?
Question by:James Hilloya
19 Comments
 
LVL 31

Expert Comment

by:qwaletee
You need a filtering firewall.  I don't know if you are using a "real" router or a SOHO-type router.  Some of the SOHO routers allow you to define site IP address and host name blocking.  All the real routers allow this.
LVL 1

Author Comment

by:James Hilloya
There is no way to block the website's IP using my DNS server?
LVL 31

Expert Comment

by:qwaletee
Not really, to a determined user.  I think your idea is as follows.  When a PC on your network needs to contact a host, it looks up the IP address on your DNS server.  The DNS server has only your few internal addresses, so for internet stuff, it forwards the request on to ITS upstream DNS server.  If you add zones for the "blocked" addresses directly to the internal DNS server, it will no longer forward them upstream, and you can put in a dummy IP address for unwanted hosts.

Is that what you were thinking?

Then I hope your users know nothing about the internet.  Anyone who does will quickly figure out that all they need to do is add a HOSTS entry, or change to an external DNS server, in order to bypass your "trip."

Plus, it is typically EASIER to configure at the router.  If you have a real router, and someone on staff who understands it, you simply block the route.  If you have a Linksys, or other router that allows blocked host configuration, then you have it real easy: there is a screen in the config menu that allows you to just enter a list of blocked addresses.
LVL 1

Author Comment

by:James Hilloya
Yes, that works good... so I go to DNS server manager and add a new zone? If so, what kind of zone? And how do I do this on Windows? Please help.
LVL 1

Author Comment

by:James Hilloya
I mean, how do I do this on Windows NT Server?
LVL 31

Expert Comment

by:qwaletee
You can merge in a zone file for the blocked domain with a start of authority record (so DNS will never refer). Or, you can use the DNS configuration panel, which I believe is a control panel applet under NT.

I have to apologize, I have not used the older NT DNS server, so I can't be more specific than that.
LVL 1

Author Comment

by:James Hilloya
Can you tell me exactly the steps on how to do it using DNS on a Windows 2000 DNS server, please?
LVL 31

Expert Comment

by:qwaletee
Here's an article for it: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q172953&GSSNB=1

Under NT, I believe the management console is under Start - Programs - Admin Tools - DNS Manager

Right-click your DNS server, choose NEW ZONE

I believe you want an SOA record, so the server "thinks" it is the official server for the domain you want... assuming that you want to block all hosts in the domain (e.g., you want to block all of yahoo.com, not just mail.yahoo.com or www.yahoo.com).
LVL 31

Expert Comment

by:qwaletee
If you want to block only a single server, you can also define a zone at the server level, e.g., mail.yahoo.com is perfectly valid as a zone.  Just as com is a root zone, and yahoo.com, from the com perspective, is a subdomain AND a host name (http://yahoo.com does work, right?).  If you were to actually define a zone yahoo.com, and wanted to specify the host that is the same as the domain itself, you use @ for the host name.
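
As an added illustration (not from this thread or from any DNS product), here is a small Python model of the resolver behaviour qwaletee describes in the two comments above: a name that falls under a zone the internal server is primary for is answered locally, with a dummy address for blocked zones, and is never forwarded upstream; a name outside those zones still goes to the forwarder. It also shows the host-level-zone point: a zone for mail.other.example catches only that name, not other.example. All zone names and addresses are constructed sample data.

```python
from typing import Optional, Tuple

SINKHOLE_IP = "127.0.0.1"  # assumption: the dummy address handed out for blocked names

# Constructed sample data: zones this internal server is primary for.
# Keys inside a zone are owner names relative to the zone: "@" is the zone
# apex itself (as in a zone file) and "*" is a wildcard for any other name.
LOCAL_ZONES = {
    "corp.example": {"@": "10.0.0.5", "fileserver": "10.0.0.10"},  # a real internal zone
    "blocked.example": {"@": SINKHOLE_IP, "*": SINKHOLE_IP},       # block the whole domain
    "mail.other.example": {"@": SINKHOLE_IP},                      # block one host only
}


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'WWW.Blocked.Example.' still matches."""
    return name.rstrip(".").lower()


def find_zone(qname: str) -> Optional[str]:
    """Return the most specific local zone that contains qname, or None."""
    q = normalize(qname)
    best = None
    for zone in LOCAL_ZONES:
        if (q == zone or q.endswith("." + zone)) and (best is None or len(zone) > len(best)):
            best = zone
    return best


def resolve(qname: str) -> Tuple[str, Optional[str]]:
    """Decide how the internal server answers one A query.

    ("local", ip)       answered from a zone we are primary for
    ("nxdomain", None)  we are authoritative but hold no such name: never forwarded
    ("forward", None)   not one of our zones, so it goes to the upstream forwarder
    """
    q = normalize(qname)
    zone = find_zone(q)
    if zone is None:
        return ("forward", None)
    records = LOCAL_ZONES[zone]
    # Owner name relative to the zone; the zone name itself is the apex "@".
    relative = "@" if q == zone else q[: -(len(zone) + 1)]
    if relative in records:
        return ("local", records[relative])
    if "*" in records:
        return ("local", records["*"])
    return ("nxdomain", None)
```

Note that the "nxdomain" branch is the behaviour that actually matters for blocking: once the server believes it is authoritative, a missing name is answered as non-existent rather than forwarded upstream.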
LVL 1

Author Comment

by:James Hilloya
I right-clicked on the DNS server and chose "New Zone"... now it is asking me what zone type I want, primary or secondary? What should I do? Then there are blanks to fill out for zone and server... I don't know what to do. The article you sent me is about how to install DNS; there is nothing there to block a website...
LVL 31

Expert Comment

by:qwaletee
Of course there is nothing about blocking a web site.  DNS is not designed to do that. You just want to fool your DNS so that it fools your users so the site effectively does not exist.

Create it as a primary (which means your server thinks it is the King of that domain).  The zone will be the domain or host you wish to block.  Your DNS server will be the server.
LVL 1

Author Comment

by:James Hilloya
After that I get asked for a "zone name" and a "zone file". What should I put in there? Also, if I choose primary zone I do not get the option to fill out "zone" or "server"... I only get those if I choose "secondary".
LVL 31

Expert Comment

by:qwaletee
That's odd, I don't know why it would not let you specify the zone name if you say primary.  You ALWAYS have to specify a zone name in the DNS system :(

If you take a look at the article I posted earlier, it includes a link to a whitepaper. That explains everything you will ever need to know about NT's DNS server.
LVL 1

Author Comment

by:James Hilloya
Thanks for all of your help, but it's not working... do you know where and how I can download a proxy server? I think I will set that up even though I've never set up a proxy server before...
LVL 31

Expert Comment

by:qwaletee
The only free one I recall offhand is SpoonProxy.  There are a number of others, I think, which may be more full-featured.  Proxies require more work to set up... you need to close your router off so that most users can't get to the internet at all, then you set up the router so the proxy CAN get through, then you change all workstations to use the proxy.

I still think you'd be best off getting a cheap LinkSys or something similar.
LVL 1

Author Comment

by:James Hilloya
Cheap Linksys what?
LVL 31

Expert Comment

by:qwaletee
LinkSys router.  Just plug it in between your broadband connection and whatever you are using now.  You might need about 14 minutes' worth of changes to get it up and running, depending on your current LAN configuration, including blocking the sites you don't like.

They start at about $60-$75.
LVL 1

Author Comment

by:James Hilloya
I already have a router on my network... a Cisco 1720 router.
LVL 31

Accepted Solution

by:qwaletee (earned 20 total points)
OK, CISCO's are beyond my abilities, but most CISCO's can be configured to do the same thing.  You'll have to ask another expert how to configure the 1720 to block certain IP addresses from being reached.

The simplest way may be to define a false static route.