Using DNS Server to block Websites

I have a network and a Windows NT server with DNS...how can i block certain websites from being accessed by my users???
Asked by James Hilloya

1 Solution
qwaletee commented:
You need a filtering firewall. I don't know if you are using a "real" router or a SOHO-type router. Some of the SOHO routers allow you to define site IP address and host name blocking. All the real routers allow this.
 
James Hilloya (author) commented:
There is no way to block the websites' IPs using my DNS server?
 
qwaletee commented:
Not really, to a determined user. I think your idea is as follows. When a PC on your network needs to contact a host, it looks up the IP address on your DNS server. The DNS server has only your few internal addresses, so for internet stuff, it forwards the request on to ITS upstream DNS server. If you add zones for the "blocked" addresses directly to the internal DNS server, it will no longer forward them upstream, and you can put in a dummy IP address for unwanted hosts.

Is that what you were thinking?

Then I hope your users know nothing about the internet. Anyone who does will quickly figure out that all they need to do is add a HOSTS entry, or change to an external DNS server, in order to bypass your "trick."

Plus, it is typically EASIER to configure at the router. If you have a real router, and someone on staff who understands it, you simply block the route. If you have a Linksys, or other router that allows blocked host configuration, then you have it real easy: there is a screen in the config menu that allows you to just enter a list of blocked addresses.
James Hilloya (author) commented:
Yes, that works well. So I go to DNS Server Manager and add a new zone? If so, what kind of zone? And how do I do this on Windows? Please help.
 
James Hilloya (author) commented:
I mean, how do I do this on Windows NT Server?
 
qwaletee commented:
You can merge in a zone file for the blocked domain with a Start of Authority record (so DNS will never refer). Or, you can use the DNS configuration panel, which I believe is a Control Panel applet under NT.

I have to apologize: I have not used the older NT DNS server, so I can't be more specific than that.
 
James Hilloya (author) commented:
Can you tell me exactly the steps on how to do it using DNS on a Windows 2000 DNS server, please?
 
qwaletee commented:
Here's an article for it: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q172953&GSSNB=1

Under NT, I believe the management console is under Start > Programs > Administrative Tools > DNS Manager.

Right-click your DNS server, choose New Zone.

I believe you want an SOA record, so the server "thinks" it is the official server for the domain you want... assuming that you want to block all hosts in the domain (e.g., you want to block all of yahoo.com, not just mail.yahoo.com or www.yahoo.com).
 
qwaletee commented:
If you want to block only a single server, you can also define a zone at the server level, e.g., mail.yahoo.com is perfectly valid as a zone. Just as com is a root zone, and yahoo.com, from the com perspective, is a subdomain AND a host name (http://yahoo.com does work, right?). If you were to actually define a zone yahoo.com, and wanted to specify the host that is the same as the domain itself, you use @ for the host name.
 
James Hilloya (author) commented:
I right-clicked on the DNS server and chose "New Zone". Now it is asking me what zone type I want, primary or secondary? What should I do? Then there are blanks to fill out for zone and server. I don't know what to do; the article you sent me is about how to install DNS, there is nothing there about blocking a website.
 
qwaletee commented:
Of course there is nothing about blocking a web site. DNS is not designed to do that. You just want to fool your DNS so that it fools your users, so the site effectively does not exist.

Create it as a primary (which means your server thinks it is the King of that domain). The zone will be the domain or host you wish to block. Your DNS server will be the server.
 
James Hilloya (author) commented:
After that I get asked for a "zone name" and a "zone file". What should I put in there? Also, if I choose primary zone I do not get the option to fill out "zone" or "server"; I only get those if I choose secondary.
 
qwaletee commented:
That's odd, I don't know why it would not let you specify the zone name if you say primary. You ALWAYS have to specify a zone name in the DNS system :(

If you take a look at the article I posted earlier, it includes a link to a whitepaper. That explains everything you will ever need to know about NT's DNS server.
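The procedure qwaletee describes above (create a primary zone named after the domain to block, so the server stops forwarding upstream, then point the apex "@" and the other host names at a dummy address), together with the caveat from the earlier reply that any client using a HOSTS entry or another resolver walks straight past it, is shown here as an added example. This is not code from the thread and does not apply to the NT/2000 DNS Manager GUI the asker is using: it uses the DnsServer PowerShell module that ships with Windows Server 2012 and later, and the domain (example.com), the sinkhole address (0.0.0.0) and the external resolver used for the bypass check are values chosen for the example.

```powershell
# Added example, not from the original thread.
# Sinkhole one or more domains on a Windows DNS Server (2012+) with the
# DnsServer module, mirroring the GUI steps from the thread:
#   New Zone -> Primary -> zone name = domain to block -> add A records.
# Assumptions: run elevated on the DNS server itself; example.com and
# 0.0.0.0 are placeholder values.

param(
    [string[]] $BlockedDomains = @('example.com'),
    [string]   $SinkholeIP     = '0.0.0.0'
)

Import-Module DnsServer -ErrorAction Stop

foreach ($domain in $BlockedDomains) {
    # Re-runnable: only create the zone if it is not already there.
    if (-not (Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue)) {
        # A primary, file-backed zone. The server is now authoritative for
        # the name ("the King of that domain") and will never forward it.
        Add-DnsServerPrimaryZone -Name $domain -ZoneFile "$domain.dns"
    }

    # '@' is the zone apex (http://example.com). '*' is a wildcard that
    # answers for every other host name in the domain (www, mail, ...)
    # without listing them. To block a single host instead, make the zone
    # name the host itself (e.g. mail.example.com) and add only the '@' record.
    Add-DnsServerResourceRecordA -ZoneName $domain -Name '@' -IPv4Address $SinkholeIP
    Add-DnsServerResourceRecordA -ZoneName $domain -Name '*' -IPv4Address $SinkholeIP
}

# Check 1: ask this server directly; it should answer from its own zone
# with the sinkhole address and never go upstream.
foreach ($domain in $BlockedDomains) {
    $answer = Resolve-DnsName -Name "www.$domain" -Type A -Server 127.0.0.1 -DnsOnly
    $ip = ($answer | Where-Object QueryType -eq 'A').IPAddress
    "{0,-30} -> {1}" -f "www.$domain", $ip
}

# Check 2 (the bypass from the thread): a workstation that points at any
# other resolver, or has a HOSTS entry, is unaffected. Querying a public
# resolver from the same machine returns the real address, which is why
# the reply recommends blocking at the router (or at least filtering
# outbound UDP/TCP 53 so clients can only reach your DNS server).
Resolve-DnsName -Name "www.$($BlockedDomains[0])" -Type A -Server 1.1.1.1 -DnsOnly
```

Remove a sinkhole with `Remove-DnsServerZone -Name example.com -Force` when it is no longer needed. Use 0.0.0.0 or an unroutable internal address as the dummy rather than a real host, otherwise every blocked name's traffic lands on that host.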
 
James Hilloya (author) commented:
Thanks for all of your help, but it is not working. Do you know where and how I can download a proxy server? I think I will set that up, even though I've never set up a proxy server before.
 
qwaletee commented:
The only free one I recall offhand is SpoonProxy. There are a number of others, I think, which may be more full-featured. Proxies require more work to set up: you need to close your router off so that most users can't get to the internet at all, then you set up the router so the proxy CAN get through, then you change all workstations to use the proxy.

I still think you'd be best off getting a cheap Linksys or something similar.
 
James Hilloya (author) commented:
Cheap Linksys what?
 
qwaletee commented:
Linksys router. Just plug it in between your broadband connection and whatever you are using now. You might need about 14 minutes' worth of changes to get it up and running, depending on your current LAN configuration, including blocking the sites you don't like.

They start at about $60-$75.
 
James Hilloya (author) commented:
I already have a router on my network: a Cisco 1720 router.
 
qwaletee commented:
OK, Ciscos are beyond my abilities, but most Ciscos can be configured to do the same thing. You'll have to ask another expert how to configure the 1720 to block certain IP addresses from being reached.

The simplest way may be to define a false static route.