Using DNS Server to block Websites

I have a network and a Windows NT server. With it, can I block certain websites from being accessed by my users?
James Hilloya asked:

You need a filtering firewall.  I don't know if you are using a "real" router or a SOHO-type router.  Some of the SOHO routers allow you to define site IP address and host name blocking.  All the real routers allow this.
James Hilloya (Author) commented:
There is no way to block the website's IP using my DNS server?
Not really, to a determined user.  I think your idea is as follows.  When a PC on your network needs to contact a host, it looks up the IP address on your DNS server.  The DNS server has only your few internal addresses, so for internet stuff, it forwards the request on to ITS upstream DNS server.  If you add zones for the "blocked" addresses directly to the internal DNS server, it will no longer forward them upstream, and you can put in a dummy IP address for unwanted hosts.

Is that what you were thinking?

Then I hope your users know nothing about the internet.  Anyone who does will quickly figure out that all they need to do is add a HOSTS entry, or change to an external DNS server, in order to bypass your "trip."

Plus, it is typically EASIER to configure at the router.  If you have a real router, and someone on staff who understands it, you simply block the route.  If you have a Linksys, or other router that allows blocked host configuration, then you have it real easy; there is a screen in the config menu that allows you to just enter a list of blocked addresses.

James Hilloya (Author) commented:
Yes, that works. I go to DNS Server Manager and add a new zone? If so, what kind of zone? And how do I do this on Windows? Please help.
James Hilloya (Author) commented:
I mean, how do I do this on Windows NT Server?
You can merge in a zone file for the blocked domain with a start of authority record (so DNS will never refer). Or, you can use the DNS configuration panel, which I believe is a control panel applet under NT.

I have to apologize, I have not used the older NT DNS server, so I can't be more specific than that.
James Hilloya (Author) commented:
Can you tell me exactly the steps on how to do it using DNS on a Windows 2000 DNS server, please?
Here's an article for it:;EN-US;q172953&GSSNB=1

Under NT, I believe the management console is under Start - Programs - Admin Tools - DNS Manager.

Right-click your DNS server, choose NEW ZONE

I believe you want an SOA record, so the server "thinks" it is the official server for the domain you want... assuming that you want to block all hosts in the domain (e.g., you want to block all of, not just or
If you want to block only a single server, you can also define a zone at the server level, e.g., is perfectly valid as a zone.  Just as com is a root zone, and, from the com perspective, is a subdomain AND a host name ( does work, right?).  If you were to actually define a zone, and wanted to specify the host that is the same as the domain itself, you use @ for the host name.
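As an added illustration (not code from this thread), the following model shows the lookup logic the answer describes: a name inside a zone the internal server has been made primary for is answered locally with a dummy address, while everything else is forwarded upstream. It also shows the difference between a zone named after a whole domain and one named after a single host, and the "@" apex record. All zone names, addresses and the upstream table are constructed sample values.

```python
# Added example: model of an internal DNS server that answers names in its own
# zones (with a dummy address) and forwards everything else upstream.
from typing import Optional

SINKHOLE_IP = "127.0.0.1"  # constructed dummy address handed out for blocked names

# Zones the internal server has been made "primary" for (constructed names).
# "@" is the zone apex itself; "*" stands for any host beneath the zone.
# A zone named after a whole domain catches every host under it; a zone named
# after one host catches only that name.
BLOCKED_ZONES = {
    "example-blocked.test": {"@": SINKHOLE_IP, "*": SINKHOLE_IP},  # whole domain
    "badhost.example-allowed.test": {"@": SINKHOLE_IP},            # single host
}

# Constructed stand-in for the upstream resolver the server normally forwards to.
UPSTREAM = {
    "www.example-blocked.test": "203.0.113.10",
    "www.example-allowed.test": "203.0.113.20",
    "badhost.example-allowed.test": "203.0.113.30",
    "other.example-allowed.test": "203.0.113.40",
}


def authoritative_zone(name: str) -> Optional[str]:
    """Return the longest locally defined zone that contains `name`, if any."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_ZONES:
            return candidate
    return None


def resolve(name: str) -> Optional[str]:
    """Answer from a local zone when one covers the name; otherwise forward.

    Returns None when the server is authoritative but holds no matching
    record (the equivalent of a "no such name" answer).
    """
    name = name.lower().rstrip(".")
    zone = authoritative_zone(name)
    if zone is None:
        return UPSTREAM.get(name)          # not ours: forwarded upstream
    records = BLOCKED_ZONES[zone]
    host = "@" if name == zone else name[: -len(zone) - 1]
    if host in records:
        return records[host]
    return records.get("*")                # wildcard, or None if the zone lacks one
```

Note that this only models the server side; as the next reply points out, a client that switches to an external DNS server or adds a HOSTS entry never consults these zones at all.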
James Hilloya (Author) commented:
I right-clicked on the DNS server and chose "New Zone". It is asking me what zone type I want, primary or secondary? What should I do? Then there are blanks to fill out for zone and server... I don't know what to do. The article you sent me is about how to install DNS; there is nothing there to block a website...
Of course there is nothing about blocking a web site.  DNS is not designed to do that. You just want to fool your DNS so that it fools your users so the site effectively does not exist.

Create it as a primary (which means your server thinks it is the King of that domain).  The zone will be the domain or host you wish to block.  Your DNS server will be the server.
James Hilloya (Author) commented:
After that I get asked for a "zone name" and a "zone file". What should I put in there? Also, if I choose primary zone I do not get the option to fill out "zone" or "server"... I only get those if I choose secondary.
That's odd, I don't know why it would not let you specify the zone name if you say primary.  You ALWAYS have to specify a zone name in the DNS system :(

If you take a look at the article I posted earlier, it includes a link to a whitepaper. That explains everything you will ever need to know about NT's DNS server.
James Hilloya (Author) commented:
Thanks for all of your help, but do you know where and how I can download a proxy server? I think I will set that up even though I've never set up a proxy server before...
The only free one I recall offhand is SpoonProxy.  There are a number of others, I think, which may be more full-featured.  Proxies require more work to set up... you need to close your router off so that most users can't get to the internet at all, then you set up the router so the proxy CAN get through, then you change all workstations to use the proxy.

I still think you'd be best off getting a cheap LinkSys or something similar.
James Hilloya (Author) commented:
Cheap LinkSys what?
LinkSys router.  Just plug it in between your broadband connection and whatever you are using now.  You might need about 14 minutes worth of changes to get it up and running, depending on your current LAN configuration, including blocking the sites you don't like.

They start at about $60-$75.
James Hilloya (Author) commented:
I already have a router on my network... a Cisco 1720 router.
OK, CISCO's are beyond my abilities, but most CISCO's can be configured to do the same thing.  You'll have to ask another expert how to configure the 1720 to block certain IP addresses from being reached.

The simplest way may be to define a false static route.
