Solved

Using DNS Server to block Websites

Posted on 2003-12-11
Last Modified: 2010-03-19
I have a network and a Windows NT server with DNS... How can I block certain websites from being accessed by my users?
Question by:James Hilloya
19 Comments
 
LVL 31

Expert Comment

by:qwaletee
ID: 9920835
You need a filtering firewall.  I don't know if you are using a "real" router or a SOHO-type router.  Some of the SOHO routers allow you to define site IP address and host name blocking.  All the real routers allow this.
0
 
LVL 1

Author Comment

by:James Hilloya
ID: 9920856
There is no way to block the website's IP using my DNS server?
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9920939
Not really, to a determined user.  I think your idea is as follows.  When a PC on your network needs to contact a host, it looks up the IP address on your DNS server.  The DNS server has only your few internal addresses, so for internet stuff, it forwards the request on to ITS upstream DNS server.  If you add zones for the "blocked" addresses directly to the internal DNS server, it will no longer forward them upstream, and you can put in a dummy IP address for unwanted hosts.

Is that what you were thinking?

Then I hope your users know nothing about the internet.  Anyone who does will quickly figure out that all they need to do is add a HOSTS entry, or change to an external DNS server, in order to bypass your "trip."

Plus, it is typically EASIER to configure at the router.  If you have a real router, and someone on staff who understands it, you simply block the route.  If you have a Linksys, or other router that allows blocked host configuration, then you have it real easy, there is a screen in the config menu that allows you to just enter a list of blocked addresses.
0
 
LVL 1

Author Comment

by:James Hilloya
ID: 9921154
Yes, that works good... So I go to DNS server manager and add a new zone? If so, what kind of zone? And how do I do this on Windows? Please help.
0
 
LVL 1

Author Comment

by:James Hilloya
ID: 9921354
I mean, how do I do this on Windows NT Server?
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9921623
You can merge in a zone file for the blocked domain with a start of authority record (so DNS will never refer). Or, you can use the DNS configuration panel, which I believe is a control panel applet under NT.

I have to apologize, I have not used the older NT DNS server, so I can't be more specific than that.
0
 
LVL 1

Author Comment

by:James Hilloya
ID: 9921683
Can you tell me exactly the steps on how to do it using DNS on a Windows 2000 DNS server, please?
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9924826
Here's an article for it: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q172953&GSSNB=1

Under NT, I believe the management console is under Start - Programs - Admin Tools - DNS Manager.

Right-click your DNS server, choose NEW ZONE.

I believe you want an SOA record, so the server "thinks" it is the official server for the domain you want... assuming that you want to block all hosts in the domain (e.g., you want to block all of yahoo.com, not just mail.yahoo.com or www.yahoo.com).
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9924907
If you want to block only a single server, you can also define a zone at the server level, e.g., mail.yahoo.com is perfectly valid as a zone.  Just as com is a root zone, and yahoo.com, from the com perspective, is a subdomain AND a host name (http://yahoo.com does work, right?).  If you were to actually define a zone yahoo.com, and wanted to specify the host that is the same as the domain itself, you use @ for the host name.
0

 
LVL 1

Author Comment

by:James Hilloya
ID: 9928109
I right-clicked on the DNS server and chose "New Zone"... Now it is asking me what zone type I want, primary or secondary? What should I do? Then there are blanks to fill out for zone and server... I don't know what to do. The article you sent me is about how to install DNS; there is nothing there to block a website...
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9931042
Of course there is nothing about blocking a web site.  DNS is not designed to do that. You just want to fool your DNS so that it fools your users so the site effectively does not exist.

Create it as a primary (which means your server thinks it is the King of that domain).  The zone will be the domain or host you wish to block.  Your DNS server will be the server.
0
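Added example, not part of the thread and not Microsoft's tooling: a Python sketch that writes the standard master-file text for such a "blocking" primary zone and models what the internal server would then answer. The dummy address `192.0.2.1`, the server name `ns1.corp.example.`, the `hostmaster` mailbox and the `mail.example.net` entry are constructed placeholders.

```python
import ipaddress
import re

SINKHOLE_IP = "192.0.2.1"          # constructed: documentation-range dummy address
DNS_SERVER = "ns1.corp.example."   # hypothetical name of the internal DNS server
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(name):
    """Lower-case a DNS name, drop the trailing dot, validate each label."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        raise ValueError(f"not a valid zone name: {name!r}")
    return name

def zone_file(zone, hosts=("@", "www"), ip=SINKHOLE_IP, serial=1):
    """Return master-file text for a primary zone that answers with a dummy IP."""
    zone = normalize(zone)
    ipaddress.IPv4Address(ip)      # raises ValueError on a malformed address
    out = [f"$ORIGIN {zone}.", "$TTL 3600",
           f"@ IN SOA {DNS_SERVER} hostmaster.corp.example. "
           f"{serial} 3600 600 86400 3600",
           f"@ IN NS {DNS_SERVER}"]
    out += [f"{h} IN A {ip}" for h in hosts]   # "@" is the zone name itself
    return "\n".join(out) + "\n"

def lookup(zones, qname):
    """Model the server's answer. zones maps zone name -> set of host labels."""
    qname = normalize(qname)
    # The most specific (longest) matching zone is the one the server uses.
    for zone in sorted(zones, key=len, reverse=True):
        if qname == zone:
            host = "@"
        elif qname.endswith("." + zone):
            host = qname[: -len(zone) - 1]
        else:
            continue
        # Authoritative: either a record exists, or the name "does not exist".
        return SINKHOLE_IP if host in zones[zone] else "NXDOMAIN"
    return "FORWARDED"             # not our zone: goes to the upstream DNS server

# Constructed sample: one whole-domain zone and one single-host zone.
BLOCKED = {"yahoo.com": {"@", "www"}, "mail.example.net": {"@"}}
```

A zone defined at the domain level also swallows every other host under it (they come back as nonexistent), while a zone defined at the host level leaves sibling hosts forwarded upstream as before.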
 
LVL 1

Author Comment

by:James Hilloya
ID: 9931090
After that I get asked for a "zone name" and a "zone file". What should I put in there? Also, if I choose primary zone I do not get the option to fill out "zone" or "server"... I only get those if I choose secondary.
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9936176
That's odd, I don't know why it would not let you specify the zone name if you say primary.  You ALWAYS have to specify a zone name in the DNS system :(

If you take a look at the article I posted earlier, it includes a link to a whitepaper. That explains everything you will ever need to know about NT's DNS server.
0
 
LVL 1

Author Comment

by:James Hilloya
ID: 9949657
Thanks for all of your help, but it is not working... Do you know where and how I can download a proxy server? I think I will set that up even though I've never set up a proxy server before...
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9950976
The only free one I recall offhand is SpoonProxy.  There are a number of others, I think, which may be more full-featured.  Proxies require more work to set up... you need to close your router off so that most users can't get to the internet at all, then you set up the router so the proxy CAN get through, then you change all workstations to use the proxy.

I still think you'd be best off getting a cheap LinkSys or something similar.
0
 
LVL 1

Author Comment

by:James Hilloya
ID: 9950992
Cheap Linksys what?
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9951024
LinkSys router.  Just plug it in between your broadband connection and whatever you are using now.  You might need about 14 minutes worth of changes to get it up and running, depending on your current LAN configuration, including blocking the sites you don't like.

They start at about $60-$75.
0
 
LVL 1

Author Comment

by:James Hilloya
ID: 9951246
I already have a router on my network... a Cisco 1720 router.
0
 
LVL 31

Accepted Solution

by:
qwaletee earned 20 total points
ID: 9954163
OK, CISCO's are beyond my abilities, but most CISCO's can be configured to do the same thing.  You'll have to ask another expert how to configure the 1720 to block certain IP addresses from being reached.

The simplest way may be to define a false static route.
0

Question has a verified solution.
