Solved

Using DNS Server to block Websites

Posted on 2003-12-11
19
1,984 Views
Last Modified: 2010-03-19
I have a network and a Windows NT server with DNS... how can I block certain websites from being accessed by my users???
Question by:James Hilloya
 
LVL 31

Expert Comment

by:qwaletee
ID: 9920835
You need a filtering firewall.  I don't know if you are using a "real" router or a SOHO-type router.  Some of the SOHO routers allow you to define site IP address and host name blocking.  All the real routers allow this.
0
 
LVL 1

Author Comment

by:James Hilloya
ID: 9920856
Is there no way to block the websites' IPs using my DNS server???
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9920939
Not really, to a determined user.  I think your idea is as follows.  When a PC on your network needs to contact a host, it looks up the IP address on your DNS server.  The DNS server has only your few internal addresses, so for internet stuff, it forwards the request on to ITS upstream DNS server.  If you add zones for the "blocked" addresses directly to the internal DNS server, it will no longer forward them upstream, and you can put in a dummy IP address for unwanted hosts.

Is that what you were thinking?

Then I hope your users know nothing about the internet.  Anyone who does will quickly figure out that all they need to do is add a HOSTS entry, or change to an external DNS server, in order to bypass your "trip."

Plus, it is typically EASIER to configure at the router.  If you have a real router, and someone on staff who understands it, you simply block the route.  If you have a Linksys, or other router that allows blocked host configuration, then you have it real easy; there is a screen in the config menu that allows you to just enter a list of blocked addresses.
0
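The two bypasses named above (a local HOSTS entry, or pointing the workstation at an outside resolver) are exactly what an administrator relying on a DNS sinkhole should watch for. The following is an added example, not code from the thread: it runs two checks over constructed sample data, one flagging LAN hosts that send port-53 traffic to anything other than the approved internal resolver, and one flagging HOSTS-file lines that override a blocked domain. The log format, addresses, resolver IP and domain names are all assumptions made up for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample firewall log (not from the thread).
# Fields: timestamp action proto src:port dst:port
SAMPLE_LOG = """\
2003-12-11T10:02:13 ALLOW UDP 192.168.1.20:1045 192.168.1.5:53
2003-12-11T10:02:14 ALLOW TCP 192.168.1.20:1046 203.0.113.8:80
2003-12-11T10:03:01 ALLOW UDP 192.168.1.31:1033 198.51.100.5:53
2003-12-11T10:03:05 ALLOW TCP 192.168.1.31:1034 198.51.100.5:53
2003-12-11T10:04:40 ALLOW UDP 192.168.1.5:2001 198.51.100.9:53
"""

# Constructed sample of a workstation HOSTS file (assumed content).
SAMPLE_HOSTS = """\
# hosts file
127.0.0.1       localhost
203.0.113.44    www.blocked.example   # someone routed around the sinkhole
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (UDP|TCP) (\S+):(\d+) (\S+):(\d+)$")


def find_dns_bypass(log_text, internal_resolvers, lan_cidr):
    """Return (timestamp, src, dst, proto) for LAN hosts that sent DNS traffic
    (dst port 53) anywhere except the approved internal resolvers.
    Queries sent BY the resolver are skipped: forwarding upstream is its job."""
    approved = {ip_address(r) for r in internal_resolvers}
    lan = ip_network(lan_cidr)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ts, _action, proto, src, _sport, dst, dport = m.groups()
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if int(dport) != 53 or src_ip in approved:
            continue
        if src_ip in lan and dst_ip not in approved:
            hits.append((ts, src, dst, proto))
    return hits


def hosts_overrides(hosts_text, blocked_domains):
    """Return (name, ip) pairs from a HOSTS file that name a blocked domain or
    any host beneath it; such an entry wins over the DNS sinkhole."""
    blocked = [d.lower().rstrip(".") for d in blocked_domains]
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], [n.lower() for n in parts[1:]]
        for n in names:
            if any(n == d or n.endswith("." + d) for d in blocked):
                found.append((n, ip))
    return found


if __name__ == "__main__":
    for hit in find_dns_bypass(SAMPLE_LOG, ["192.168.1.5"], "192.168.1.0/24"):
        print("external DNS use:", hit)
    for entry in hosts_overrides(SAMPLE_HOSTS, ["blocked.example"]):
        print("HOSTS override:", entry)
```

Both checks are only as good as their inputs: the log check needs the firewall to actually log outbound port 53, and the HOSTS check needs a way to collect the file from each workstation. The more robust fix the thread arrives at, blocking at the router, removes the need for either.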
 
LVL 1

Author Comment

by:James Hilloya
ID: 9921154
Yes, that works good... so I go to DNS Server Manager and add a new zone?? If so, what kind of zone? And how do I do this on Windows?? Please help?
0
 
LVL 1

Author Comment

by:James Hilloya
ID: 9921354
I mean how do I do this on Windows NT Server.
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9921623
You can merge in a zone file for the blocked domain with a start of authority record (so DNS will never refer). Or, you can use the DNS configuration panel, which I believe is a control panel applet under NT.

I have to apologize, I have not used the older NT DNS server, so I can't be more specific than that.
0
 
LVL 1

Author Comment

by:James Hilloya
ID: 9921683
Can you tell me exactly the steps on how to do it using DNS on a Windows 2000 DNS server, please?
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9924826
Here's an article for it: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q172953&GSSNB=1

Under NT, I believe the management console is under Start > Programs > Admin Tools > DNS Manager.

Right-click your DNS server, choose NEW ZONE

I believe you want an SOA record, so the server "thinks" it is the official server for the domain you want... assuming that you want to block all hosts in the domain (e.g., you want to block all of yahoo.com, not just mail.yahoo.com or www.yahoo.com).
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9924907
If you want to block only a single server, you can also define a zone at the server level, e.g., mail.yahoo.com is perfectly valid as a zone.  Just as com is a root zone, and yahoo.com, from the com perspective, is a subdomain AND a host name (http://yahoo.com does work, right?).  If you were to actually define a zone yahoo.com, and wanted to specify the host that is the same as the domain itself, you use @ for the host name.
0
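The two comments above describe the mechanism: a primary zone with an SOA record makes the internal server authoritative so the query is never forwarded, `@` names the domain itself, and a zone can be a whole domain or a single host. The block below is an added example, not from the thread or from Microsoft's DNS tooling: it writes the equivalent BIND-style zone text for a blocked name and models the resolver's decision (answer from the longest matching local zone, otherwise forward). The domain names, the name-server host and the dummy address are constructed for the example.

```python
"""Sinkhole zone generator and a model of local-zone-first resolution."""

DUMMY_IP = "127.0.0.1"  # assumed dummy target; any unroutable/internal address works


def sinkhole_zone(domain, ns_host, dummy_ip=DUMMY_IP, serial=2003121101):
    """Zone-file text that makes this server authoritative for `domain`.
    The SOA record stops the request being referred upstream; '@' is the zone
    apex (the domain itself) and '*' catches every host beneath it."""
    d = domain.rstrip(".").lower()
    return "\n".join([
        f"$ORIGIN {d}.",
        "$TTL 3600",
        f"@  IN SOA {ns_host}. hostmaster.{d}. ( {serial} 3600 900 604800 3600 )",
        f"@  IN NS  {ns_host}.",
        f"@  IN A   {dummy_ip}",
        f"*  IN A   {dummy_ip}",
    ]) + "\n"


def parse_zone(zone_text):
    """Minimal parser for the text produced above: returns (origin, {owner: ip})."""
    origin, records = None, {}
    for line in zone_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "$ORIGIN":
            origin = parts[1].rstrip(".").lower()
        elif len(parts) >= 4 and parts[1] == "IN" and parts[2] == "A":
            records[parts[0]] = parts[3]
    return origin, records


def build_zones(blocked, ns_host):
    """Map each blocked domain (or single host) to its parsed sinkhole records."""
    zones = {}
    for name in blocked:
        origin, records = parse_zone(sinkhole_zone(name, ns_host))
        zones[origin] = records
    return zones


def resolve(name, zones, upstream):
    """Answer `name` from the longest matching local zone; otherwise hand it
    to `upstream`, a callable standing in for the forwarder."""
    name = name.rstrip(".").lower()
    best = None
    for zone in zones:
        covered = name == zone or name.endswith("." + zone)
        if covered and (best is None or len(zone) > len(best)):
            best = zone
    if best is None:
        return upstream(name)          # not ours: forward as usual
    records = zones[best]
    if name == best:
        return records.get("@", "NXDOMAIN")  # the apex, i.e. the domain itself
    relative = name[: -(len(best) + 1)]
    return records.get(relative, records.get("*", "NXDOMAIN"))


def demo():
    # Constructed: block all of blocked.example, but only the one host mail.single.example
    zones = build_zones(["blocked.example", "mail.single.example"], "ns1.corp.example")
    upstream = lambda n: "203.0.113.10"  # stand-in for whatever the real forwarder returns
    return {
        "apex": resolve("blocked.example", zones, upstream),
        "host": resolve("www.blocked.example", zones, upstream),
        "single": resolve("mail.single.example", zones, upstream),
        "sibling": resolve("www.single.example", zones, upstream),  # not covered: forwarded
        "other": resolve("www.allowed.example", zones, upstream),
    }


if __name__ == "__main__":
    print(sinkhole_zone("blocked.example", "ns1.corp.example"))
    for label, answer in demo().items():
        print(f"{label:8s} -> {answer}")
```

The `sibling` case is the point of the single-host zone comment: a zone named `mail.single.example` sinkholes only that host, and `www.single.example` still goes upstream, whereas a zone at `single.example` with a `*` record would catch both.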
 
LVL 1

Author Comment

by:James Hilloya
ID: 9928109
I right-clicked on the DNS server and chose "New Zone"... now it is asking me what zone type I want, primary or secondary?? What should I do?? Then there are blanks to fill out for zone and server... I don't know what to do. The article you sent me is about how to install DNS; there is nothing there to block a website...
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9931042
Of course there is nothing about blocking a web site.  DNS is not designed to do that. You just want to fool your DNS so that it fools your users so the site effectively does not exist.

Create it as a primary (which means your server thinks it is the King of that domain).  The zone will be the domain or host you wish to block.  Your DNS server will be the server.
0
 
LVL 1

Author Comment

by:James Hilloya
ID: 9931090
After that I get asked for a "zone name" and a "zone file"; what should I put in there??... Also, if I choose primary zone I do not get the option to fill out "zone" or "server"... I only get those if I choose "secondary".
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9936176
That's odd, I don't know why it would not let you specify the zone name if you say primary.  You ALWAYS have to specify a zone name in the DNS system :(

If you take a look at the article I posted earlier, it includes a link to a whitepaper. That explains everything you will ever need to know about NT's DNS server.
0
 
LVL 1

Author Comment

by:James Hilloya
ID: 9949657
Thanks for all of your help, but it's not working... Do you know where and how I can download a proxy server?? I think I will set that up, even though I've never set up a proxy server before...
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9950976
The only free one I recall offhand is SpoonProxy.  There are a number of others, I think, which may be more full-featured.  Proxies require more work to set up... you need to close your router off so that most users can't get to the internet at all, then you set up the router so the proxy CAN get through, then you change all workstations to use the proxy.

I still think you'd be best off getting a cheap LinkSys or something similar.
0
 
LVL 1

Author Comment

by:James Hilloya
ID: 9950992
Cheap LinkSys what?
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9951024
LinkSys router.  Just plug it in between your broadband connection and whatever you are using now.  You might need about 14 minutes' worth of changes to get it up and running, depending on your current LAN configuration, including blocking the sites you don't like.

They start at about $60-$75.
0
 
LVL 1

Author Comment

by:James Hilloya
ID: 9951246
I already have a router on my network... a Cisco 1720 router.
0
 
LVL 31

Accepted Solution

by: qwaletee (earned 20 total points)
ID: 9954163
OK, Ciscos are beyond my abilities, but most Ciscos can be configured to do the same thing.  You'll have to ask another expert how to configure the 1720 to block certain IP addresses from being reached.

The simplest way may be to define a false static route.
0
