DNS Question: How to make a public web site resolve to localhost

I have a Windows Server 2003 Standard running DNS now.  This is my DC as well and is one of two DNS servers that handles DNS queries for users on our domain.  The other one is a DC that also is running Windows Server 2003 Standard.  Both are SP1 and fully patched.

What I want to do is to put another layer in the mix of blocking IM traffic on our network.  Right now I have done all I can at the firewall level.  I want to set up the DNS server so that if requests for popular IM servers are made, they resolve back to the localhost (loopback) and never hit the network.

Does that make sense?  For instance, if a user fires up their IM software and it starts trying to communicate with its authentication server at the "my.stupid.im.com" address, I want the DNS server to resolve that back to the localhost at

Can someone give me step-by-step on how to do this?  Assume I'm ignorant with configuring DNS (trust me I am).

Thanks in advance!
Chris Dent (PowerShell Developer) commented:

But that's just it - there's no need to create the aol.com zone for the im record for the purposes of blocking. You ignore the hostname and treat the entire thing as a domain.

So the Domain Name is im.aol.com, the only host record is @ (or "(same as parent folder)"). In that case when you request im.aol.com you're getting a host record back which has been bound to the domain name itself.

In Windows DNS that gives you:

DNS Server
       | --- Forward Lookup Zones
                             | --- im.aol.com

And inside that zone are just the default SOA and NS records and (same as parent folder) Host(A)

Hope that's a little more clear this time.

brwwiggins (IT Manager) commented:
You would have a real problem doing this on DNS. You would have to configure the server so that you are "authoritative" (in the clients' eyes at least) for the IM domains.

For example, if you want to stop im.aol.com you would have to configure a DNS server that pretends to be authoritative for aol.com and therefore would have to host all other records for aol.com to maintain services. It would be a nightmare to try to find/update the DNS records for this domain.

Other option would be to modify the hosts file on the clients if possible.
dmcoop (Author) commented:
Specifically what I am trying to kill with DNS is login.oscar.aol.com.

So brwwiggins are you saying that if I make my DNS server authoritative for login.oscar.aol.com that I have to do it for the entire aol.com domain?

I'm also wanting to kill each of the following:


Now obviously I don't want to block the entire yahoo.com, aol.com, and hotmail.com domains.  icq.com would be ok to kill the whole thing.  We do allow users to check their personal email at yahoo, aol, and hotmail.  We just want to get the IM stuff under control.

It really isn't a huge problem for us but one will try to use it every couple of months.  We have a good usage policy and generally speaking our users abide by it.  Sometimes newbies will try to install IM on their PC and that is what I am trying to do here . . . I just want to kill the servers that authenticate them.

Any more ideas?
Chris Dent (PowerShell Developer) commented:

Hey guys,

It's not true that you'd have to make a server authoritative for aol.com to answer a request for im.aol.com.

You could make your server authoritative for im.aol.com just as easily, simply add a zone called that and make the Host Record for the Zone (either listed as @ or "(same as parent folder)") point to

The step-by-step version is:

Open DNS Manager
Expand Forward Lookup Zones
Add a New Forward Lookup Zone called "im.aol.com" (The zone can be stored as Primary, or Primary AD Integrated)
Add a New Host Record to the zone, leave the Host field blank and add the IP Address


I have added primary zones for other domains and it works, but it will never look to the real DNS zone ever again for other hosts.

You can also add these entries to the hosts file on each machine. You can create a master hosts file and easily distribute it to users' machines.
Chris Dent (PowerShell Developer) commented:

Just remember you're not adding a zone for an entire domain like aol.com, you're adding a domain for the sub-domain im.aol.com (example only of course). Requests for aol.com will still go outside the network because your server won't be claiming authority for aol.com.

The principle is sound and entirely practical.

Chris is right; you'd be creating an internal authoritative record for a hostname, not a domain name.

login.oscar.aol.com is the login server for aol, you divert it, and all aol logins will not be processed.

oscar.aol.com being blocked should also block *.oscar.aol.com if you define it that way.

You could have also simply used a different approach by actually setting the hostname and/or IP address of login.oscar.aol.com to disallow connection.

You could have CNAMED login.oscar.aol.com to a drop box inside your network and added scripts or logging or anything else you wanted to do to check on aol login attempts.

It's always nice when a user tries to login to aol at work and he gets only "Access Denied: no such user at aol.com."  In fact, you can send them any message you want when refusing their request and you could be logging each attempt.
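The behaviour the thread is arguing about, namely that a zone for the exact sub-domain answers im.aol.com or login.oscar.aol.com without the server ever claiming aol.com, and that every name below a sinkholed zone then stops reaching the internet (answered by a wildcard if you define one, otherwise NXDOMAIN), modelled as an added Python example; this is not code from any commenter, the real change is made in DNS Manager, and the zone names and records are constructed for illustration.

```python
# Constructed model of how a DNS server with local "sinkhole" zones decides
# whether a query is answered locally or forwarded on. Hypothetical zones only.

SINKHOLE_IP = "127.0.0.1"  # loopback, as the question asks for

# Local forward lookup zones: zone name -> records inside the zone.
# "@" is the "(same as parent folder)" host record; "*" is an optional wildcard.
ZONES = {
    "login.oscar.aol.com": {"@": SINKHOLE_IP},                    # exact host only
    "oscar.aol.com":       {"@": SINKHOLE_IP, "*": SINKHOLE_IP},  # whole sub-domain
    "icq.com":             {"@": SINKHOLE_IP},                    # apex, no wildcard
}


def find_zone(name, zones=ZONES):
    """Return the longest local zone that `name` sits at or below, or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # longest suffix first
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(name, zones=ZONES):
    """Simulate the server's decision for one query.
    Returns ('sinkhole', ip), ('nxdomain', None) or ('forward', None)."""
    zone = find_zone(name, zones)
    if zone is None:
        return ("forward", None)            # not ours: sent to forwarders/root hints
    records = zones[zone]
    if name.lower().rstrip(".") == zone:
        return ("sinkhole", records["@"])   # apex answered by the "(same as parent)" record
    if "*" in records:
        return ("sinkhole", records["*"])   # wildcard covers every host below the zone
    return ("nxdomain", None)               # authoritative, so nobody else is asked


if __name__ == "__main__":
    for q in ["login.oscar.aol.com", "mail.aol.com", "aol.com",
              "www.oscar.aol.com", "icq.com", "www.icq.com"]:
        print(q, "->", resolve(q))
```

Note the last case: with only an "@" record in icq.com, any other host under icq.com gets NXDOMAIN rather than going out to the real icq.com servers, which is the side effect the comment above describes.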
brwwiggins (IT Manager) commented:
The example I was trying to give was im.aol.com being the DNS name, with im being the hostname and aol.com being the domain name. In that case how do you make an authoritative record for the hostname without making your DNS server think it is authoritative for the parent domain?

If he wants to block the hostname cs in the domain yahoo.com then the DNS server would have to serve requests for yahoo.com.

Everyone is correct that you don't have to be authoritative for the entire aol.com to block items from the subdomain oscar.aol.com, but what about the situation when there is no subdomain?

This is what I was trying to get across...
brwwiggins (IT Manager) commented:
ok, I apologize. I see your point now.

Thanks for clarifying and I'll shut up now :)
Chris Dent (PowerShell Developer) commented:

Well as long as it makes sense :)

dmcoop (Author) commented:
Chris I'll be trying your suggestion today and will post back.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.