paulmcguire7002 asked:

Website Blocking

Being new to firewalls and proxy servers, I have a small network with limited bandwidth for the internet and was wondering how to configure my Cisco ASA5505 using ASDM software to block certain bandwidth-hungry sites that seem to be popular amongst our users.

Thanks Paul
ASKER CERTIFIED SOLUTION
Ruscal:

paulmcguire7002 (Asker):

Hi Ruscal

Can I integrate this within my SBS server? I have one server doing almost everything (AD, Exchange, etc.) with the exception of an Oracle database on a Linux box. I'll take a look.

Paul
paulmcguire7002 (Asker):

Also, we already have forward lookups to our public ralls-group.com DNS server, which resolves our emails and such. If I point it to another DNS, will it not mess this up?

Ruscal:

Yes, at the office I'm at now I use OpenDNS as the forwarding servers in the Active Directory DNS server on site.  All of the client machines connect to this local DNS server (as all good AD machines do) and ask it for the lookup information.  It then asks OpenDNS for the right answer (as opposed to my ISPs DNS).

I use Server 2003 Standard and not SBS, but the setup should be very close.  From the DNS control applet, right click on the server and select Properties.  Select the "Forwarders" tab in the window that appears.  In the top box, you should have "All other DNS domains" highlighted.  In the lower box (the one for IP addresses) make sure that the 2 OpenDNS IPs are listed (208.67.222.222 & 208.67.220.220).  You can see this in the picture I'm attaching.

Then head over to OpenDNS.com and set up your account.  If you need to know what your external IP address is (OpenDNS needs to know it so it can tell which server requests come from you and apply your specific rules to those requests) then head over to http://www.ipchicken.com

Any more questions and I'd be happy to help.
Attachment: opendns.JPG
Ruscal:

In that same window I pictured above, you would click "New..." next to the "DNS domain:" box and enter the domain that you want a custom forwarder for (in this case "ralls-group.com").  Then, when it is highlighted in the top (DNS domain) window, put the IPs of its DNS server(s) in the lower IP window.

What that will do is say "If the request is for anything at *.ralls-group.com then go to the DNS at these IPs.  For all other DNS domains, go to the OpenDNS servers at these 2 IPs"

While I edited it out of the picture above (for security and confidentiality and all) there are actually 3 other forwarding domains setup on that server ;-)
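The same forwarder and conditional-forwarder setup Ruscal walks through in the DNS console, done with the DnsServer PowerShell module. This is an added example, not Ruscal's or the thread's own instructions: it assumes Windows Server 2012 or later (these cmdlets do not exist on the Server 2003 box in the thread, where the GUI steps above apply), and the two ralls-group.com name-server addresses are placeholders to be replaced with the real ISP-side servers.

```powershell
# Added example, not from the thread. Run in an elevated prompt on the AD/DNS server
# with the DnsServer module (Windows Server 2012+). The OpenDNS addresses are the
# ones given in the thread; $MailDomainDns holds placeholder (TEST-NET) addresses
# standing in for the public ralls-group.com DNS servers.
Import-Module DnsServer

$OpenDns       = @('208.67.222.222', '208.67.220.220')
$MailDomain    = 'ralls-group.com'
$MailDomainDns = @('192.0.2.10', '192.0.2.11')   # placeholders, not real servers

function Set-OpenDnsForwarding {
    # 1. "All other DNS domains" -> OpenDNS. Set-DnsServerForwarder replaces the
    #    whole list, so the previous ISP forwarders are dropped in the same step.
    #    -UseRootHint $false stops the server from going around OpenDNS to the
    #    root servers if OpenDNS is slow to answer, which would bypass filtering.
    Set-DnsServerForwarder -IPAddress $OpenDns -UseRootHint $false

    # 2. Conditional forwarder: anything under ralls-group.com is sent to that
    #    domain's own servers rather than OpenDNS, so mail-related lookups keep
    #    working no matter what the OpenDNS filter level is set to.
    if (-not (Get-DnsServerZone -Name $MailDomain -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $MailDomain -MasterServers $MailDomainDns
    }
}

function Get-ForwardingSummary {
    # Return what the server will actually do, for comparison with the GUI picture.
    [pscustomobject]@{
        AllOtherDomains      = (Get-DnsServerForwarder).IPAddress.IPAddressToString -join ', '
        ConditionalForwarder = $MailDomain
        ConditionalServers   = (Get-DnsServerZone -Name $MailDomain).MasterServers.IPAddressToString -join ', '
    }
}

Set-OpenDnsForwarding
Get-ForwardingSummary | Format-List
```

Once this runs, the server-side half of the chain (local AD/DNS server -> OpenDNS for everything except ralls-group.com) is in place; the clients still have to point at the local server, and the server's own cache needs clearing (Clear-DnsServerCache) before the new path is used for names that were already resolved.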
paulmcguire7002 (Asker):

At the moment I have two DNS servers under All other DNS domains, 212.87.64 10/11, so can I remove these and put in the OpenDNS ones instead, and this won't affect our ralls-group.com ISP and those emails going to and through?

Been kinda chucked in the deep end looking after this network.

Thanks
paulmcguire7002 (Asker):

OK, I see now, it makes sense to me. I'll give it a go and let you know...

Thanks
Ruscal:

Really and truly, you wouldn't even have to make a new domain-specific forwarder for ralls-group.com; OpenDNS would forward it for you (as long as all of the IPs are internet-legal, and you're using an internet-legal IP for the DNS server, so I'm assuming that it's all public side and not private addressing on the mail server).

But, you can still make the conditional forwarder if you like, it won't hurt a thing.
paulmcguire7002 (Asker):

It's all done. I've added the OpenDNS addresses and specified for ralls-group; we have internet-legal addresses and private addresses behind our NAT router. I've tried blocking a site but it doesn't seem to be working. I'm wondering, could it still be using the ralls-group DNS as lookup?
Ruscal:

First, make sure your clients are referencing your server.  Second, clear the DNS cache on your clients and server (they will time out after a while, but if you want to force the issue you can).

On the server, right click on the server icon in the DNS control applet again and this time select Clear Cache.  On a client machine just type "ipconfig /flushdns" from a command prompt.  The information retrieved from DNS is stored locally for x amount of time (normally at least a day) to keep from overloading DNS servers.  This will tell your server that the next request needs to be fresh info from OpenDNS, and your clients that it needs to be fresh from the server.

Also, when you sign into OpenDNS, in the dashboard under Networks, does it say (your current IP) next to the IP of your network?  (See attached pic for an example of where I'm looking.)  You may need to actually browse to ipchicken or OpenDNS from the server itself to see the correct IP listed.

And finally, how much time did you give it?  When you create a new network it tells you how long it will take for those settings to replicate to all of their servers (something like 15-30 min) before your settings first start working.  But trust me, when they kick in and it blocks MySpace, you'll know. ;-)
Attachment: opendns2.JPG
paulmcguire7002 (Asker):

I've done all of that and now think it's a case of hanging on till tomorrow, letting it all kick in; been a long day. I'll let you know tomorrow, probably me rushing things. And thanks again for the help. Can I be nosey and ask about your network/infrastructure/systems?

Paul
Ruscal:

I understand the long days, I've been having one too.  And you're welcome to ask; can I pick which of my clients I talk about while answering?  Seriously though, for the most part I work in Windows AD shops using Cisco network hardware and Dell clients (mainly Dell servers too, with a few exceptions), and Polycom telecom equipment.  (When I get the chance to set up from the ground up I try to keep 'em all alike enough that I'm not spreading my memory too thin, but the business' needs always come first.)

But if you want specifics ask and I'll do my best to answer.
paulmcguire7002 (Asker):

Just checked and it's still not blocking the site; all my settings check out, so I think it's just going to have to wait.

paulmcguire7002 (Asker):

Still no joy. I've checked everything; just trying to think if I'm missing something?
Ruscal:

My post above, with the screen cap of the OpenDNS dashboard... when you browse to the dashboard from the server, do you see "(your current ip)" by the network you created for the office?
paulmcguire7002 (Asker):

Yep, and in the settings it has **.**.**.66/32
Ruscal:

OK, well here's a test for it then.  From one of your client machines enter the following statement at a command prompt:

nslookup www.gogle.com

That's an intentionally misspelled Google (we're gonna try with only one 'o' to see if OpenDNS is really who's being asked and how they're responding).
paulmcguire7002 (Asker):

Yes, it's using OpenDNS to look up an address, hmmm.
Ruscal:

And, just one more check... what does this site say?
http://welcome.opendns.com/

Also (and this has literally changed in the last 24 hours, I just had to re-enable my content filtering), have you gone into the dashboard today and checked what setting you are using under "Settings" and "Content Filtering" for your office network?  Again, I just realized that when they updated (last night I guess) it had disabled my content filters.
paulmcguire7002 (Asker):

All my filters are intact and I have the "Welcome to OpenDNS" splash screen....
paulmcguire7002 (Asker):

Settings
Attachment: dns.JPG
Ruscal:

Ahh, the Minimal filter setting only blocks domains that are known as phishing sites.  You should up (or customize) your filtering level to actually get positive blocking.  The site I'm at right now actually uses the High setting without disrupting normal work activities.  The biggest advantage here has been that they run a call center and a few of the operators were going along at about 40% of what everyone else was doing; found out they were spending all day on Facebook.  Killed that pretty quick when we turned this on.

But yeah, the Minimal filtering level hardly blocks anything.  Once you up the filtering level, give it a few minutes (about 5) and flush your DNS server's cache and your local DNS cache again, then try a forbidden site.

Oops, scratch most of that, I see the Always Block list now... hurm.... perhaps try clearing the cache(s) again, then attempting to get to MySpace.
paulmcguire7002 (Asker):

Yeah, I keep clearing it but no joy...... Surely it doesn't take two days to update, but I can't see anything wrong with my settings.
Ruscal:

It only took about 24 hrs for this location (and I can't clearly remember the rest).  But no, I'm not seeing anything else wrong with your settings either.
paulmcguire7002 (Asker):

Still no joy. I wondered whether the firewall or router may hold cache information?
paulmcguire7002 (Asker):

Still no luck. OpenDNS is providing pages for me but is providing no content filtering :(
Ruscal:

That is indeed strange; like I said, it worked for me in under a day (less when I got used to clearing caches).

From one of your client computers, try running "nslookup www.thisisafakeurl.com" and see what IP address it spits back.  For me it was 208.69.32.132, which is the IP for the OpenDNS Guide page (the search page).  You should get something similar if the client forwards its requests properly.  (You should also get the search page if you type that fake URL in a browser's address bar.)

It sounds like the DNS query chain isn't quite right.
It should be like this:

client --> local AD/DNS server --> OpenDNS --> world wide DNS system

And it sounds more like your client is skipping the local DNS server and going straight to OpenDNS --or-- it's skipping both the local server and OpenDNS and going straight to the traditional DNSs.
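A scripted version of the checks Ruscal has asked for across the last few posts (clients pointing at the local server, caches flushed, and a lookup compared between the local server and OpenDNS to see whether the chain client -> local AD/DNS server -> OpenDNS is really in use). This is an added example, not from the thread or from OpenDNS: it assumes a Windows client with the DnsClient module (Windows 8 / Server 2012 or later, so not the Server 2003 box in the thread), `$LocalDns` is a placeholder for the office AD/DNS server's address, and the OpenDNS addresses are the ones given earlier in the thread.

```powershell
# Added example, not from the thread. Run on one of the client workstations.
# $LocalDns is a placeholder for the office AD/DNS server; OpenDNS addresses are
# the two given in the thread.
$LocalDns = '192.168.1.10'
$OpenDns  = @('208.67.222.222', '208.67.220.220')

# Ruscal's "clear the dns cache on your clients and server": the server half needs
# DnsServer module rights, so it is allowed to fail silently on a plain client.
function Clear-ChainCaches {
    Clear-DnsServerCache -ComputerName $LocalDns -Force -ErrorAction SilentlyContinue
    Clear-DnsClientCache
}

# Resolve one name against one specific server and return its A-record addresses
# as a single sorted string, so two servers' answers can be compared directly.
function Get-AnswerFrom([string]$Name, [string]$Server) {
    $records = Resolve-DnsName -Name $Name -Server $Server -Type A -ErrorAction SilentlyContinue
    ($records | Where-Object Type -eq 'A' | ForEach-Object IPAddress | Sort-Object) -join ','
}

function Test-DnsChain {
    param([string]$Name = 'www.gogle.com')   # deliberate misspelling, as in the thread

    # Check 1: which server does this client actually ask? If it is not the local
    # AD/DNS server, the forwarders configured there are never consulted.
    $configured = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                   Where-Object ServerAddresses).ServerAddresses
    $usesLocal = $configured -contains $LocalDns

    # Check 2: flush so the next answers are fresh, not yesterday's cached ones.
    Clear-ChainCaches

    # Check 3: ask the local server (whose answer should have come via OpenDNS) and
    # OpenDNS directly. A different answer from the local server means it is still
    # forwarding to the old ISP resolvers or falling back to root hints.
    $viaLocal   = Get-AnswerFrom -Name $Name -Server $LocalDns
    $viaOpenDns = Get-AnswerFrom -Name $Name -Server $OpenDns[0]

    [pscustomobject]@{
        Name             = $Name
        ClientServers    = ($configured -join ',')
        ClientUsesLocal  = $usesLocal
        AnswerViaLocal   = $viaLocal
        AnswerViaOpenDns = $viaOpenDns
        ChainLooksRight  = $usesLocal -and ($viaLocal -ne '') -and ($viaLocal -eq $viaOpenDns)
    }
}

Test-DnsChain | Format-List
```

ChainLooksRight being true only shows that answers are reaching the client through OpenDNS, which is where the asker already was. It does not show that OpenDNS is applying the office's filter to those queries: that depends on which public IP the queries arrive from, and a client NATed to a different public address than the server's (the case the thread ends on) passes this test and still gets no filtering.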
paulmcguire7002 (Asker):

208.67.217.132 is the address, so I don't think there's any problem there :(
Ruscal:

Are your clients using the same internet IP as your server is?  In OpenDNS you have entered the server's public IP as one of "your networks," but if the clients use a totally different public IP I'd put it in as a network too.

I know I've said this one before, but even though I can read router configs all day long I still find the easiest way to confirm public side IPs is just to visit ipchicken.com from the machines in question.  It seems that you're using OpenDNS for name resolution, just that it isn't associating your requests with your network for site blocking.
paulmcguire7002 (Asker):

My workstations' network address is **.**248.66 and my server is **.**.248.67. I added both as networks; I thought they were part of the same network, but they work, MySpace is blocked, I cannot thank you enough.

Paul
Ruscal:

I'm just sorry it took so long to think of that lil hiccup.

You're welcome, and good luck.
--R
paulmcguire7002 (Asker):

Thanks a lot, it's a good system, I've been having a play.

Have a good day
Paul