Jon DeVito asked:
Block a DNS domain lookup for certain users in Win2003 Server

OK, so basically I needed to block certain domains from my corporate network. What I did was create those domains in my Windows 2003 Server AD-integrated DNS and create A records pointing them to an internal web server with a page that says something like "Sorry, you can't go here from work". This works perfectly for what we were trying to accomplish. But now I have an issue where upper management wants to be able to get to some of these sites. Is there any way that I can tell the DNS that if these users, or their specific IPs, request these domains, they should not use the internal DNS to resolve those addresses? Either by blocking them from reading the DNS entries for those specific domains, or by pointing them to a different DNS server just for those domains? I have both Mac & PC users needing to do this. There are only a few people that I need to do this for, so if it can't be done at the server level (which would be highly preferred), I would not mind going to their computers to fix the problem. Any way to get them off my back would be appreciated.

Thanks in advance.
JD
ChristopherDunn

Windows Server 2003 does not have this functionality in its DNS, but many other products do. Assuming you do not want to replace your current DNS system, you could also work out something if you wanted to run an additional DNS server for only those users. You could set this as the primary and have only the entries for these sites. You could set it to fail over to the other server if the request didn't match any of those sites. I wouldn't recommend using a public DNS for this, as that could cause tons of problems.

In any case, this is not really ideal at all - have you thought about filtering software (like Websense)? DNS filtering is easy to override if the user is able to change their DNS settings or hosts file. Not to mention the most obvious way to override it: simply typing the IP address into their browser.

It's a little old school, but a simple edit to their hosts file would override any DNS entries. If you have a lot of sites this could be tedious, and whenever a site changes its IP, it would break. If the users don't have different hosts files, you could keep a master hosts file and copy it with their logon scripts, though. Then you'd only need to change one file.
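The "master hosts file copied by a logon script" idea from the reply above, worked through as an added example (this is not code from the thread or from any of its participants): a Python helper that merges one managed block of override entries into a user's hosts file idempotently, and a drift check that reports a managed name that is missing, points at the wrong address, or is shadowed by an earlier line (the first matching hosts-file line wins). The marker comments, the override list and the sample hosts file are constructed for the example, and TEST-NET addresses stand in for the sites' real IPs. On Windows 2003 the logon script would still do the actual copy; this only produces and checks the file content.

```python
"""Maintain a managed block of hosts-file overrides for the few users who
are allowed past the DNS sinkhole, and detect drift (added example).

The AD-integrated DNS answers for blocked domains with an internal sinkhole
address; a hosts-file entry mapping the same name to its real address takes
precedence over DNS on the exempted machines.
"""
import ipaddress
import re

# Markers delimiting the block this script owns (constructed names).
BEGIN_MARK = "# BEGIN managed-overrides"
END_MARK = "# END managed-overrides"

# Master override list (constructed sample): hostname -> real address.
# TEST-NET addresses stand in for the sites' actual IPs.
MASTER_OVERRIDES = {
    "social.example": "198.51.100.10",
    "www.social.example": "198.51.100.10",
    "video.example": "203.0.113.25",
}

# Constructed sample of a user's current hosts file, including a stale
# manual entry left over from an earlier fix attempt.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# stale manual entry from an earlier fix attempt
198.51.100.99   video.example
"""


def parse_hosts(text):
    """Return [(ip, [names...])] for every non-comment entry, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: ignore rather than guess
        entries.append((parts[0], [n.lower() for n in parts[1:]]))
    return entries


def strip_managed_block(text):
    """Remove any previous managed block so repeated merges are idempotent."""
    out, inside = [], False
    for line in text.splitlines():
        if line.strip() == BEGIN_MARK:
            inside = True
            continue
        if line.strip() == END_MARK:
            inside = False
            continue
        if not inside:
            out.append(line)
    return "\n".join(out).rstrip("\n") + "\n"


def render_managed_block(overrides):
    """Render the master list as a marker-delimited block, one name per line."""
    body = [BEGIN_MARK]
    for name in sorted(overrides):
        ipaddress.ip_address(overrides[name])  # fail loudly on a typo in the master list
        body.append(f"{overrides[name]:<16}{name.lower()}")
    body.append(END_MARK)
    return "\n".join(body) + "\n"


def merge_hosts(existing_text, overrides):
    """Return the hosts file with exactly one fresh managed block at the end."""
    return strip_managed_block(existing_text) + render_managed_block(overrides)


def check_drift(existing_text, overrides):
    """List managed names that are missing, wrong, or shadowed by an earlier line."""
    first_seen = {}  # name -> address of the first line naming it (that line wins)
    for ip, names in parse_hosts(existing_text):
        for name in names:
            first_seen.setdefault(name, ip)
    problems = []
    for name, wanted in overrides.items():
        got = first_seen.get(name.lower())
        if got is None:
            problems.append(f"{name}: missing")
        elif got != wanted:
            problems.append(f"{name}: resolves to {got}, expected {wanted}")
    return problems


if __name__ == "__main__":
    print(merge_hosts(SAMPLE_HOSTS, MASTER_OVERRIDES))
    for problem in check_drift(merge_hosts(SAMPLE_HOSTS, MASTER_OVERRIDES), MASTER_OVERRIDES):
        print("drift:", problem)
```

Running it on the constructed sample shows the limit of the approach that the thread goes on to discuss: the merge appends the managed block, but the stale `video.example` line earlier in the file still wins, so `check_drift` keeps reporting it until someone removes that line. It also only helps for hostnames whose addresses are known and stable; a site served from many changing IPs cannot be pinned this way.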
Jon DeVito (asker):
Thanks, I would look into Websense but the cost is way too high as we have about 200 users. We need a no-cost (or very low-cost) solution. If I set up a second DNS server in the domain, won't the zones replicate? I looked at the zones I have now & I don't see an option for replicating only to certain servers. I already tried the hosts file way & it doesn't seem to work right on sites that have a lot of IPs like Facebook & MySpace; some things work & some things don't, probably because different parts of the site point to different IPs. None of my users are really capable of changing the DNS on their computer & we run monitoring software, so I would see that they went somewhere they weren't supposed to, so I'm not too worried about that.
ASKER CERTIFIED SOLUTION
ChristopherDunn

Jon DeVito (asker):
Gotcha. It would be nice to be able to block users from even seeing that zone, but if this is the only way I can do it I guess I'm stuck with a second DNS. Thanks for the help!

Jon