Make DNS Server use local hosts file to answer queries

ddiazp
We have a Microsoft Windows 2008 DNS Server resolving queries for our corporate network.

What I want to do is edit the hosts file in that server ONLY, and have DNS use that hosts file to help resolve queries from DNS (like a black-hole DNS, for site blocking)

For example, the server gets a query for facebook.com, and the DNS server will try to find that domain in the hosts file, and respond with its assigned IP address, etc.

I'm aware of opendns.org, creating forward zones for each domain I want to block, conditional forwarding, and creating a Domain Policy to propagate the hosts file, but I don't find them practical as I have hundreds of sites to block, and modifying Domain Policies for me is a no-no. I also don't want to invest in ISA or any other proxy-like appliance/server.

What I want is to have DNS use its own local hosts file to answer queries.

PS: I was told I could do it under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS, but there are no priority settings there.

Any clue? I'm sure I have done something like this in the past so sure it can be done.

Regards, and thanks in advance,

D

Jason Watkins, IT Project Leader

Commented:
Hello,

Here is one example for the client-side of things: http://smallvoid.com/article/windows-hosts-file.html

and another: http://www.mvps.org/winhelp2002/hosts.htm

/F

Author

Commented:
Thanks for the answer.

However, like I said before, I don't want to do any configuration on any client (as I have hundreds, this is not practical). I want to only edit the hosts file on the DNS Server itself, and have the server use its own hosts file to resolve.

I never saw anything like that for Windows DNS. I saw proxy services that you could run, but you said you are trying to avoid that.

So you would be fine editing a hosts file for blocking sites/domains, but not setting up zones for them in DNS? What difference do you see between the two?

You could have a batch file BlockThisDomain.com which takes input (%1) and run dnscmd /createdomain %1 (or whatever the correct syntax is), then add some fake records. Seems that would be just as easy as editing a single hosts file.  


Thanks,
Mark
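The batch-file idea above, worked through as an added example (not code from the thread or from any of its participants). It reads a hosts-style block list on the DNS server itself, creates one file-backed primary zone per domain with dnscmd.exe, and adds an apex and a wildcard A record pointing at the sinkhole address from the file, so every client that uses this server gets the sinkhole answer with no client-side changes. The block-list path, its "<ip> <domain>" line format and the sample names are assumptions; dnscmd's /ZoneAdd, /ZoneInfo and /RecordAdd switches are its documented ones. Run it in an elevated PowerShell session on the Windows 2008 DNS server.

```powershell
# Added example, not from the original thread. Sinkholes domains listed in a
# hosts-style file by making the local DNS server authoritative for each one.
# Assumed path and file format ("<ip> <domain>" per line, '#' starts a comment).
param(
    [string]$BlockListPath = 'C:\DNS\blocklist.txt'   # assumed location
)

function Invoke-DnsCmd {
    param([string[]]$Arguments)
    # dnscmd.exe exits 0 on success; a non-zero code (zone already exists,
    # bad record data, not elevated) is handed back to the caller.
    $output = & dnscmd.exe @Arguments 2>&1
    return New-Object PSObject -Property @{
        ExitCode = $LASTEXITCODE
        Output   = ($output -join "`n")
    }
}

function Add-SinkholeZone {
    param([string]$Domain, [string]$SinkholeIp)

    # A file-backed primary zone; /ZoneAdd /Primary creates the SOA and NS
    # records itself. Once this server is authoritative for the name it never
    # recurses to the real name servers for it.
    $zone = Invoke-DnsCmd @('/ZoneAdd', $Domain, '/Primary', '/file', "$Domain.dns")
    if ($zone.ExitCode -ne 0) {
        Write-Warning "ZoneAdd failed for $Domain (exit $($zone.ExitCode)): $($zone.Output)"
        return $false
    }

    # '@' is the zone root (facebook.com), '*' catches every subdomain
    # (www.facebook.com, m.facebook.com, ...).
    $apex = Invoke-DnsCmd @('/RecordAdd', $Domain, '@', 'A', $SinkholeIp)
    $wild = Invoke-DnsCmd @('/RecordAdd', $Domain, '*', 'A', $SinkholeIp)
    return ($apex.ExitCode -eq 0 -and $wild.ExitCode -eq 0)
}

# Parse the block list. Constructed example lines:
#   0.0.0.0 facebook.com
#   0.0.0.0 ads.example.net   # trailing comments are ignored
$entries = @(Get-Content -Path $BlockListPath |
    ForEach-Object { ($_ -split '#')[0].Trim() } |
    Where-Object { $_ -ne '' } |
    ForEach-Object {
        $parts = $_ -split '\s+'
        if ($parts.Count -ge 2) {
            New-Object PSObject -Property @{
                Ip     = $parts[0]
                Domain = $parts[1].ToLower().TrimEnd('.')
            }
        }
    })

$added = 0
foreach ($entry in $entries) {
    # Never clobber a zone this server already hosts (your own AD zone, for
    # instance) with a sinkhole: /ZoneInfo succeeds only if the zone exists.
    $info = Invoke-DnsCmd @('/ZoneInfo', $entry.Domain)
    if ($info.ExitCode -eq 0) {
        Write-Warning "Zone $($entry.Domain) already exists on this server; skipping"
        continue
    }
    if (Add-SinkholeZone -Domain $entry.Domain -SinkholeIp $entry.Ip) { $added++ }
}
Write-Host "Sinkholed $added of $($entries.Count) domain(s) read from $BlockListPath"
```

Re-running the script is safe because existing zones are skipped; to unblock a domain later, `dnscmd /ZoneDelete <domain> /f` removes the zone and the server resumes recursing for it. If the server is a domain controller and you would rather have the sinkhole zones replicate, replace `/Primary /file <name>.dns` with `/DsPrimary`.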

Hosts files are for a client to resolve a host, not a way for a host to resolve for another host; that's what Dynamic Name Services are all about.

You'll need to create a ptr (pointer) in your DNS server to reflect the name of the service you want against its IP address, so other clients using this DNS service get the correct IP.

In older versions of DNS services, you could add a hosts file (or services file) which would provide a lookup; however, nowadays with Active Directory integrated DNS services, that manual editing of text files is not required. Just use the DNS server option in Administrative Tools to make/remove entries.

Make that Domain Name Services, I need food.
Jason Watkins, IT Project Leader
Commented:
Sure,

The DNS server will look at its own zone database to answer queries, you know this; however, when it comes to blocking a specific domain, the process is zone DB, DNS cache, recursion. Check the 'boot' file option to load a BIND file at DNS startup. Perhaps you could fake out your own DNS server.

http://technet.microsoft.com/en-us/library/cc775637%28WS.10%29.aspx

Author

Commented:
Thanks all for the quick replies.

We'll evaluate what's the best way to go and accept a solution accordingly.
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

You also have the Global Query Block List if you wish to use that (available in 2008 and the latest versions of 2003).

http://technet.microsoft.com/en-us/library/cc794902(WS.10).aspx

It stores the block list in the registry, so it is likely to be limited to 1 MB in size. You can fit a lot of text into 1 MB though.

However, as that drops the query entirely it may not be the functionality you're after.

Chris
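The Global Query Block List mentioned above, as an added example (not code from the thread or its participants). It matters in practice that `dnscmd /config /globalqueryblocklist` replaces the whole list rather than appending to it, so a naive call silently drops the default wpad and isatap entries; this snippet reads the current list from the registry value the feature is stored in, merges in the new names, writes the union back and enables the feature. Two caveats to keep in mind: the list holds single labels (wpad, isatap), not full domain names, and the server only applies it to names inside zones it is authoritative for, which is the "limited extent" Chris refers to. The names to add are an illustration. Run elevated on the DNS server.

```powershell
# Added example, not from the original thread. Appends to the DNS Global Query
# Block List without discarding the entries already present.
$namesToBlock = @('adserver', 'tracking')   # assumed illustrative labels

# The list is persisted as a REG_MULTI_SZ under the DNS service parameters,
# which is where the registry-value size ceiling Chris mentions comes from.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$current = @((Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).GlobalQueryBlockList)

# Case-insensitive union, existing entries first, empty strings dropped.
$merged = @(($current + $namesToBlock) |
    Where-Object { $_ } |
    ForEach-Object { $_.ToLower() } |
    Select-Object -Unique)

# Write the whole list back: this switch sets, it does not add.
& dnscmd.exe /config /globalqueryblocklist @merged
if ($LASTEXITCODE -ne 0) { throw "dnscmd /config /globalqueryblocklist failed (exit $LASTEXITCODE)" }

# The list is only consulted while the feature is enabled.
& dnscmd.exe /config /enableglobalqueryblocklist 1
if ($LASTEXITCODE -ne 0) { throw "dnscmd /config /enableglobalqueryblocklist failed (exit $LASTEXITCODE)" }

# Read it back from the server to confirm what is now in force.
& dnscmd.exe /info /globalqueryblocklist
```

Because a blocked label is simply not resolved by the server rather than answered with a sinkhole address, this is a fit for stopping clients from discovering a rogue wpad or isatap host in your own zones, not for redirecting hundreds of external domains.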

Commented:
What are you thinking Chris, an internet proxy server?
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

No the query block list is built into the 2003 (undocumented) / 2008 DNS service. It would work, to a limited extent, for this :)

Chris
On re-reading, does the root zone file help fulfil your request?

Author

Commented:
thanks
