• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2130
  • Last Modified:

Facebook blocked by DNS A record. How to unblock on a single computer?

I have created a DNS entry on the server so that facebook.com is pointed to nowhere. This has worked well and prevents most users from accessing the site (they are not too tech savvy).

I am required to allow a single user to access the site. I had hoped to achieve this by creating entries in that user's hosts file. I have appended:

66.220.146.32   www.facebook.com
69.63.181.12    facebook.com
69.63.189.11    facebook.com
69.61.189.16    facebook.com
202.7.172.47    static.ak.fbcdn.net
67.19.113.186   login.facebook.com

to the hosts file. From that computer I can open facebook.com but upon logging in, the call to https://login.facebook.com fails. I have tried using Fiddler to work out what is failing. The process stops on CONNECT.

Fiddler shows

HTTPS connection failed.

System.IO.IOException: The handshake failed due to an unexpected packet format.

Not sure what to do. Any help would be appreciated.

0
subversivetech
Asked:
subversivetech
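The hosts file entries in the question map facebook.com three times to different addresses, and they pin login.facebook.com to a single address that must be a server actually presenting a certificate for that name, or the TLS handshake through Fiddler's CONNECT will fail. The script below is an added example, not code from the question or any answer: it parses a hosts file, reports which line actually wins for each name (most resolvers use the first matching line and silently ignore the rest), flags deliberate 0.0.0.0 sinkhole entries, and offers an optional online check that connects to a pinned IP with SNI and verifies the certificate is valid for the hostname. The sample hosts text is constructed inline (the blocked.example entry is invented for the demonstration); the network check needs connectivity and is only run from the main guard.

```python
"""Hosts-file override audit (added example, not from the original thread)."""
import ipaddress
import socket
import ssl

# Constructed sample: the entries from the question plus an invented
# sinkhole line, embedded so the example runs without reading /etc/hosts.
SAMPLE_HOSTS = """\
# comment line
66.220.146.32   www.facebook.com
69.63.181.12    facebook.com
69.63.189.11    facebook.com
69.61.189.16    facebook.com
202.7.172.47    static.ak.fbcdn.net
67.19.113.186   login.facebook.com
0.0.0.0         blocked.example   # constructed sinkhole entry
"""


def parse_hosts(text):
    """Return (ip, name) pairs in file order; comments and blank lines are skipped.
    Raises ValueError if the first field of a line is not an IP address."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            raise ValueError(f"line {lineno}: {fields[0]!r} is not an IP address")
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def effective_mapping(entries):
    """Name -> IP as the resolver will see it: the FIRST line for a name wins."""
    winner = {}
    for ip, name in entries:
        winner.setdefault(name, ip)
    return winner


def shadowed_entries(entries):
    """Lines that are never used because an earlier line already maps the name."""
    seen = set()
    shadowed = []
    for ip, name in entries:
        if name in seen:
            shadowed.append((ip, name))
        seen.add(name)
    return shadowed


def sinkholed(entries):
    """Names deliberately pointed at an unspecified or loopback address."""
    result = []
    for name, ip in effective_mapping(entries).items():
        addr = ipaddress.ip_address(ip)
        if addr.is_unspecified or addr.is_loopback:
            result.append(name)
    return sorted(result)


def tls_name_matches(ip, hostname, timeout=5.0):
    """Connect to `ip` on 443 with SNI=hostname and verify the certificate chain
    and name. A handshake error, name mismatch, or a non-TLS reply (the kind of
    thing Fiddler reports as an unexpected packet format) returns (False, reason).
    Requires network access, so the offline test does not call it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                tls.getpeercert()
        return True, f"certificate valid for {hostname}"
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for ip, name in shadowed_entries(entries):
        print(f"shadowed (never used): {ip} {name}")
    print("sinkholed names:", sinkholed(entries))
    for name, ip in effective_mapping(entries).items():
        if name.startswith("login."):
            ok, reason = tls_name_matches(ip, name)
            print(f"{name} -> {ip}: {'OK' if ok else 'FAIL'} ({reason})")
```

Run it as a script to see the report; the TLS check only tells you whether the pinned address serves HTTPS for that name today, so rerun it whenever a hosts override stops working, since large sites rotate addresses.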
1 Solution
 
expone Commented:
You can try to add another DNS server (which will know about facebook) on that PC under LAN settings.
0
 
subversivetech (Author) Commented:
I think the primary DNS server has to be the Domain Controller / DNS server, and it does know about facebook, so the secondary won't be looked at. It tells the client that facebook.com is at 0.0.0.0
0
 
expone Commented:
The primary DNS server has to be the Domain Controller / DNS server only while you are adding a PC to the domain.
Once your PC is part of the domain, you can change its primary DNS server, if you wish, and add the Domain Controller's IP address to the hosts file on that PC.
0
 
subversivetech (Author) Commented:
If I do that, how will that pc know how to find the other machines and shares on the network?
0
 
ntype Commented:
fiddling with DNS entries isn't a good idea as this doesn't really scale well if you consider disaster recovery, migrations or just usual maintenance. The ideal solution has to be transparent for the user and scalable.

So to set up filters on who can access what, the best and simplest way to achieve that is by setting up filters on either

1. the internet router in case of a small office (depending of your unit you'll have great options or nothing)
2. the proxy servers. Proxies are great at filtering traffic and limiting the amount of consumed bandwidth or even allocating certain times. For example, allow 'facebook' for everyone but only at lunchtime. There are excellent free proxies that run under Linux distributions that work seamlessly, or use proprietary pieces of software (Microsoft ISA is really nice and could allow you to even publish your messaging servers securely for your mobile users).

So the ideal answer could require some work for you (you'll have to fix certain IPs to ensure best results, however) but this will allow you to have full control of any requests you may face.
0
 
expone Commented:
If you change the primary DNS server, your PC will still know how to find other machines (and their shares) on the network, because those other machines are broadcasting their presence on the LAN by default.
The worst case scenario is that you will need to put their IP addresses (and names) into the hosts file on your PC. The nice thing is that it is easy to revert back to your primary Domain Controller / DNS server if anything fails.
0
 
allan_jardine Commented:
The error you are getting does not sound like it is related to DNS (I suspect that your settings are correct). You could confirm this by removing the hosts entries and resetting the DNS server back to normal to test this quickly. Can you confirm that there are no proxy servers, firewalls, etc. that may be preventing the connection?
0
 
subversivetech (Author) Commented:
Yes as soon as I remove the hosts entries (and the DNS entry from the server), the error is gone.
0
 
allan_jardine Commented:
Can you access facebook from the server with the host entries applied to it?
0
 
subversivetech (Author) Commented:
Not exactly a solution to my problem, but good advice.

I will miss my quick and dirty DNS block. There are Macs in the environment, so any GPO scripts etc. just won't do the trick. The router has some IP filtering, so I will use that. Just a bit hard to get the IPs right with a site like Facebook that uses many. Not to mention that they probably change.

I came across a distro called Untangle which looks great. I did not really want to add complexity to the environment just for the sake of blocking one site, but I may go down that road.

Thanks all for your help.
0
 
ntype Commented:
Indeed, if you have multiple different operating systems in your environment, using policies to push settings on the client won't do the trick.
Sometimes adding complexity reduces the complexity!

Setting up a proxy server for your users will greatly reduce the load that your router (you didn't specify, but I suspect this is a medium office environment) is facing. On top of that it will allow you to effectively filter out potentially unsafe and unwanted elements (ads, malware...).

After that you'll have to block every direct connection from your computer clients to the router and only allow the servers and proxy.
With this set up you'll ensure that even a malware/virus contaminated host inside your LAN won't be able to use your internet connection 'directly' to spread over the internet or create unwanted internal malware servers. Your router probably allows all outgoing traffic, so a malware could connect to a botnet, giving out access to your network back.

May I suggest you check out OpenDNS, as they could provide you with supplementary means of filtering your traffic or help you shape a more secure and better-performing internet environment for your internal clients.
0
