Solved

Facebook blocked by DNS A record. How to unblock on a single computer?

Posted on 2010-09-21
11
2,051 Views
Last Modified: 2012-05-10
I have created a DNS entry on the server so that facebook.com is pointed to nowhere. This has worked well and prevents most users from accessing the site (they are not too tech savvy).

I am required to allow a single user to access the site. I had hoped to achieve this by creating entries in that user's hosts file. I have appended:

66.220.146.32   www.facebook.com
69.63.181.12    facebook.com
69.63.189.11    facebook.com
69.61.189.16    facebook.com
202.7.172.47    static.ak.fbcdn.net
67.19.113.186   login.facebook.com

to the hosts file. From that computer I can open facebook.com but upon logging in, the call to https://login.facebook.com fails. I have tried using fiddler to work out what is failing. The process stops on CONNECT.

Fiddler shows

HTTPS connection failed.

System.IO.IOException: The handshake failed due to an unexpected packet format.

Not sure what to do. Any help would be appreciated.
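A small audit of the hosts-file approach described in the question, added here as an example (it is not code from the asker or any of the answers). It feeds the six lines above, plus one constructed 0.0.0.0 sinkhole line of the kind the blocking DNS zone hands out, through a parser that applies first-match semantics (which is how Windows reads the hosts file, so only the first of the three facebook.com lines ever takes effect) and flags shadowed and sinkholed names. It also includes the check a defender makes when a client reports "unexpected packet format": whether the first bytes that came back from the pinned address are a TLS record at all. The sample data and the `blocked.example` name are constructed.

```python
"""Audit a hosts file for the pitfalls in the question above (added example)."""
import ipaddress
from collections import OrderedDict

# Constructed sample: the six entries from the question plus a hypothetical
# sinkhole line. Not a real system's hosts file.
SAMPLE_HOSTS = """\
# hypothetical hosts file
66.220.146.32   www.facebook.com
69.63.181.12    facebook.com
69.63.189.11    facebook.com
69.61.189.16    facebook.com
202.7.172.47    static.ak.fbcdn.net
67.19.113.186   login.facebook.com
0.0.0.0         blocked.example   # hypothetical sinkhole entry
"""

# Addresses that a blocking zone or hosts file uses to "point nowhere".
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples; comments and bad lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address: skip rather than guess
        for name in parts[1:]:
            entries.append((str(ip), name.lower(), line_no))
    return entries


def resolve(entries, hostname):
    """First-match lookup, which is how the Windows hosts file is applied."""
    for ip, name, _ in entries:
        if name == hostname.lower():
            return ip
    return None


def audit(entries):
    """Report sinkholed names and duplicate names whose later lines are dead."""
    findings = []
    seen = OrderedDict()
    for ip, name, line_no in entries:
        seen.setdefault(name, []).append((ip, line_no))
        if ip in SINKHOLE_ADDRESSES:
            findings.append(f"line {line_no}: {name} is sinkholed to {ip}")
    for name, hits in seen.items():
        if len(hits) > 1:
            first_ip, first_line = hits[0]
            shadowed = ", ".join(f"{ip} (line {n})" for ip, n in hits[1:])
            findings.append(
                f"{name}: only {first_ip} (line {first_line}) is used; "
                f"shadowed: {shadowed}"
            )
    return findings


def looks_like_tls_record(first_bytes):
    """True if a server's first bytes are a TLS record (handshake type 0x16,
    major version 3). A client that expected TLS and got anything else,
    e.g. plain HTTP from the wrong host, reports an unexpected packet format."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print("facebook.com ->", resolve(entries, "facebook.com"))
    for finding in audit(entries):
        print(finding)
```

Running it shows that facebook.com resolves to 69.63.181.12 and the other two lines are never consulted, and that any name mapped to 0.0.0.0 is reported as sinkholed. The TLS check is the part that matters for the login failure: pinning login.facebook.com to a fixed address in the hosts file only works while that address still terminates TLS for that name, and a non-TLS first reply is exactly what produces the handshake error in the question.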

Question by:subversivetech
11 Comments
 
LVL 6

Expert Comment

by:expone
You can try to add another DNS server (which will know about facebook) on that PC under LAN settings.
0
 

Author Comment

by:subversivetech
I think the primary DNS server has to be the Domain Controller / DNS server, and it does know about facebook, so the secondary won't be looked at. It tells the client that facebook.com is at 0.0.0.0
0
 
LVL 6

Expert Comment

by:expone
The primary DNS server has to be the Domain Controller / DNS server only while you are adding a PC to the domain.
Once your PC is part of the domain, you can change its primary DNS server, if you wish, and add the Domain Controller's IP address to the hosts file on that PC.
0
 

Author Comment

by:subversivetech
If I do that, how will that pc know how to find the other machines and shares on the network?
0
 
LVL 2

Accepted Solution

by:
ntype earned 500 total points
Fiddling with DNS entries isn't a good idea as this doesn't really scale well if you consider disaster recovery, migrations or just usual maintenance. The ideal solution has to be transparent for the user and scalable.

So to set up filters on who can access where, the best and simplest way to achieve that is by setting up filters on either

1. the internet router in case of a small office (depending on your unit you'll have great options or nothing)
2. the proxy servers - Proxies are great at filtering traffic and limiting the amount of consumed bandwidth or even allocating certain times. For example allow 'facebook' for everyone but only at lunchtime. There are excellent free proxies that run under Linux distributions that work seamlessly, or use proprietary pieces of software (Microsoft ISA is really nice and could allow you to even publish your messaging servers securely for your mobile users).

So the ideal answer could require some work for you (you'll have to fix certain IPs to ensure best results however) but this will allow you to have full control of any requests you may face.
0
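The policy the accepted answer sketches ("allow facebook for everyone but only at lunchtime", plus the single permitted user from the question) is an ordered access list of the kind a filtering proxy evaluates. The following is an added example of that evaluation logic, written by the editor; it is not Squid, ISA or any product's configuration, and the client address 192.0.2.10 and the lunch window are assumptions. It shows the two things that go wrong in practice: domain matching that is done on label boundaries rather than by substring, and the fact that an exception for one domain does not cover the separate domains a site loads its login and static content from.

```python
"""Ordered, first-match access policy of the kind a filtering proxy applies
(added example, not any product's own configuration)."""
from datetime import datetime, time

# Hypothetical lunch window during which everyone may reach the site.
LUNCH = (time(12, 0), time(13, 0))

# Hypothetical address of the one workstation that is always allowed.
EXEMPT_CLIENT = "192.0.2.10"


def host_in_domain(host, domain):
    """True if host equals domain or is a subdomain of it.
    A substring test would let 'evil-facebook.com' match the facebook rule,
    so compare on label boundaries only."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def in_window(when, window):
    """True if the clock time of `when` falls inside [start, end)."""
    start, end = window
    return start <= when.time() < end


# Rules are (action, domain, time window or None, set of client IPs or None).
# They are tried in order and the first match decides; the final rule is the
# catch-all for everything unmatched.
POLICY = [
    ("allow", "facebook.com", None, {EXEMPT_CLIENT}),
    ("allow", "facebook.com", LUNCH, None),
    ("deny", "facebook.com", None, None),
    ("deny", "fbcdn.net", None, None),
    ("allow", "", None, None),  # empty domain matches any host
]


def decide(host, client_ip, when, policy=POLICY):
    """Return 'allow' or 'deny' for one request under the ordered policy."""
    for action, domain, window, clients in policy:
        if domain and not host_in_domain(host, domain):
            continue
        if window is not None and not in_window(when, window):
            continue
        if clients is not None and client_ip not in clients:
            continue
        return action
    return "deny"  # no rule matched: fail closed


if __name__ == "__main__":
    morning = datetime(2010, 9, 21, 9, 0)
    noon = datetime(2010, 9, 21, 12, 30)
    for host, ip, when in [
        ("www.facebook.com", "192.0.2.77", morning),
        ("www.facebook.com", "192.0.2.77", noon),
        ("login.facebook.com", EXEMPT_CLIENT, morning),
        ("static.ak.fbcdn.net", EXEMPT_CLIENT, morning),
    ]:
        print(f"{host:22} {ip:12} {when.time()} -> {decide(host, ip, when)}")
```

Note that the exempt workstation is still denied static.ak.fbcdn.net, because the exception names only facebook.com. That is the same gap the asker hit with the hosts file: the site's login and static assets live on other names, and a per-user exception has to list every domain the site actually uses. Keeping the rule set ordered and ending with an explicit catch-all also makes the policy easy to read back when it is later migrated to a router or proxy.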
 
LVL 6

Expert Comment

by:expone
If you change the primary DNS server, your PC will still know how to find other machines (and their shares) on the network, because those other machines are broadcasting their presence on the LAN by default.
The worst case scenario is that you will need to put their IP addresses (and names) into the hosts file on your PC. The nice thing is that it is easy to revert back to your primary Domain Controller / DNS server if anything fails.
0
 
LVL 5

Expert Comment

by:allan_jardine
The error you are getting does not sound like it is related to DNS (I suspect that your settings are correct) - you could confirm this by removing the hosts entries and resetting the DNS server back to normal to test this quickly. Can you confirm that there are no proxy servers, firewalls, etc. that may be preventing the connection?
0
 

Author Comment

by:subversivetech
Yes as soon as I remove the hosts entries (and the DNS entry from the server), the error is gone.
0
 
LVL 5

Expert Comment

by:allan_jardine
Can you access facebook from the server with the host entries applied to it?
0
 

Author Closing Comment

by:subversivetech
Not exactly a solution to my problem, but good advice.

I will miss my quick and dirty DNS block. There are Macs in the environment, so any GPO scripts etc. just won't do the trick. The router has some IP filtering, so I will use that. Just a bit hard to get the IPs right with a site like Facebook that uses many. Not to mention that they probably change.

I came across a distro called Untangle which looks great. I did not really want to add complexity to the environment just for the sake of blocking one site, but I may go down that road.

Thanks all for your help.
0
 
LVL 2

Expert Comment

by:ntype
Indeed, if you have multiple different operating systems in your environment, using policies to push settings on the client won't do the trick.
Sometimes adding complexity reduces the complexity!

Setting up a proxy server for your users will greatly reduce the load that your router - you didn't specify, but I suspect this is a medium office environment - is facing. On top of that it will allow you to effectively filter out potentially unsafe and unwanted elements (ads, malware...).

After that you'll have to block every direct connection from your client computers to the router and only allow the servers and proxy.
With this set up you'll ensure that even a malware/virus contaminated host inside your LAN won't be able to use your internet connection 'directly' to spread over the internet or create unwanted internal malware servers - your router probably allows all outgoing traffic, so a malware could connect to a botnet, giving out access to your network back.

May I suggest you check out OpenDNS, as they could provide you supplementary means of filtering your traffic or help you shape a more secure and better performing internet environment for your internal clients.
0