Solved

Facebook blocked by DNS A record. How to unblock on a single computer?

Posted on 2010-09-21
11
2,092 Views
Last Modified: 2012-05-10
I have created a DNS entry on the server so that facebook.com is pointed to nowhere. This has worked well and prevents most users from accessing the site (they are not too tech savvy).

I am required to allow a single user to access the site. I had hoped to achieve this by creating entries in that user's hosts file. I have appended:

66.220.146.32   www.facebook.com
69.63.181.12    facebook.com
69.63.189.11    facebook.com
69.61.189.16    facebook.com
202.7.172.47    static.ak.fbcdn.net
67.19.113.186   login.facebook.com

to the hosts file. From that computer I can open facebook.com but upon logging in, the call to https://login.facebook.com fails. I have tried using fiddler to work out what is failing. The process stops on CONNECT.

Fiddler shows

HTTPS connection failed.

System.IO.IOException: The handshake failed due to an unexpected packet format.

Not sure what to do. Any help would be appreciated.

0
Comment
Question by:subversivetech
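Two things worth checking before blaming the HTTPS stack, illustrated with an added Python script that is not part of the question or any answer: the hosts file above lists facebook.com three times, and a resolver normally uses only the first matching line (assumed here; the remaining two are dead entries), and a pinned IP is only useful if that address actually answers TLS for the name in question. The script parses the quoted hosts lines (embedded as a constructed sample), reports shadowed entries, and offers a `probe_tls` helper that performs a real TLS handshake with SNI and certificate verification against a chosen IP, so a listener that is not speaking TLS, or serves a certificate for another name, is reported as a plain error instead of an opaque CONNECT failure in Fiddler.

```python
import socket
import ssl
from collections import OrderedDict

# Constructed sample: the lines quoted in the question, as they would be
# appended to the hosts file.
SAMPLE_HOSTS = """\
# entries appended for the one user who may reach facebook
66.220.146.32   www.facebook.com
69.63.181.12    facebook.com
69.63.189.11    facebook.com
69.61.189.16    facebook.com
202.7.172.47    static.ak.fbcdn.net
67.19.113.186   login.facebook.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs in file order, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:  # one line may carry several aliases
            entries.append((ip, name.lower()))
    return entries


def effective_mappings(entries):
    """First entry for a name wins (assumed resolver behaviour)."""
    result = OrderedDict()
    for ip, name in entries:
        result.setdefault(name, ip)
    return dict(result)


def shadowed_entries(entries):
    """Names listed more than once: every IP after the first is never used."""
    seen = {}
    for ip, name in entries:
        seen.setdefault(name, []).append(ip)
    return {name: ips for name, ips in seen.items() if len(ips) > 1}


def probe_tls(hostname, ip, port=443, timeout=5.0):
    """Open a TLS session to ip:port with SNI=hostname and verify the chain.

    A listener that answers with plain HTTP, a closed port, or a certificate
    for a different name all come back as {"ok": False, "error": ...}.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "subject": cert.get("subject")}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for name, ips in shadowed_entries(entries).items():
        print(f"{name}: only {ips[0]} is used; ignored: {', '.join(ips[1:])}")
    # Live probe of each effective mapping (needs network access).
    for name, ip in effective_mappings(entries).items():
        print(name, ip, probe_tls(name, ip))
```

Run it on the real hosts file of the affected machine by replacing `SAMPLE_HOSTS` with the file's contents; a `probe_tls` result of `ok: False` for `login.facebook.com` points at the pinned address rather than at the client's TLS stack.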
11 Comments
 
LVL 6

Expert Comment

by:expone
ID: 33723811
You can try to add another DNS server (which will know about facebook) on that PC under LAN settings.
0
 

Author Comment

by:subversivetech
ID: 33723891
I think the primary DNS server has to be the Domain Controller / DNS server, and it does know about facebook, so the secondary won't be looked at. It tells the client that facebook.com is at 0.0.0.0
0
 
LVL 6

Expert Comment

by:expone
ID: 33723956
The primary DNS server has to be the Domain Controller / DNS server only while you are adding a PC to the domain.
Once your PC is part of the domain, you can change its primary DNS server, if you wish, and add the Domain Controller's IP address to the hosts file on that PC.
0

 

Author Comment

by:subversivetech
ID: 33723977
If I do that, how will that pc know how to find the other machines and shares on the network?
0
 
LVL 2

Accepted Solution

by:ntype (earned 500 total points)
ID: 33723999
fiddling with DNS entries isn't a good idea as this doesn't really scale well if you consider disaster recovery, migrations or just usual maintenance. The ideal solution has to be transparent for the user and scalable.

So, to set up filters for who can access where, the best and simplest way to achieve that is by setting up filters on either

1. the internet router in case of a small office (depending on your unit you'll have great options or nothing)
2. the proxy servers - proxies are great at filtering traffic and limiting the amount of consumed bandwidth or even allocating certain times. For example, allow 'facebook' for everyone but only at lunchtime. There are excellent free proxies that run under Linux distributions that work seamlessly, or use proprietary pieces of software (Microsoft ISA is really nice and could allow you to even publish your messaging servers securely for your mobile users).

So the ideal answer could require some work for you (you'll have to fix certain IPs to ensure best results, however) but this will allow you to have full control of any requests you may face.
0
 
LVL 6

Expert Comment

by:expone
ID: 33724113
If you change the primary DNS server, your PC will still know how to find other machines (and their shares) on the network, because those other machines are broadcasting their presence on the LAN by default.
The worst case scenario is that you will need to put their IP addresses (and names) into the hosts file on your PC. The nice thing is that it is easy to revert back to your primary Domain Controller / DNS server if anything fails.
0
 
LVL 5

Expert Comment

by:allan_jardine
ID: 33724114
The error you are getting does not sound like it is related to DNS (I suspect that your settings are correct) - you could confirm this by removing the hosts entries and resetting the DNS server back to normal to test this quickly. Can you confirm that there are no proxy servers, firewalls etc. that may be preventing the connection?
0
 

Author Comment

by:subversivetech
ID: 33724191
Yes as soon as I remove the hosts entries (and the DNS entry from the server), the error is gone.
0
 
LVL 5

Expert Comment

by:allan_jardine
ID: 33724238
Can you access facebook from the server with the host entries applied to it?
0
 

Author Closing Comment

by:subversivetech
ID: 33724444
Not exactly a solution to my problem, but good advice.

I will miss my quick and dirty DNS block. There are Macs in the environment, so any GPO scripts etc. just won't do the trick. The router has some IP filtering, so I will use that. Just a bit hard to get the IPs right with a site like Facebook that uses many. Not to mention that they probably change.

I came across a distro called Untangle which looks great. I did not really want to add complexity to the environment just for the sake of blocking one site, but I may go down that road.

Thanks all for your help.
0
 
LVL 2

Expert Comment

by:ntype
ID: 33724960
Indeed, if you have multiple different operating systems in your environment, using policies to push settings on the client won't do the trick.
Sometimes adding complexity reduces the complexity!

Setting up a proxy server for your users will greatly reduce the load that your router - you didn't specify, but I suspect this is a medium office environment - is facing. On top of that it will allow you to effectively filter out potentially unsafe and unwanted elements (ads, malware...).

After that you'll have to block every direct connection from your client computers to the router and only allow the servers and proxy.
With this set up you'll ensure that even a malware/virus contaminated host inside your LAN won't be able to use your internet connection 'directly' to spread over the internet or create unwanted internal malware servers - your router probably allows all outgoing traffic, so a malware could connect to a botnet, giving out access to your network back.

May I suggest you check out OpenDNS, as they could provide you supplementary means of filtering your traffic or help you shape a more secure and performing internet environment for your internal clients.
0
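The "only the proxy and servers may talk to the router" rule above is easy to state and easy to drift from; the following added Python script (not code from any poster) shows how to audit it from the router's accept/drop log. The LAN range, the proxy and server addresses, and the key=value log format are assumptions, and the log lines are constructed samples. An accepted connection from an ordinary workstation straight to a non-LAN address is reported as a violation, and the per-source summary (count, destinations, ports) is what makes a host that is beaconing out on an odd port stand out from a one-off misconfiguration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed layout (hypothetical addresses, not from the thread).
LAN = ip_network("192.168.1.0/24")
ALLOWED_DIRECT = {
    ip_address("192.168.1.5"),  # the proxy
    ip_address("192.168.1.2"),  # mail/file server that needs its own egress
}

# Constructed sample lines in an assumed key=value router log format.
SAMPLE_LOG = """\
2010-09-21T12:01:02 ACCEPT proto=tcp src=192.168.1.5 dst=69.63.181.12 dport=443
2010-09-21T12:01:05 ACCEPT proto=tcp src=192.168.1.23 dst=69.63.181.12 dport=80
2010-09-21T12:01:09 ACCEPT proto=tcp src=192.168.1.23 dst=192.168.1.2 dport=445
2010-09-21T12:02:11 ACCEPT proto=tcp src=192.168.1.41 dst=203.0.113.9 dport=6667
2010-09-21T12:02:12 ACCEPT proto=tcp src=192.168.1.41 dst=198.51.100.7 dport=6667
2010-09-21T12:02:14 ACCEPT proto=tcp src=192.168.1.2 dst=198.51.100.25 dport=25
2010-09-21T12:03:00 DROP proto=tcp src=192.168.1.77 dst=203.0.113.9 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn log lines into dicts with parsed IP addresses; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": d["ts"],
            "action": d["action"],
            "src": ip_address(d["src"]),
            "dst": ip_address(d["dst"]),
            "dport": int(d["dport"]),
        })
    return events


def direct_egress_violations(events):
    """Accepted flows from a LAN host that is not proxy/server to an address outside the LAN."""
    return [
        e for e in events
        if e["action"] == "ACCEPT"
        and e["src"] in LAN
        and e["dst"] not in LAN
        and e["src"] not in ALLOWED_DIRECT
    ]


def summarize(violations):
    """Per-source view: how many flows, to which destinations, on which ports."""
    per_src = defaultdict(lambda: {"count": 0, "dst": set(), "ports": set()})
    for e in violations:
        s = per_src[str(e["src"])]
        s["count"] += 1
        s["dst"].add(str(e["dst"]))
        s["ports"].add(e["dport"])
    return {
        src: {"count": v["count"], "destinations": sorted(v["dst"]), "ports": sorted(v["ports"])}
        for src, v in per_src.items()
    }


if __name__ == "__main__":
    report = summarize(direct_egress_violations(parse_log(SAMPLE_LOG)))
    for src, info in report.items():
        print(f"{src}: {info['count']} direct flow(s) to {info['destinations']} on ports {info['ports']}")
```

In the sample, the proxy's own flow and the server's SMTP flow pass, the intra-LAN SMB flow is ignored, and the DROP line is already handled by the router; what remains is one workstation reaching a web server directly on port 80 (a hole in the router rules) and one workstation making repeated connections on port 6667 to two outside hosts, which is the pattern worth investigating first.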