how to set up a black and white list on the dns level

I'm trying to set up, on the DNS level, a white list and black list that would allow me to block all but say three or four websites for a client.

The idea is to be able to, on the fly, edit in the future if need be.

Any ideas?

A usable white list for DNS is hard to implement because the client is going to need to access domain names not apparent from the address bar of a web browser.  For example, CRLs for certificates for signed code need to be checked, and software on the computer may need to update itself by visiting external sites (antivirus if you don't have an enterprise antivirus solution, for example).

Having said this, you can delete all root hints from your DNS server, configure it to not use recursion, and configure conditional forwarders for good domain names such that those queries are forwarded to a functional DNS server with the ability to use root hints.

You'll then need a way to force clients to use only your customized DNS server and prevent users from being able to edit local hosts files.
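As an added illustration (not part of the answer above), this is how the approach just described can be scripted on a Windows DNS Server with the DnsServer PowerShell module. The allowed domains and the upstream resolver address are placeholders; in practice the list must also carry the CRL/OCSP and update domains the answer mentions. One variation from the answer: because the DNS Manager setting is labelled "Disable recursion (also disables forwarders)", this script keeps recursion enabled and relies on the removal of root hints to make unlisted names fail.

```powershell
# Added example: DNS-level allowlist on a Windows DNS Server (DnsServer module).
# Placeholders, not values from the original thread:
#   $Upstream     - a resolver that is allowed to recurse (ISP or internal DNS)
#   $AllowedZones - the handful of domains the client may resolve
$Upstream     = '192.0.2.53'      # documentation-range address, replace it
$AllowedZones = @('example.com', 'example.net', 'example.org')

# 1. Remove every root hint so the server cannot walk the DNS root on its own.
Get-DnsServerRootHint | ForEach-Object {
    Remove-DnsServerRootHint -NameServer $_.NameServer.RecordData.NameServer -Force
}

# 2. Leave recursion on (disabling it would also disable the forwarders below),
#    but flush the cache so no previously learned root/TLD servers survive.
Set-DnsServerRecursion -Enable $true
Clear-DnsServerCache -Force

# 3. Forward only the allowed domains to the upstream resolver. Anything else
#    has neither a zone nor a forwarder nor a root hint and fails with SERVFAIL.
foreach ($zone in $AllowedZones) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $Upstream
    }
}

# Editing the list later ("on the fly") is one cmdlet each way:
#   Add-DnsServerConditionalForwarderZone -Name 'new.example' -MasterServers $Upstream
#   Remove-DnsServerZone -Name 'example.org' -Force

# 4. Check from the server itself: an allowed name resolves, an unlisted one does not.
$ok  = Resolve-DnsName -Name 'www.example.com' -Server 127.0.0.1 -ErrorAction SilentlyContinue
$bad = Resolve-DnsName -Name 'www.microsoft.com' -Server 127.0.0.1 -ErrorAction SilentlyContinue
"allowed resolves: $($null -ne $ok)   unlisted resolves: $($null -ne $bad)"
```

Run it in an elevated PowerShell session on the DNS server; the final line should report allowed resolves: True and unlisted resolves: False.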

jwattsit (Author) commented:
Is it recommended to use a firewall to block certain websites (facebook, youtube, etc) instead of creating a whitelist to enable only certain websites?

What is the best method/recommended method if DNS is hard to implement?  Is software or hardware usually purchased in addition to the existing Windows Server and basic firewall?
Using DNS to control web access is not great for loads of reasons:
there are many ways to bypass it;
it takes a lot of admin;
you'll struggle with certain websites that consist of elements from multiple locations on the internet.

There are several free proxy programs available, but proper paid ones are more configurable and better at the job.
Some firewalls have basic web filters built in and are pretty good. I'd use those if your firewall has the facility.