DEFclub

block high level domains

I want to block certain high level domains via configuration on my Windows 2003 DNS servers. How can I do this?
WalterH

Not sure what you mean, but you can claim to be authoritative for the domains and point users to whatever you want. That will block access to the domains in question.
Do you mean blocking DNS resolution of particular TLDs?  Is there a specific reason you would want to do this?
DEFclub

ASKER

I want to block all traffic going to Russia and China for clients using my Windows 2003 DNS servers
Removing the ability to properly resolve .ru and .cn domains is not going to prevent traffic going to domains of those TLDs.  If you want to block all traffic to a specific IP or block of IPs, do so at your router or firewall.

If you do only want to block DNS resolution of domains under those TLD's, then as WalterH said you need to create dummy zones for those TLD's and make your internal DNS servers authoritative for them.

Keep in mind however, that if at some point in the future you need to send or receive mail to a .ru or .cn domain, you will not be able to.  If you ever have to interact with a customer in .ru or .cn, you will not be able to.  What I'm trying to say is, I don't think what you are doing is the best decision.  Block specific sites, sure.  Blocking entire countries?  Generally not a good business practice.
As far as I know, this cannot be done using DNS servers. You can block all traffic for .cn and .ru domains, but if there is a .com domain that is in China, you cannot block it with DNS. I suggest you look at
http://www.parkansky.com/china.htm
for information about how to block traffic from China. You can use RRAS in Windows 2003 to block the ranges of addresses listed on that web site.
DEFclub

ASKER

Yep, I'm completely aware of the ramifications of blocking those HLDs; this is temporary.  So I create a primary zone in DNS? Then what?
DEFclub

ASKER

Is there a wildcard I need to set at the domain name, or just .ru, or ?
Yep, I'm completely aware of the ramifications of blocking those HLDs; this is temporary.  So I create a primary zone in DNS? Then what?

OK as long as you are aware.  I'll bow out and let WalterH finish this one up.

Good luck!
DEFclub

ASKER

I have a security team on-site requesting this be done. I will search further.
It is as easy as creating a primary zone in DNS with the simple names of ru and cn. Then when someone does a DNS lookup for a name like pravda.ru, the server will respond that there is no such name and the site is blocked.
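The procedure described in the replies above (create empty primary zones named after the TLDs so the server becomes authoritative for them and answers "no such name" for anything beneath them), written out as an added example that is not from the thread. It assumes the script is run on the Windows 2003 DNS server itself with the dnscmd tool installed, and the zone file names ru.dns and cn.dns are assumed, not given by any participant:

```batch
@echo off
REM Added example (not from the thread): create empty file-backed primary zones
REM for the TLDs to block, so this server is authoritative for them and returns
REM NXDOMAIN for every name under them.
REM Assumptions: run locally on the Windows 2003 DNS server; dnscmd is installed;
REM the zone file names ru.dns and cn.dns are chosen here, not taken from the thread.

setlocal
set SERVER=127.0.0.1

for %%Z in (ru cn) do (
    REM A standard primary zone; add no records to it beyond the automatic SOA/NS,
    REM so any other name in the zone is answered with "Non-existent domain".
    dnscmd %SERVER% /ZoneAdd %%Z /Primary /file %%Z.dns
)

REM Confirm both zones are present and listed as primary on this server
dnscmd %SERVER% /EnumZones

REM Verify the block by querying THIS server directly: a name under a blocked
REM TLD must come back "Non-existent domain" (pravda.ru is the thread's own example).
nslookup pravda.ru %SERVER%

REM Verify that unrelated names still resolve normally through forwarders/root hints
nslookup example.com %SERVER%

endlocal
```

The two nslookup checks name the server explicitly on purpose: the NXDOMAIN answer only comes from a server that holds the zone, so a client configured to use a different resolver, or one still holding a cached answer from before the zone was created, will not see the block. If the second check fails, the zone was created with records it should not have or the server's own forwarding is broken, which is unrelated to the TLD zones.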
ASKER CERTIFIED SOLUTION
WalterH

DEFclub

ASKER

I'm noticing when I do that, nslookup says non-authoritative like it should, but then it looks like it forwards somewhere else and resolves it. Ideas?
DEFclub

ASKER

Got it all worked out - thanks.