
block high level domains

I want to block certain high level domains via configurations on my windows 2003 DNS servers. How can I do this?

Commented:
Not sure what you mean, but you can claim to be authoritative for the domains and point users to whatever you want. That will block access to the domains in question.
Top Expert 2011

Commented:
Do you mean blocking DNS resolution of particular TLDs?  Is there a specific reason you would want to do this?

Author

Commented:
I want to block all traffic going to russia and china for clients using my windows 2003 dns servers
Top Expert 2011

Commented:
Removing the ability to properly resolve .ru and .cn domains is not going to prevent traffic going to domains of those TLDs.  If you want to block all traffic to a specific IP or block of IPs, do so at your router or firewall.

If you do only want to block DNS resolution of domains under those TLDs, then as WalterH said you need to create dummy zones for those TLDs and make your internal DNS servers authoritative for them.

Keep in mind however, that if at some point in the future you need to send or receive mails to a .ru or .cn domain, you will not be able to.  If you ever have to interact with a customer in .ru or .cn, you will not be able to.  What I'm trying to say is, I don't think what you are doing is the best decision.  Block specific sites, sure.  Blocking entire countries?  Generally not a good business practice.

Commented:
As far as I know, this cannot be done using DNS servers. You can block all traffic for .cn and .ru domains, but if there is a .com domain that is in China, you cannot block it with DNS. I suggest you look at
http://www.parkansky.com/china.htm
for information about how to block traffic from China. You can use RRAS in Windows 2003 to block the ranges of addresses listed on that web site.

Author

Commented:
Yep, I'm completely aware of the ramifications of blocking those HLDs; this is temporary.  So I create a primary zone in DNS?  Then what?

Author

Commented:
Is there a wildcard I need to set at the domain name, or just .ru, or?
Top Expert 2011

Commented:
Yep, I'm completely aware of the ramifications of blocking those HLDs; this is temporary.  So I create a primary zone in DNS?  Then what?

OK as long as you are aware.  I'll bow out and let WalterH finish this one up.

Good luck!

Author

Commented:
I have a security team on-site requesting this be done. I will search further.

Commented:
It is as easy as creating a primary zone in DNS with the simple names of ru and cn. Then when someone does a DNS lookup for a name like pravda.ru, the server will respond that there is no such name and the site is blocked.
Commented:
Try using nslookup. Ask for pravda.ru and you will get a response. Then add the primary domain ru (no dots, no extra levels). After this is done, try the same nslookup and you will get a non-existent domain response, site blocked.

Author

Commented:
I'm noticing when I do that, nslookup says non-authoritative like it should, but then it looks like it forwards somewhere else and resolves it. Ideas?
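The zone-creation and nslookup steps from the replies above, and the "non-authoritative answer" check the author is asking about, as one scripted example. This is an added example, not a script from the original thread or from Microsoft. It assumes dnscmd.exe (Windows Server 2003 Support Tools) is installed, that it runs as a DNS administrator on the DNS server itself ("." selects the local server), and that the zone file names ru.dns and cn.dns are this example's own choice.

```batch
@echo off
REM Added example, not from the original thread. Assumes dnscmd.exe is present
REM and that this runs on the Windows 2003 DNS server as a DNS admin.
REM "." tells dnscmd to operate on the local server; zone file names are arbitrary.

set DNSSRV=.

REM 1. Create empty standard primary zones named exactly "ru" and "cn" (no leading
REM    dot, no extra levels). Once loaded, this server is authoritative for the whole
REM    TLD and answers "Non-existent domain" for any name beneath it instead of
REM    forwarding the query. No wildcard record is needed for that effect.
dnscmd %DNSSRV% /ZoneAdd ru /Primary /file ru.dns
dnscmd %DNSSRV% /ZoneAdd cn /Primary /file cn.dns

REM 2. Confirm both zones are loaded before testing from clients.
dnscmd %DNSSRV% /ZoneInfo ru
dnscmd %DNSSRV% /ZoneInfo cn

REM 3. Verify against THIS server explicitly (second nslookup argument), after
REM    clearing the local resolver cache. Expected reply: "Non-existent domain".
REM    A "Non-authoritative answer" that still resolves means the query was answered
REM    from cache or by a different server (e.g. another entry in the client's DNS
REM    server list), not by the zone you just created.
ipconfig /flushdns
nslookup pravda.ru %COMPUTERNAME%

REM 4. Roll back when the temporary block is lifted (/f skips the confirmation).
REM    Uncomment these two lines to remove the dummy zones.
REM dnscmd %DNSSRV% /ZoneDelete ru /f
REM dnscmd %DNSSRV% /ZoneDelete cn /f
```

Run it once per DNS server that clients use; a client with a second DNS server in its list that does not carry the dummy zones will still get a real answer from that server, which is the most common reason the nslookup test resolves anyway.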

Author

Commented:
Got it all worked out - thanks.