DEFclub
asked on
block high level domains
I want to block certain high level domains via configurations on my windows 2003 DNS servers. How can I do this?
Not sure what you mean, but you can claim to be authoritative for the domains and point users to whatever you want. That will block access to the domains in question.
Do you mean blocking DNS resolution of particular TLD's? Is there a specific reason you would want to do this?
ASKER
I want to block all traffic going to Russia and China for clients using my Windows 2003 DNS servers.
Removing the ability to properly resolve .ru and .cn domains is not going to prevent traffic going to domains of those TLD's. If you want to block all traffic to a specific IP or block of IP's, do so at your router or firewall.
If you do only want to block DNS resolution of domains under those TLD's, then as WalterH said you need to create dummy zones for those TLD's and make your internal DNS servers authoritative for them.
Keep in mind, however, that if at some point in the future you need to send or receive mail to a .ru or .cn domain, you will not be able to. If you ever have to interact with a customer in .ru or .cn, you will not be able to. What I'm trying to say is, I don't think what you are doing is the best decision. Block specific sites, sure. Blocking entire countries? Generally not a good business practice.
As far as I know, this cannot be done using DNS servers. You can block all traffic for .cn and .ru domains, but if there is a .com domain that is in China, you cannot block it with DNS. I suggest you look at
http://www.parkansky.com/china.htm
for information about how to block traffic from China. You can use RRAS in Windows 2003 to block the ranges of addresses listed on that web site.
ASKER
Yep, I'm completely aware of the ramifications of blocking those HLDs; this is temporary. So I create a primary zone in DNS? Then what?
ASKER
Is there a wildcard I need to set at the domain name, or just .ru, or?
OK as long as you are aware. I'll bow out and let WalterH finish this one up.
Good luck!
ASKER
I have a security team on-site requesting this be done. I will search further.
It is as easy as creating a primary zone in DNS with the simple names of ru and cn. Then when someone does a DNS lookup for a name like pravda.ru, the server will respond that there is no such name and the site is blocked.
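To make the mechanism behind the dummy-zone approach concrete (and the caveat raised earlier that a DNS block is not an IP block), here is an added example that is not part of the original thread. It models a DNS server that is authoritative for a few zones and forwards everything else: a dummy zone named `ru` or `cn` with no records turns every name under it into an NXDOMAIN answer without forwarding, while names outside those zones are still forwarded and resolve normally. The zone names, the upstream answers, and the `198.51.100.0/24` "blocked country" range are all constructed for the example; the internal zone `corp.example` is likewise hypothetical.

```python
"""Model of how an authoritative "dummy" TLD zone changes resolution, and why
it is not an IP-level block.  Added example; not code from the original thread."""
import ipaddress

# Zones this server is authoritative for: zone name -> {fqdn: IPv4}.
# An empty dict is the "dummy zone" from the thread: no records at all, so
# every name under it gets NXDOMAIN.  (Constructed data.)
LOCAL_ZONES = {
    "corp.example": {"www.corp.example": "10.0.0.10"},  # hypothetical internal zone
    "ru": {},
    "cn": {},
}

# Constructed stand-in for what the forwarder / root servers would return.
UPSTREAM = {
    "pravda.ru": "192.0.2.10",
    "example.com": "192.0.2.20",
    "shop.example.com": "198.51.100.5",  # a .com name hosted inside a range we want blocked
    "ru.example.com": "192.0.2.30",      # "ru" as a left-hand label, not a TLD
}

# Constructed address ranges standing in for a country block list applied
# at the router / firewall (RRAS packet filters in the thread's context).
BLOCKED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def closest_zone(qname, zones):
    """Return the locally held zone whose labels form the longest suffix of qname.

    This is how a server decides it is authoritative: matching is done
    label by label from the right, so the zone "ru" covers pravda.ru and
    www.pravda.ru without any wildcard, but does not cover ru.example.com.
    """
    labels = qname.lower().rstrip(".").split(".")
    best = None
    for zone in zones:
        zl = zone.lower().split(".")
        if len(zl) <= len(labels) and labels[-len(zl):] == zl:
            if best is None or len(zl) > len(best.split(".")):
                best = zone
    return best


def resolve(qname):
    """Return (rcode, address, authoritative) for a query against this server."""
    name = qname.lower().rstrip(".")
    zone = closest_zone(name, LOCAL_ZONES)
    if zone is not None:
        # Authoritative for the enclosing zone: answer from zone data and
        # never forward, even when the name is missing.
        addr = LOCAL_ZONES[zone].get(name)
        if addr is None:
            return ("NXDOMAIN", None, True)
        return ("NOERROR", addr, True)
    # Not ours: forward.  The answer comes back non-authoritative.
    addr = UPSTREAM.get(name)
    if addr is None:
        return ("NXDOMAIN", None, False)
    return ("NOERROR", addr, False)


def ip_blocked(addr):
    """True if the address falls in one of the filtered ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_RANGES)


def client_can_reach(qname):
    """Reachable only if the name resolves and the address passes the IP filter.

    Shows the gap the thread points out: shop.example.com resolves fine
    through DNS (it is not under ru or cn) and is only stopped by the
    address-range filter.
    """
    rcode, addr, _ = resolve(qname)
    if rcode != "NOERROR":
        return False
    return not ip_blocked(addr)


if __name__ == "__main__":
    for q in ["pravda.ru", "www.pravda.ru", "mail.cn", "ru.example.com",
              "example.com", "shop.example.com", "www.corp.example"]:
        print(f"{q:20} {resolve(q)}  reachable={client_can_reach(q)}")
```

The lookup for `pravda.ru` never leaves the server once a local `ru` zone exists, which is why no wildcard record is needed: the zone match is on the label suffix, not on a pattern. If a client still gets a non-authoritative answer for such a name, it is being answered by some other resolver, or the zone is not loaded on the server it is asking.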
ASKER CERTIFIED SOLUTION
ASKER
I'm noticing when I do that, nslookup says non-authoritative like it should, but then it looks like it forwards somewhere else and resolves it. Ideas?
ASKER
Got it all worked out - thanks