Block DNS requests through SBS 2003 gateway

Posted on 2012-09-06
Medium Priority
Last Modified: 2012-09-18

I've been asked to configure the gateway function in SBS 2003 so that users cannot use it as an alternate gateway to bypass our default gateway. I need to continue to use the RRAS services on the SBS box because of other remote access services that it provides.

Is it possible to put a filter on the SBS machine that will drop outgoing DNS requests from my internal clients?

I'm looking for the specific steps required to do this if it is feasible.

Question by: Maritimed

Expert Comment

by: Rob Williams
ID: 38372705
SBS 2003 has only 2 accepted configurations.
1.  2 NICs, and it acts as the gateway for the network
2.  1 NIC, and it is just another device on the LAN

Are you wanting to stop clients from using the SBS as a gateway, or from using it for DNS? These are 2 different things.

If the SBS is properly configured with 2 NICs and clients are using the router as the gateway, they cannot access the SBS because they are on the WAN side of the server.  If the SBS has 1 NIC it can't be a gateway. This cannot be changed.

As for DNS, clients must point ONLY to the SBS, i.e. it must be the primary DNS server, and there cannot be an alternate unless you have another Windows DNS/DC server.  If you don't have the clients pointing to the SBS for DNS they cannot access the SBS. If you have an alternate DNS server in their configuration, such as an ISP, router, or Google DNS, they will have slow logons, name resolution issues, and connect wizard failures.

Perhaps could you clarify what you want to do and the current configuration?

Author Comment

ID: 38372954
It is presently configured with 2 NICs.

It is providing all of the typical SBS functions such as email, remote access, logon, etc.

We are a technical shop with users that have to be able to make changes to their own network card settings as part of their jobs (setting up devices, testing etc.). Due to this, we cannot simply lock down their ability to manage the IP addressing of their computers.

We are attempting to configure what sites they can visit on the internet by using functionality provided by the OpenDNS servers. However, when the users can change their own IP addressing, they can also easily set the DNS server to something besides the OpenDNS servers. The thinking is that we would disallow external DNS calls to any but the IP addresses of the OpenDNS-provided ones.


Expert Comment

by: Rob Williams
ID: 38373040
I appreciate your predicament.  A few possibilities:

You can lock down their PCs with group policy, but you say they need to be able to make changes?

If that is the case you could change the DNS forwarders on the SBS to be only those of OpenDNS; however, that would affect all users. Is that OK?
As I understand it the paid OpenDNS service allows more granular control and lets you set different rules for different users.  I have also heard the cost of the paid service has increased significantly.

You can also use DHCP Class IDs to assign different DNS servers to specific devices, but they would be able to change these themselves if they wanted to.

You could add a second router and put them on a different network.

The ideal solution is to add a proxy server which will allow very tight control of users and allow monitoring of activity.

Author Comment

ID: 38373078
Thanks Rob.

The DNS forwarders are set to OpenDNS already.

We do have a second router available to us on the network, which we can lock down the DNS on (it is a Firebox).

Is it possible to turn off the routing function from the LAN on the SBS box and still retain its functionality for remote access, email etc.?

Accepted Solution

Rob Williams earned 2000 total points
ID: 38373120
>>"Is it possible to turn off the routing function from the LAN on the SBS box and still retain its functionality for remote access, email etc.? "
Yes, by converting it to 1 NIC, but that does not affect DNS queries; it just disables it as a gateway/router.
If clients are to access it from the LAN, it must manage DNS.  If the LAN users do not need to access it, pull the LAN network cable :-)
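For readers who, like the asker, have to keep the two-NIC RRAS role and still want the filter the original question asked for, here is an added example of how that can be expressed with RRAS IP packet filters through netsh on Windows Server 2003. It is not part of the thread and is not Rob Williams's recommendation (his accepted answer is to drop to one NIC). It assumes the external NIC is named "Network Connection" (check with `netsh routing ip show interface`), that the OpenDNS resolvers are 208.67.222.222 and 208.67.220.220, and that the outbound services listed in the script are the only ones the WAN NIC needs to carry; adjust all three to your box. The important caveat is that RRAS filters have no "except" clause: an OUTPUT list with action=FORWARD drops what is listed and passes everything else, which cannot say "DNS, except to OpenDNS", so the only way to get that result is an allow-list (action=DROP) that enumerates every other outbound service as well.

```batch
@echo off
REM Added example (not from the original thread): allow-list of RRAS OUTPUT
REM filters on the SBS 2003 WAN interface so the only DNS traffic leaving
REM through the server goes to OpenDNS.  Assumptions: external NIC is named
REM "Network Connection", OpenDNS resolvers are 208.67.222.222 and
REM 208.67.220.220, and the services in step 3 are all the WAN NIC must carry.
REM Run from a cmd prompt as a Domain Admin on the SBS itself.
REM
REM RRAS filters cannot express "except": action=DROP means "drop everything
REM not listed below", so everything the box needs outbound must be listed.

setlocal
set WAN=Network Connection
set ANYSRC=srcaddr=0.0.0.0 srcmask=0.0.0.0
set ANYDST=dstaddr=0.0.0.0 dstmask=0.0.0.0
set HOST=dstmask=255.255.255.255

REM 1. DNS (UDP and TCP port 53) only to the two OpenDNS resolvers.  This
REM    covers both the server's own forwarders and any LAN client that has
REM    pointed its DNS elsewhere while routing through the SBS.
for %%R in (208.67.222.222 208.67.220.220) do (
  netsh routing ip add filter name="%WAN%" filtertype=OUTPUT %ANYSRC% dstaddr=%%R %HOST% proto=UDP srcport=0 dstport=53
  netsh routing ip add filter name="%WAN%" filtertype=OUTPUT %ANYSRC% dstaddr=%%R %HOST% proto=TCP srcport=0 dstport=53
)

REM 2. Replies to inbound connections (OWA/RWW on 443, SMTP 25, PPTP 1723).
REM    TCP-EST matches only established TCP, so it does not reopen TCP/53
REM    to arbitrary resolvers.  PPTP also needs GRE (protocol 47) outbound,
REM    which these netsh keywords do not cover; add it in the RRAS console
REM    filter dialog (protocol "Other", number 47) if you use PPTP.
netsh routing ip add filter name="%WAN%" filtertype=OUTPUT %ANYSRC% %ANYDST% proto=TCP-EST srcport=0 dstport=0

REM 3. Outbound services clients and the server still need.  Anything not
REM    listed here is dropped once action=DROP is set, so extend as required.
for %%P in (80 443 25) do (
  netsh routing ip add filter name="%WAN%" filtertype=OUTPUT %ANYSRC% %ANYDST% proto=TCP srcport=0 dstport=%%P
)
netsh routing ip add filter name="%WAN%" filtertype=OUTPUT %ANYSRC% %ANYDST% proto=UDP srcport=0 dstport=123
netsh routing ip add filter name="%WAN%" filtertype=OUTPUT %ANYSRC% %ANYDST% proto=ICMP type=255 code=255

REM 4. Switch the OUTPUT list to allow-list semantics and review the result.
netsh routing ip set filter name="%WAN%" filtertype=OUTPUT action=DROP
netsh routing ip show filter name="%WAN%"
endlocal
```

Only the OUTPUT list on the WAN interface is changed; the INPUT list is left alone, and RRAS filters are stateless, so replies to the permitted traffic keep flowing in. To check the result from a LAN client that has the SBS as its gateway, `nslookup www.example.com 208.67.222.222` should answer while `nslookup www.example.com 8.8.8.8` should time out. The filter only governs traffic that actually passes through the SBS; a client that picks the Firebox as its gateway is governed by the Firebox's own DNS rule, which has to be set separately.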
