Block DNS requests through SBS 2003 gateway

Posted on 2012-09-06
Last Modified: 2012-09-18

I've been asked to configure the gateway function in SBS 2003 so that users cannot use it as an alternate gateway to bypass our default gateway. I need to continue to use the RRAS services on the SBS box because of other remote access services that it provides.

Is it possible to put a filter on the SBS machine that will drop outgoing DNS requests from my internal clients?

I'm looking for the specific steps required to do this if it is feasible.

Question by: Maritimed
    LVL 77

    Expert Comment

    by: Rob Williams
    SBS 2003 has only 2 accepted configurations:
    1.  2 NICs, and it acts as the gateway for the network
    2.  1 NIC, and it is just another device on the LAN

    Are you wanting to stop clients from using the SBS as a gateway, or to stop them using it for DNS? Those are 2 different things.

    If the SBS is properly configured with 2 NICs and clients are using the router as the gateway, they cannot access the SBS because they are on the WAN side of the server.  If the SBS has 1 NIC it can’t be a gateway. This cannot be changed.

    As for DNS, clients must point ONLY to the SBS, i.e. it must be the primary DNS server, and there cannot be an alternate unless you have another Windows DNS/DC server.  If you don’t have the SBS clients pointing to the SBS for DNS, they cannot access the SBS; if you have an alternate DNS server in their configuration, such as an ISP, router, or Google DNS, they will have slow logons, name resolution issues, and connect wizard failures.

    Could you perhaps clarify what you want to do and the current configuration?

    Author Comment

    It is presently configured with 2 NICs.

    It is providing all of the typical SBS functions such as email, remote access, logon, etc.

    We are a technical shop with users that have to be able to make changes to their own network card settings as part of their jobs (setting up devices, testing etc.). Due to this, we cannot simply lock down their ability to manage the IP addressing of their computers.

    We are attempting to configure what sites they can visit on the internet by using functionality provided by the OpenDNS servers. However, when the users can change their own IP addressing, they can also easily set the DNS server to something besides the OpenDNS servers. The thinking is that we would disallow external DNS calls to any but the IP addresses of the OpenDNS provided ones.

    LVL 77

    Expert Comment

    by: Rob Williams
    I appreciate your predicament.  A few possibilities:

    You can lock down their PCs with group policy, but you say they need to be able to make changes?

    If that is the case you could change the DNS forwarders on the SBS to be only that of OpenDNS; however, that would affect all users. Is that OK?
    As I understand it the paid OpenDNS service allows more granular control and lets you set different rules for different users.  I have also heard the cost of the paid service has increased significantly.

    You can also use DHCP ClassIDs to assign different DNS servers to specific devices, but they would be able to change these themselves if they wanted to.

    You could add a second router and put them on a different network.

    The ideal solution is to add a proxy server which will allow very tight control of users and allow monitoring of activity.

    Author Comment

    Thanks Rob.

    The DNS forwarders are set to OpenDNS already.

    We do have a second router available to us on the network, which we can lock down the DNS on (it is a Firebox).

    Is it possible to turn off the routing function from the LAN on the SBS box and still retain its functionality for remote access, email etc.?

    LVL 77

    Accepted Solution

    >>"Is it possible to turn off the routing function from the LAN on the SBS box and still retain its functionality for remote access, email etc.? "
    Yes, by converting it to 1 NIC, but that does not affect DNS queries; it just disables it as a gateway/router.
    If clients are to access it from the LAN it must manage DNS.  If the LAN users do not need to access it, pull the network LAN cable :-)
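A defender-side check in the spirit of this thread, added here and not part of any post above: since the users can edit their own adapter settings, the script parses `ipconfig /all` output from a workstation and flags any adapter whose DNS servers are not the SBS, or whose default gateway is the SBS instead of the router, which is the bypass the question describes. The sample output and the addresses 192.168.16.1 (router/Firebox) and 192.168.16.2 (SBS LAN NIC) are constructed assumptions.

```python
import re

# Constructed sample of `ipconfig /all` output (not taken from the thread).
# Adapter 1 is compliant; adapter 2 was hand-edited to an outside DNS server
# and to the SBS as its gateway, the bypass the question describes.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Default Gateway . . . . . . . . . : 192.168.16.1
   DNS Servers . . . . . . . . . . . : 192.168.16.2

Ethernet adapter Lab Connection:

   Default Gateway . . . . . . . . . : 192.168.16.2
   DNS Servers . . . . . . . . . . . : 192.168.16.2
                                       8.8.8.8
"""
SBS_DNS = "192.168.16.2"           # assumed LAN address of the SBS
APPROVED_GATEWAY = "192.168.16.1"  # assumed address of the router (Firebox)

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")  # dotted-leader key/value row
CONT_RE = re.compile(r"^\s{20,}(\S.*)$")          # extra value, e.g. 2nd DNS server


def parse_ipconfig(text: str) -> dict:
    """Return {adapter: {field: [values]}}; a field may carry several values."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            current, last_key = m.group(1), None
            adapters[current] = {}
        elif current and (m := FIELD_RE.match(line)):
            last_key, value = m.group(1).strip(), m.group(2).strip()
            adapters[current][last_key] = [value] if value else []
        elif current and last_key and (m := CONT_RE.match(line)):
            adapters[current][last_key].append(m.group(1).strip())
    return adapters


def audit(adapters: dict, sbs_dns=SBS_DNS, gateway=APPROVED_GATEWAY) -> list:
    """Flag adapters using any DNS server but the SBS, or a gateway other than the router."""
    findings = []
    for name, fields in adapters.items():
        rogue_dns = [s for s in fields.get("DNS Servers", []) if s != sbs_dns]
        if rogue_dns:
            findings.append((name, "dns", rogue_dns))
        gw = fields.get("Default Gateway", [])
        if gw and gw != [gateway]:
            findings.append((name, "gateway", gw))
    return findings
```

Run it over `ipconfig /all > ws.txt` collected from each workstation (e.g. by a logon script) and the findings list names the adapters that have been pointed away from the SBS or the router.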
