Maritimed

asked on
Block DNS requests through SBS 2003 gateway

Hello,

I've been asked to configure the gateway function in SBS 2003 so that users cannot use it as an alternate gateway to bypass our default gateway. I need to continue to use the RRAS services on the SBS box because of other remote access services that it provides.

Is it possible to put a filter on the SBS machine that will drop outgoing DNS requests from my internal clients?

I'm looking for the specific steps required to do this if it is feasible.

Thanks!
Rob Williams

SBS 2003 has only 2 accepted configurations.
1.  2 NICs, and it acts as the Gateway for the network
2.  1 NIC, and it is just another device on the LAN

Are you wanting to stop clients from using the SBS as a gateway, or from using it for DNS? These are 2 different things.

If the SBS is properly configured with 2 NICs and clients are using the router as the gateway, they cannot access the SBS because they are on the WAN side of the server. If the SBS has 1 NIC it can’t be a gateway. This cannot be changed.

As for DNS, clients must point ONLY to the SBS, i.e. it must be the primary DNS server, and there cannot be an alternate unless you have another Windows DNS/DC server. If you don’t have the SBS clients pointing to the SBS for DNS they cannot access the SBS; if you have an alternate DNS server in their configuration, such as an ISP, router, or Google DNS, they will have slow logons, name resolution issues, and connect wizard failures.

Perhaps you could clarify what you want to do and the current configuration?
Maritimed (ASKER)

It is presently configured with 2 NICs.

It is providing all of the typical SBS functions such as email, remote access, logon, etc.

We are a technical shop with users that have to be able to make changes to their own network card settings as part of their jobs (setting up devices, testing etc.). Due to this, we cannot simply lock down their ability to manage the IP addressing of their computers.

We are attempting to configure what sites they can visit on the internet by using functionality provided by the OpenDNS servers. However, when the users can change their own IP addressing, they can also easily set the DNS server to something besides the OpenDNS servers. The thinking is that we would disallow external DNS calls to any but the IP addresses of the OpenDNS provided ones.

Thanks!
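The policy the asker describes, as an added example that is not part of the thread: a check over constructed firewall-style log lines that flags LAN hosts sending port-53 traffic to anything other than the SBS (assumed to be 192.168.1.2 on an assumed 192.168.1.0/24 LAN) or the OpenDNS resolvers (assumed public addresses 208.67.222.222 and 208.67.220.220; verify against OpenDNS documentation). Such a report shows which clients have changed their DNS settings, independent of whether the drop is enforced on the SBS or the Firebox.

```python
import ipaddress
import re

# Assumed values (not from the thread): OpenDNS resolvers the SBS forwarders
# point at, the internal SBS DNS address, and the internal subnet.
ALLOWED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
INTERNAL_RESOLVER = "192.168.1.2"
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample log lines: "src:sport -> dst:dport PROTO"
SAMPLE_LOG = """\
192.168.1.50:51234 -> 208.67.222.222:53 UDP
192.168.1.51:49000 -> 8.8.8.8:53 UDP
192.168.1.52:49001 -> 192.168.1.2:53 UDP
192.168.1.53:49002 -> 1.1.1.1:53 TCP
192.168.1.54:49003 -> 93.184.216.34:443 TCP
10.9.9.9:40000 -> 8.8.4.4:53 UDP
"""

LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (UDP|TCP)$")


def dns_bypass_events(log_text, internal_resolver=INTERNAL_RESOLVER):
    """Return (src, dst) pairs for DNS flows (dst port 53, UDP or TCP) from
    LAN hosts whose destination is neither the SBS nor an OpenDNS resolver.
    Flows from outside the LAN and non-DNS flows are ignored."""
    permitted = ALLOWED_RESOLVERS | {internal_resolver}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        src, _sport, dst, dport, _proto = m.groups()
        if dport != "53":
            continue
        if ipaddress.ip_address(src) not in LAN:
            continue
        if dst not in permitted:
            findings.append((src, dst))
    return findings


if __name__ == "__main__":
    for src, dst in dns_bypass_events(SAMPLE_LOG):
        print(f"DNS bypass: {src} queried {dst} instead of the SBS/OpenDNS")
```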
I appreciate your predicament.  A few possibilities:

You can lock down their PCs with group policy, but you say they need to be able to make changes?

If that is the case you could change the DNS forwarders on the SBS to be only that of OpenDNS; however, that would affect all users. Is that OK?
As I understand it, the paid OpenDNS service allows more granular control and lets you set different rules for different users. I have also heard the cost of the paid service has increased significantly.

You can also use DHCP ClassIDs to assign different DNS servers to specific devices, but they would be able to change this themselves if they wanted to.

You could add a second router and put them on a different network.

The ideal solution is to add a proxy server which will allow very tight control of users and allow monitoring of activity.
Thanks Rob.

The DNS forwarders are set to OpenDNS already.

We do have a second router available to us on the network, which we can lock down the DNS on (it is a Firebox).

Is it possible to turn off the routing function from the LAN on the SBS box and still retain its functionality for remote access, email etc.?
ASKER CERTIFIED SOLUTION
Rob Williams