MS Server 2008 R2: Use conditional forwarder to block websites?

I run a Windows Server 2008 R2 network with 2 DCs providing DNS and DHCP to about 65 internal users.  The DHCP licenses define the 'main' DC as the DNS server for the clients.  I have several dozen internal resources named and pointed as forward zones and then simply route all www. traffic to our ISP's DNS server first and Google's public DNS second via conditional forwarding.  Works as expected.

I'm experiencing more and more of a need to limit web traffic, specifically sites such as Spotify.  Would conditional forwarding be the preferred method to accomplish this?  If so, what might the setup look like?  I'm thinking forwarder #1 is for all www and then there's a second forwarder created for all www.spotify dns requests, a third for www.pandora requests, etc.  These blocking forwarders would not resolve for the user.   I feel certain I'm oversimplifying the process and wanted some feedback before I started poking around.

First, let's clarify something in your first paragraph. Setting your ISP's DNS server as the first resolver and Google's as the secondary is not "conditional" forwarding.

As for your solution, yes you could do this, but you don't want to specify www.spotify or www.pandora... because those are not domain names. A conditional forwarder queries based on the domain name of the domain they are trying to reach, and then will send the host query for that domain to the specified server.

So... you could create a conditional forwarder for and and set them to point to (don't use 1)... or any other IP Address that does not resolve or can not be connected to. The result is that the query will fail and your client will not receive the IP address.

Be sure that your client workstations do not have rights to change their own network settings, or there's nothing stopping them from pointing directly to Google's public DNS servers and bypassing yours.

Also note that if your users are aware of the proper IP address for the servers they want to go to, they can type in the IP address in their browser and bypass DNS completely.
Raj-GT (Systems Engineer) commented:
What you are proposing will work fine in theory, as long as the user/application is using the dns name to browse and access the sites. This will not prevent them from using the IP address of the site. You should consider implementing a web proxy if you want a scalable solution.

kmorrison65 (Author) commented:
I was under the impression that my conditional forwarder, which simply has the prefix www, was handling all dns requests not handled by my forward zones, in which the pointers all look like this: and resolve to a private address.  The 'condition' being the www prefix.  Is this not accurate?

Yes, I mistyped with  www.pandora, the intention would be to utilize domain names.  My concern is that all of these dead end DNS queries will somehow jam legitimate traffic.

No.. the "condition" is the root of the domain that your queries go to.

Any DNS queries that are not resolved by your local DNS server have to be redirected somewhere. If you don't have any other choices configured, then your server will go out to ask the Internet root hints hosts.

If you have a specific DNS source for a particular domain, then you create a conditional forwarder so that queries for that domain are directed to a particular DNS server.

For example if you are trying to query a host at, whether it's,, or, all of the "" queries will be addressed by the DNS server.
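To make that matching rule concrete, here is a small Python model (added here; it is not from the thread or from Microsoft) of how a Windows DNS server decides where a query it cannot answer itself is sent: own forward zones first, then the longest matching conditional forwarder by domain suffix, then the server-level forwarder list. The zone names, the 192.0.2.1 "blackhole" address and the 203.0.113.53 stand-in for the ISP resolver are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class DnsServerConfig:
    # Constructed sample config: zone name -> {FQDN -> private IP}
    forward_zones: dict
    # domain name -> list of DNS servers (the "condition" is the domain suffix)
    conditional_forwarders: dict
    # server-level forwarders tried in order for everything else
    forwarders: list

def _labels(name):
    return name.lower().rstrip(".").split(".")

def _under(name, domain):
    """True if name is domain itself or a host/subdomain inside it (label-wise)."""
    n, d = _labels(name), _labels(domain)
    return len(n) >= len(d) and n[-len(d):] == d

def route_query(cfg, qname):
    """Where does the server send qname? Returns (stage, target)."""
    # 1. Our own forward zones answer first (a missing host is NXDOMAIN, not forwarded).
    for zone, hosts in cfg.forward_zones.items():
        if _under(qname, zone):
            return ("zone", hosts.get(qname.lower().rstrip(".")))
    # 2. Conditional forwarders: pick the longest domain suffix that matches.
    #    A "www" prefix is never a condition; www.spotify.com, api.spotify.com
    #    and spotify.com itself all fall under spotify.com.
    best = None
    for domain in cfg.conditional_forwarders:
        if _under(qname, domain) and (best is None or len(_labels(domain)) > len(_labels(best))):
            best = domain
    if best is not None:
        return ("conditional", cfg.conditional_forwarders[best])
    # 3. Anything else goes to the server-level forwarders (ISP first, then Google).
    return ("forwarders", cfg.forwarders)

def sample_config():
    return DnsServerConfig(
        forward_zones={"corp.example": {"intranet.corp.example": "10.0.0.5"}},
        # 192.0.2.1 is a documentation address that never answers: the "blackhole"
        conditional_forwarders={"spotify.com": ["192.0.2.1"], "pandora.com": ["192.0.2.1"]},
        # 203.0.113.53 is a constructed stand-in for the ISP resolver; 8.8.8.8 is Google public DNS
        forwarders=["203.0.113.53", "8.8.8.8"],
    )

if __name__ == "__main__":
    cfg = sample_config()
    for q in ("intranet.corp.example", "www.spotify.com", "api.spotify.com",
              "notspotify.com", "www.example.org"):
        print(f"{q:24} -> {route_query(cfg, q)}")
```

Note that a conditional forwarder pointed at an address that never answers does not produce an immediate "domain not found": the client waits out the forwarder timeout and then receives a server failure, which is the "dead end" behaviour the author is worried about. Matching is on whole labels, so notspotify.com is not caught by a spotify.com forwarder.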

kmorrison65 (Author) commented:
After consideration, I've decided to simply compile and block the problem addresses using an ACL applied to the outgoing interface on our Cisco router.  A little more involved but probably the best solution.
Are you blocking DNS requests, or connections to specific IP Addresses?

What happens when a company changes some of their IP Addresses?

What about your users getting a proper DNS result, and then attempting to connect, and instead being timed out waiting for a connection and getting an error page?

Block it at DNS and they would get back an error message saying that the domain cannot be found.