MS Server 2008 R2: Use conditional forwarder to block websites?

I run a Windows Server 2008 R2 network with 2 DCs providing DNS and DHCP to about 65 internal users.  The DHCP licenses define the 'main' DC as the DNS server for the clients.  I have several dozen internal resources named and pointed as forward zones and then simply route all www. traffic to our ISP's DNS server first and Google's public DNS second via conditional forwarding.  Works as expected.

I'm experiencing more and more of a need to limit web traffic, specifically sites such as Spotify.  Would conditional forwarding be the preferred method to accomplish this?  If so, what might the setup look like?  I'm thinking forwarder #1 is for all www and then there's a second forwarder created for all www.spotify dns requests, a third for www.pandora requests, etc.  These blocking forwarders would not resolve for the user.   I feel certain I'm oversimplifying the process and wanted some feedback before I started poking around.
dhoffman_98 commented:
No.. the "condition" is the root of the domain that your queries go to.

Any DNS queries that are not resolved by your local DNS server have to be redirected somewhere. If you don't have any other choices configured, then your server will go out to ask the Internet root hints hosts.

If you have a specific DNS source for a particular domain, then you create a conditional forwarder so that queries for that domain are directed to a particular DNS server.

For example, if you are trying to query a host at, whether it's,, or, all of the "" queries will be addressed by the DNS server.
First, let's clarify something in your first paragraph. Setting your ISP's DNS server as first resolver and Google's as a secondary is not "conditional" forwarding.

As for your solution, yes you could do this, but you don't want to specify www.spotify or www.pandora... because those are not domain names. A conditional forwarder queries based on the domain name of the domain they are trying to reach, and then will send the host query for that domain to the specified server.

So... you could create a conditional forwarder for and and set them to point to (don't use 1)... or any other IP Address that does not resolve or can not be connected to. The result is that the query will fail and your client will not receive the IP address.

Be sure that your client workstations do not have rights to change their own network settings, or there's nothing stopping them from pointing directly to Google's public DNS servers and bypassing yours.

Also note that if your users are aware of the proper IP address for the servers they want to go to, they can type in the IP address in their browser and bypass DNS completely.
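The two answers above turn on one point: a conditional forwarder is keyed on a zone name, so a forwarder for the zone (not for a host such as "www.spotify") catches every host under it, and pointing that forwarder at an address that never answers turns it into a sinkhole. The following model, added here as an illustration and not code from the thread or from Windows DNS, replays that selection logic for a handful of query names. The zone list, the sinkhole address 192.0.2.1, and the ISP resolver 198.51.100.53 are constructed values (RFC 5737 documentation ranges); only 8.8.8.8 is the real Google address the question mentions. It assumes the server does not fall back to root hints when a conditional forwarder is unreachable, which should be verified on the actual server.

```python
"""Model of how a DNS server chooses who answers a query name.

Constructed example (not from the thread): a conditional forwarder is keyed
on a zone such as spotify.com, so www.spotify.com, api.spotify.com and
spotify.com itself all go to the configured server, while names that merely
contain the string (notspotify.com, spotify.com.evil.example) do not.
"""
from typing import Optional

# Constructed configuration. 192.0.2.1 and 198.51.100.53 are documentation
# addresses (RFC 5737), used here as "a dead forwarder" and "the ISP resolver".
SINKHOLE = "192.0.2.1"        # assumed unreachable: queries sent here fail
ISP_DNS = "198.51.100.53"     # stands in for the ISP's resolver
GOOGLE_DNS = "8.8.8.8"        # Google public DNS, the secondary in the question

# Conditional forwarders as entered in the DNS console: zone -> server list.
# Keys are zone names, never host names like "www.spotify".
CONDITIONAL_FORWARDERS = {
    "spotify.com": [SINKHOLE],
    "pandora.com": [SINKHOLE],
}

# Ordinary (non-conditional) forwarders used for everything else.
DEFAULT_FORWARDERS = [ISP_DNS, GOOGLE_DNS]

# Forward lookup zones the server is authoritative for: answered locally.
LOCAL_ZONES = {"corp.example"}


def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def matching_zone(name: str, zones) -> Optional[str]:
    """Return the longest configured zone that `name` equals or lies under, else None.

    Matching is label-wise, so "notspotify.com" and "spotify.com.evil.example"
    do not match the zone "spotify.com".
    """
    labels = _labels(name)
    best = None
    for zone in zones:
        zl = _labels(zone)
        if len(zl) <= len(labels) and labels[-len(zl):] == zl:
            if best is None or len(zl) > len(_labels(best)):
                best = zone
    return best


def route_query(name: str) -> dict:
    """Decide who answers: a local zone, a conditional forwarder, or the default forwarders."""
    zone = matching_zone(name, LOCAL_ZONES)
    if zone:
        return {"name": name, "handled_by": "local", "zone": zone, "servers": []}
    zone = matching_zone(name, CONDITIONAL_FORWARDERS)
    if zone:
        return {"name": name, "handled_by": "conditional", "zone": zone,
                "servers": CONDITIONAL_FORWARDERS[zone]}
    return {"name": name, "handled_by": "default", "zone": None,
            "servers": DEFAULT_FORWARDERS}


def is_sinkholed(name: str) -> bool:
    """True when the query would only ever reach the dead forwarder, i.e. it fails."""
    r = route_query(name)
    return r["handled_by"] == "conditional" and all(s == SINKHOLE for s in r["servers"])


if __name__ == "__main__":
    for q in ["www.spotify.com", "api.spotify.com", "spotify.com",
              "www.spotify.com.evil.example", "notspotify.com",
              "intranet.corp.example", "www.example.org"]:
        r = route_query(q)
        print(f"{q:32} -> {r['handled_by']:<12} zone={r['zone']} "
              f"servers={r['servers']} blocked={is_sinkholed(q)}")
```

Running it shows the three spotify.com names and both pandora.com names routed to the dead forwarder, the corp.example name answered locally, and everything else sent to the ISP and Google forwarders in order. The lookalike names that only contain "spotify.com" as a substring are routed normally, which is the behaviour you want: the block is per zone, not per text match.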
Raj-GT (Systems Engineer) commented:
What you are proposing will work fine in theory, as long as the user/application is using the dns name to browse and access the sites. This will not prevent them from using the IP address of the site. You should consider implementing a web proxy if you want a scalable solution.

kmorrison65 (Author) commented:
I was under the impression that my conditional forwarder, which simply has the prefix www, was handling all dns requests not handled by my forward zones, in which the pointers all look like this: and resolve to a private address.  The 'condition' being the www prefix.  Is this not accurate?

Yes, I mistyped with www.pandora, the intention would be to utilize domain names.  My concern is that all of these dead end DNS queries will somehow jam legitimate traffic.
kmorrison65 (Author) commented:
After consideration, I've decided to simply compile and block the problem addresses using an ACL applied to the outgoing interface on our Cisco router.  A little more involved but probably the best solution.
Are you blocking DNS requests, or connections to specific IP Addresses?

What happens when a company changes some of their IP Addresses?

What about your users getting a proper DNS result, and then attempting to connect, and instead being timed out waiting for a connection and getting an error page?

Block it at DNS and they would get back an error message saying that the domain can not be found.