kmorrison65

asked on

MS Server 2008 R2: Use conditional forwarder to block websites?

I run a Windows Server 2008 R2 network with 2 DCs providing DNS and DHCP to about 65 internal users. The DHCP licenses define the 'main' DC as the DNS server for the clients. I have several dozen internal resources named and pointed as forward zones and then simply route all www. traffic to our ISP's DNS server first and Google's public DNS second via conditional forwarding. Works as expected.

I'm experiencing more and more of a need to limit web traffic, specifically sites such as Spotify. Would conditional forwarding be the preferred method to accomplish this? If so, what might the setup look like? I'm thinking forwarder #1 is for all www and then there's a second forwarder created for all www.spotify dns requests, a third for www.pandora requests, etc. These blocking forwarders would not resolve for the user. I feel certain I'm oversimplifying the process and wanted some feedback before I started poking around.
dhoffman_98

First, let's clarify something in your first paragraph. Setting your ISP's DNS server as the first resolver and Google's as a secondary is not "conditional" forwarding.

As for your solution, yes you could do this, but you don't want to specify www.spotify or www.pandora... because those are not domain names. A conditional forwarder queries based on the domain name of the domain they are trying to reach, and then will send the host query for that domain to the specified server.

So... you could create a conditional forwarder for spotify.com and pandora.com and set them to point to 127.0.0.2 (don't use 1)... or any other IP Address that does not resolve or can not be connected to. The result is that the query will fail and your client will not receive the IP address.

Be sure that your client workstations do not have rights to change their own network settings, or there's nothing stopping them from pointing directly to google's public DNS servers and bypassing yours.

Also note that if your users are aware of the proper IP address for the servers they want to go to, they can type in the IP address in their browser and bypass DNS completely.
Raj-GT
What you are proposing will work fine in theory, as long as the user/application is using the dns name to browse and access the sites. This will not prevent them from using the IP address of the site. You should consider implementing a web proxy if you want a scalable solution.

Thanks,
Raj
kmorrison65

ASKER

I was under the impression that my conditional forwarder, which simply has the prefix www, was handling all dns requests not handled by my forward zones, in which the pointers all look like this: helpdesk.ourdomain.com and resolve to a private address.  The 'condition' being the www prefix.  Is this not accurate?

Yes, I mistyped with www.pandora, the intention would be to utilize domain names. My concern is that all of these dead end DNS queries will somehow jam legitimate traffic.
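As an added illustration (not code from either participant), the following Python models how a Windows DNS server chooses between its own forward lookup zones, its conditional-forwarder zones and its server-level forwarders: it picks the longest zone name that is a suffix of the query name, which is why dhoffman_98's forwarder is named for spotify.com rather than www, why the www prefix the asker mentions never enters the decision, and why a forwarder pointed at an unreachable 127.0.0.2 leaves the client with a failed lookup. The zone names, the 203.0.113.53 address and the table layout are constructed assumptions.

```python
"""Model of how a Windows DNS server decides where a query goes.

Constructed example, not the original poster's configuration. The choice
is made on the longest zone name that is a suffix of the query name, on
label boundaries, so a leading 'www' label never takes part in it.
"""
from typing import Optional, Set

# Constructed tables standing in for what DNS Manager would show.
AUTHORITATIVE: Set[str] = {"ourdomain.com"}       # zones answered locally
CONDITIONAL = {                                    # zone -> master servers
    "spotify.com": ["127.0.0.2"],                  # deliberately unreachable
    "pandora.com": ["127.0.0.2"],
    "partner.example": ["10.9.8.7"],               # an ordinary conditional forwarder
}
DEFAULT_FORWARDERS = ["203.0.113.53", "8.8.8.8"]   # ISP resolver, then Google
SINKHOLE = "127.0.0.2"                             # the address suggested in the thread


def closest_zone(qname: str, zones: Set[str]) -> Optional[str]:
    """Return the longest zone in `zones` that is a suffix of qname."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def route(qname: str) -> dict:
    """Say how the server handles qname: local answer, forward, or fail."""
    zone = closest_zone(qname, AUTHORITATIVE | set(CONDITIONAL))
    if zone in AUTHORITATIVE:
        return {"zone": zone, "action": "answer-locally"}
    if zone in CONDITIONAL:
        masters = CONDITIONAL[zone]
        # A forwarder whose masters never answer leaves the client with a
        # failed lookup (timeout / server failure), not a usable address.
        action = "fail" if all(m == SINKHOLE for m in masters) else "forward"
        return {"zone": zone, "action": action, "to": masters}
    # No matching zone at all: ordinary server-level forwarding.
    return {"zone": None, "action": "forward", "to": DEFAULT_FORWARDERS}


if __name__ == "__main__":
    for name in ("www.spotify.com", "open.spotify.com", "helpdesk.ourdomain.com",
                 "www.example.com", "spotify.com.evil.example"):
        print(f"{name:28} -> {route(name)}")
```

Note that a look-alike such as spotify.com.evil.example is not caught, because matching is on whole-label suffixes, and that a client pointed at another resolver or typing an IP address never consults this table at all.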
ASKER CERTIFIED SOLUTION
dhoffman_98
After consideration, I've decided to simply compile and block the problem addresses using an ACL applied to the outgoing interface on our Cisco router. A little more involved but probably the best solution.

Are you blocking DNS requests, or connections to specific IP Addresses?

What happens when a company changes some of their IP Addresses?

What about your users getting a proper DNS result, and then attempting to connect, and instead being timed out waiting for a connection and getting an error page?

Block it at DNS and they would get back an error message saying that the domain cannot be found.