DNS configuration question

I am not a DNS expert. I would classify myself as slightly above novice here. So I'm wondering if somebody here with much more knowledge on the subject can help me with this question. My goal here is to now allow a computer to "talk" to the outside world when I specify the DNS server in its NIC settings. I would just like the PC to be able to talk to Active Directory and stay "internal" on our LAN, and be "blocked" from resolving things on the outside world.

Side note: we have forwarders and root hints set up on the DNS server.

Is this possible?
RVFB IT asked:
dipersp commented:
Possible, yes, but not advised in a domain situation.  All clients in a domain should point to the domain controller(s) ONLY for DNS.

Can you give a little more info as to why you want to do this?  Maybe we can find an alternative.
DrDave242 (Senior Support Engineer) commented:
I'm afraid there's no practical way to do this. Anytime your DNS server receives a query that it can't resolve, it's going to send it to the forwarders, then send the response back to the machine that issued the query. There's no mechanism for blocking external resolution from certain machines.

If you absolutely must do this, you could conceivably set up an additional DNS server to be used only by that one client. Remove any forwarders and root hints from that DNS server, and it won't be able to perform external resolution at all. You can configure zone transfers for the internal zones so that the client can still resolve everything internally. This is obviously not an efficient use of resources, though.

My goal here is to now allow a computer to "talk" to the outside world when I specify the DNS server in it's NIC settings.
BTW, I'm assuming you meant not allow. If you meant something else, please disregard my comment.
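The "separate DNS server with no forwarders or root hints" setup DrDave242 describes, as an added PowerShell example that was not posted in this thread. It assumes a Windows Server with the DNS Server role (DnsServer module) already installed, and uses placeholder values: AD zone corp.example, primary DC/DNS server 10.0.0.10, and 10.0.0.20 for this restricted server.

```powershell
# Added example, not from the thread: turn a freshly installed DNS server into an
# internal-only resolver that hosts read-only copies of the AD zones and cannot
# reach the internet at all. Run on the restricted server as an administrator.
Import-Module DnsServer

$adZone     = 'corp.example'   # placeholder: your AD DNS zone
$primaryDns = '10.0.0.10'      # placeholder: a DC that hosts the primary zone
$thisServer = '10.0.0.20'      # placeholder: this restricted server

# 1. Remove every path to the outside world.
$fwd = (Get-DnsServerForwarder).IPAddress
if ($fwd) { Remove-DnsServerForwarder -IPAddress $fwd -Force }
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force
# Belt and braces: with recursion disabled the server answers only from the
# zones it hosts, even if someone later adds a forwarder by mistake.
Set-DnsServerRecursion -Enable $false

# 2. On the primary server, allow zone transfers to this server only
#    (the DC must accept remote PowerShell / WMI from the account used here).
Set-DnsServerPrimaryZone -ComputerName $primaryDns -Name $adZone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $thisServer
# Repeat for "_msdcs.$adZone" if it is a separate zone in your domain, so the
# client can still locate domain controllers via the SRV records there.

# 3. Host the internal zone locally as a secondary and pull a full copy.
Add-DnsServerSecondaryZone -Name $adZone -ZoneFile "$adZone.dns" -MasterServers $primaryDns
Start-DnsServerZoneTransfer -Name $adZone -FullTransfer

# 4. Check: an internal name resolves, an external one does not.
Resolve-DnsName -Name "dc1.$adZone" -Server $thisServer -Type A -ErrorAction SilentlyContinue
Resolve-DnsName -Name 'www.example.com' -Server $thisServer -Type A -ErrorAction SilentlyContinue
```

Point the single client's NIC at 10.0.0.20 as its only DNS server; every other domain member keeps pointing at the domain controllers, as dipersp recommends.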

dipersp commented:
Oh, I misinterpreted that.  You said "My goal here is to now allow a computer to "talk" to the outside world " - did you mean NOT allow?

Probably best way to handle this is via your firewall/router, not via DNS.  Any decent router should allow you to block all outbound traffic for a particular computer.
pjam commented:
You may want to investigate DNSSEC, available in windows 2008 and improved in Windows 2012.
Lots of info out there, overview at Technet:
https://technet.microsoft.com/en-us/library/ee683904%28v=ws.10%29.aspx
Here is 2012:
https://technet.microsoft.com/en-us/library/dn593694%28d=printer%29.aspx
footech commented:
Blocking resolution of names on the internet would be difficult, but just blocking communication to those resources on the internet should be fairly easy.  As dipersp mentioned, a decent network firewall can handle this.  Another option is to just not set a default gateway in the NIC properties of the client machine - assuming you have a flat network, all on one subnet, then the client will be able to communicate with other machines on the LAN but won't know how to reach external IPs.
RVFB IT (author) commented:
I meant NOT allow... sorry about the typo there... ha.. reading through the comments now