DNS filtering solutions

Patrick Reed
What are the most affordable DNS filtering solutions around right now? Currently I'm paying about $1 per user, but I'm trying to leave that vendor.

I know the Synology router has Content Filtering built in but I'm not looking to replace the Cisco 2801 currently being used.

Is there such a thing as an open source filter out there?
noci, Software Engineer
Distinguished Expert 2018

Commented:
Pi-hole? https://pi-hole.net/ (it can be run on a VM if you like, or on a Raspberry Pi).

Commented:
opendns.com   (not open source)

Filtering at the DNS level is easy to apply organization-wide, but it won't remove an infection. However, it's an effective method of malware containment. Note that if users don't actually use your DNS servers for lookup, they may be able to bypass filtering.

Author

Commented:
I forgot to add that it will be in an Active Directory domain environment with the DC currently serving DHCP and DNS.

Software Engineer
Distinguished Expert 2018
Commented:
You can forward queries to any DNS solution you like, either Pi-hole or opendns.com or whatever.

Your workstations should ONLY query your AD DNS server.

Author

Commented:
Does Pi-hole have its own list of known bad sites, or is it strictly whitelist/blacklist?

Also, is it possible to filter differently per workstation? For example, allow upper management more access.

I'll definitely look into this solution some more. I'll have to throw it on a VM and check it out.
noci, Software Engineer
Distinguished Expert 2018

Commented:
You can use both a private list and publicly available lists.
Pi-hole makes no difference per workstation, but you could run several Pi-holes at the same time as VMs (only 512 MB memory needed, possibly less).

Author

Commented:
I'm sure I could figure this out if I pondered long enough, but how would I set up multiple Pi-holes for this? Would I be telling the AD DNS to forward to a different Pi-hole based on security groups?
noci, Software Engineer
Distinguished Expert 2018

Commented:
Well, each gets its own address, and you assign the DNS IP address by function of the system:
pi-hole-1: very restrictive (everyone)
pi-hole-2: allows social media, e.g. for the communication dept.
pi-hole-3: allows ...?

etc. etc.
Possibly you can assign those using DHCP, or using policies.

If each Pi-hole uses your AD DNS as upstream (nothing else), then the rule for AD has been fulfilled as well.
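
An added example, not part of the thread: a check over firewall flow logs that flags DNS traffic leaving the chain described above (workstation to Pi-hole, Pi-hole to AD DNS only, AD DNS to its forwarders), which is how the bypass mentioned earlier would show up. All addresses, the forwarder choice and the six-field log format are assumptions made for illustration, and the log lines are constructed.

```python
import ipaddress
from collections import Counter

# Assumed addressing (hypothetical, not from the thread).
AD_DNS = {"10.0.0.10"}                            # DC serving DNS
PIHOLES = {"10.0.0.53", "10.0.0.54"}              # pi-hole-1, pi-hole-2
UPSTREAM = {"208.67.222.222", "208.67.220.220"}   # forwarders the AD DNS may use
LAN = ipaddress.ip_network("10.0.0.0/16")
DNS_PORTS = {53, 853}   # plain DNS and DNS over TLS; DoH on 443 is not visible by port

def allowed(src, dst):
    """True if a DNS flow follows client -> Pi-hole -> AD DNS -> upstream."""
    if src in AD_DNS:
        return dst in UPSTREAM
    if src in PIHOLES:
        return dst in AD_DNS          # Pi-holes use the AD DNS and nothing else
    return dst in PIHOLES or dst in AD_DNS

def find_bypass(lines):
    """Count DNS flows per (src, dst, action) that leave the permitted chain."""
    hits = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue                  # skip malformed lines
        _ts, src, dst, _proto, dport, action = parts
        try:
            if ipaddress.ip_address(src) not in LAN or int(dport) not in DNS_PORTS:
                continue
        except ValueError:
            continue
        if not allowed(src, dst):
            hits[(src, dst, action)] += 1
    return hits

# Constructed sample: timestamp src dst proto dport action
SAMPLE_LOG = """\
2024-01-01T09:00:01 10.0.1.20 10.0.0.53 udp 53 permit
2024-01-01T09:00:02 10.0.0.53 10.0.0.10 udp 53 permit
2024-01-01T09:00:03 10.0.0.10 208.67.222.222 udp 53 permit
2024-01-01T09:00:04 10.0.1.31 8.8.8.8 udp 53 permit
2024-01-01T09:00:05 10.0.1.31 8.8.8.8 udp 53 permit
2024-01-01T09:00:06 10.0.1.44 1.1.1.1 tcp 853 deny
2024-01-01T09:00:07 10.0.0.54 9.9.9.9 udp 53 permit
2024-01-01T09:00:08 10.0.1.20 93.184.216.34 tcp 443 permit
garbage line
""".splitlines()

if __name__ == "__main__":
    for (src, dst, action), n in find_bypass(SAMPLE_LOG).items():
        print(f"{src} -> {dst} ({action}) x{n}")
```

A `permit` hit means the edge router is letting the query out; a `deny` hit means egress filtering is working but the client or its configuration still needs attention.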

Author

Commented:
Can I set up a management OU and direct a second scope to those computers?

In reality, there are two of these PCs, so I could really statically assign them.

For learning purposes, what's the best method if that were not practical?
noci, Software Engineer
Distinguished Expert 2018

Commented:
I am not a Windows expert, so that needs to be answered by someone else.
(My guess would be that some policy would scale a lot more easily than manual labour.)
