
Internal DNS

Sep 17, 2003
I want to set up internal DNS (forwarding only) and try to incorporate a host file that blocks spyware, ads, etc. I have a Redhat 9 box running bind but not sure the best way to do this. I want to block port 53 at the firewall except for internal DNS to force clients to receive DNS internally. Can anyone suggest the best setup for Redhat 9 for this function? I have installed and started bind but can't seem to get it to function. When I nmap the server I can see port 53 but clients can't get any DNS info. Any help would be appreciated.
 
Are you able to pull DNS info from the outside when you are on the server? I mean, is the server able to properly complete its own queries to outside sources?
 
Yes, it queries outside and I have it working to the clients now. I have this host file with all of the spyware sites I want to block and instead of going to each client I would like to distribute this through DNS. Aside from creating an A record for each site is there a way to import or batch this info into a bind formatted file for the DNS server to use? I tried putting the host file on the server and when I ping from the server the host file works but the clients keep resolving the correct address. If I can import this host info into dns that would be the answer.
 
What firewall do you have? Can you enter the host file on your firewall?
 
So have you tried using NSLOOKUP from one of your clients to make sure that they are doing what you think they are doing? I would:

Go to a client. Run IPCONFIG /FlushDNS from the command prompt.

NSLOOKUP. Verify that the server that it points at is your RedHat9.

Punch in one of those blocked site addresses and see what your server returns.

It's likely that your server doesn't see itself as "authoritative" for the domains that you have in your host file, and is querying out to see if it can find a record with better credentials. You don't necessarily have to create new A records for the different remote hosts, but if you created empty zones (with just the default NS/SOA records) for each of the spyware domains, then your DNS server would be authoritative when it returns whatever it has in its cache about those domains, regardless of whether that info came from the host file or from the zone file.

ShackDaddy
 
We have a firewall/content filter (SonicWall) and I don't think it can use a host file; it's pretty limited as far as setups go. Shack, when you say create empty zones, what would that entail? Not sure how to do that, and my host file has a huge amount of entries. I will try the DNS cache purge when I get back in the office and will let you know. Thanks for the input guys, greatly appreciated.
 
In your RedHat implementation of DNS (which I'm unfamiliar with), do you have to manually create and populate each zone file when you want to create a new domain on that DNS server, or is there some sort of wizard that will create the basic format for you? If there is a wizard, letting it do the minimum would probably be enough to have some "empty zones" (zones without any A records) on hand. I would still empty your client caches (and your server's cache, if you can figure out how) and then test using NSLOOKUP.

ShackDaddy
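One way to build the "empty zones" ShackDaddy describes straight from the hosts file, as an added example in Python (not code from anyone in this thread): every name in the hosts file becomes a `type master` zone stanza for named.conf, and all stanzas share one small zone file whose A records answer 127.0.0.1, so the server is authoritative for those names and stops forwarding the query. The zone file path, the name server hostname and the hosts lines are assumptions/constructed sample input.

```python
import re
from typing import Iterable

# Constructed sample of a spyware block list in hosts-file format (not a real list).
SAMPLE_HOSTS = """\
# spyware block list (constructed sample)
127.0.0.1 localhost
127.0.0.1 ads.example-tracker.test  # banner server
0.0.0.0   spy.example-tracker.test pop.example-tracker.test
127.0.0.1 ADS.EXAMPLE-TRACKER.TEST   # duplicate, different case
"""

SKIP = {"localhost", "localhost.localdomain", "broadcasthost"}
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")  # one DNS label

def hosts_to_domains(text: str) -> list:
    """Extract the block-list names from hosts-file text, in first-seen order.

    Handles comments, blank lines, several names per line, mixed case and
    duplicates, and drops names BIND could not load as a zone name.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        for name in line.split()[1:]:            # first field is the address
            name = name.lower().rstrip(".")
            if name in SKIP or name in seen:
                continue
            if all(LABEL.match(p) for p in name.split(".")):
                seen[name] = None
    return list(seen)

def named_conf_zones(domains: Iterable[str],
                     zone_file: str = "/var/named/block.zone") -> str:
    """One master zone stanza per blocked name; all share the same zone file."""
    return "".join(
        f'zone "{d}" {{ type master; file "{zone_file}"; }};\n' for d in domains)

def block_zone_file(ns_host: str = "ns1.internal.example",
                    sink: str = "127.0.0.1") -> str:
    """Shared zone body: SOA/NS plus A records sinking the apex and any subdomain."""
    return (f"$TTL 3600\n"
            f"@ IN SOA {ns_host}. hostmaster.{ns_host}. 1 7200 3600 604800 3600\n"
            f"@ IN NS {ns_host}.\n"
            f"@ IN A {sink}\n"
            f"* IN A {sink}\n")    # wildcard: sub.ads.example also sinks

if __name__ == "__main__":
    print(named_conf_zones(hosts_to_domains(SAMPLE_HOSTS)), end="")
```

Append the generated stanzas to named.conf, write the zone file to the path used in the stanzas, and run `rndc reload`; with a large hosts file the number of zones drives BIND's startup time and memory, so check both after loading.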
 
Try writing a batch file which would load the hosts file on the users machine, then send a mass e-mail pointing to the file.

cls
copy /y \\servername\foldername\hosts c:\windows


Name it whatever you want. I used hosts.bat for mine. Worked for me. Good luck.

Glen A. Johnson
If you're from Northern Illinois/Southern Wisconsin feel free to join the Tek-Tips in Chicago, Illinois Forum.
TTinChicago
Johnson Computers
 
Better locate the copied HOSTS to the right folder!
XP default: C:\windows\system32\drivers\etc
Win2k default: c:\winnt\drivers\etc

 