Web site blocking in DNS

[MDJ52]

I have just set up Win2000 server and we seem to be running along fairly well. The 25 users all log into the domain. There is a brief logon script that defines the server hard drives for access by the users. My boss has asked that one of the features of DNS is to manage Internet access and can I set this up.
I believe this is done through DNS and then Forward Lookup Zones, but I am not sure.
It seems to me if I set up a new zone there is a way to define that zone as inaccessable.
Can anyone shed some light on this question?
How can I define specific webs and chat rooms as inaccessable?
Thanks
Mike

 

[GarethT]

Hi Mike,

Hmm You can use DNS to deny certain website access--however for the scale that you seem tow ant to deny sites--id suggest you use ISA server and some kindof plugin such as Websence or Webmarshall

if however there is only a couple of websites u want to ban then in theory you could ping the website to determin its IP address and then in DNS create a new host record for the website name that has an INCORRECT ip address assigned to it.
this way when the user types for instance -

http://www.yahoo.com

they will redirected to the host records ip address which uve entered as the wrong one.

There are probably other ways of doing this-however web site control is down to the proxy server in reality. MCSE NT&2K
CCNA/CCDA
CNA
ASE
NSP

 

[suedaisy]

Hi,
I was wondering if you could elaborate on this topic a bit more. I'd like to do something like this as well to our servers (we have a problem with a few people going to sport bidding sites), however I would have to create a new zone, correct?
how would i get that hosts name? i have the ip address..

Actually..
Can I get a step by step on how to do this? I'd really appreciate it.
Thank you!

 

[spool]

Hello Mike,

If you click on start>run and type in mmc you will get a blank Management Console. Click on Console and click on Add/Remove Snap-in.Click on the Add botton to open the Add/Stand alone Snap-in window and High light Group Policy,click on add, choose if you want this stored in Active Directory or local computer. Click Finish>close.
Click OK in the Add/Remove Snap-in window.

In the Console click on the + sign next to Local Computer Policy go down to Administrative Templates,click on the + to open. Go down to Windows Componets click on the + to open. Double click on Internet Explore. You will most likely find ways to Inable or Desable the Internet browsing features in here.

If you think this tip can help and you need more help reply to your thread here. I will check back.

Good Luck
spool

 

[hewissa]

Are you running a firewall between your domain and the internet? Why not filter the sites at the firewall? Hewissa

MCSE, CCNA, CIW

 

[Mcscotsman]

I agree with GarethT concerning the ISA suggestion. However, even if you put an incorrect entry in the DNS server, users can still access the site through IP or if a bit savvy, can put an entry in their hosts file that points to the correct IP.

 

[GarethT]

there are always ways round things.

I do a lot of consultancy for schools and colleges aswell as installing and configuring the systems.
Internet control is a very big part of that.

Youve got to assess your situation first.
are you a alrge company with many users?-how much control do you want over the users internet use

if you want complete control then your best off with ISA and third party plugin software.

if youve small office and want to deny 1 or 2 sites you can think of using software such as cyber patrol or DNS.
MCSE NT&2K,CCNA/CCDA,CNA,ASE,NSP