Implement DNS filtering

Tags: dns-hosting, domain-name-system

I was wondering what would be the best way to implement DNS filtering.

The scenario is this: we need to set up two custom DNS servers to use on our company's computers so that we can filter DNS requests for certain domains and return custom IPs, and forward other requests to our ISP's DNS servers.

We were thinking about using either PowerDNS or MyDNS because they support MySQL out of the box and we need to change the list of domains to filter quite often.

Best Answer

As Ed Fries suggests, the DNS solution is:

  1. Set up a (or two) DNS server(s) with either forwarding or the root hints zone, which will make it return non-authoritative answers for all domains on the internet.
  2. Set your clients to use this/these DNS servers, by configuring your DHCP server appropriately (or manually on the client).
  3. Optionally block 53/udp outbound on your firewall, to prevent clients on your network from using another DNS server.
  4. Create an authoritative zone on your DNS server for the domains you want to block, and optionally create A/CNAME etc records for them. Doing this will prevent your DNS server from forwarding the request on and getting the real answer, as it thinks it is authoritative.

There are ways around this:

  • If you don't do step 3, clients can simply use a public DNS server (e.g., Google provides public DNS)
  • People can use a VPN/proxy to get past it
  • For some sites, they'll be able to type in the IP (if they know it) and get to the site anyway, no configuration changes needed.

There are other ways to block sites (block the IP at the firewall, for example) that may be a bit more reliable/less work, though for almost everything there is a way around it if your users are savvy enough.
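The behaviour the answer's step 4 relies on, shown as an added example that is not part of the original question or answer: a minimal UDP resolver that treats a small set of zones as its own (so any name at or below `blocked.example` gets the configured A record and never reaches the upstream), and forwards everything else to the ISP resolver untouched. The zone names, the sinkhole addresses, the `192.0.2.53` upstream and the `127.0.0.1:5353` listen address are all constructed placeholders; only the Python standard library is used, and the packet handling covers the single-question, uncompressed queries stub resolvers actually send.

```python
import socket
import struct

# Constructed configuration (placeholders, not from the original post).
# A zone listed here is answered "authoritatively": the zone apex and every
# name under it receive the configured A record, mirroring step 4 above.
SINKHOLE_ZONES = {
    "blocked.example": "10.0.0.53",  # e.g. an internal "this site is blocked" page
    "ads.example": "0.0.0.0",
}
UPSTREAM = ("192.0.2.53", 53)  # placeholder ISP resolver (TEST-NET-1 address)

QTYPE_A = 1


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, raw question section) for a one-question query."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a query's QNAME
            raise ValueError("compressed QNAME in question")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, packet[12:pos]


def matching_zone(qname: str):
    """Longest configured zone that equals the name or is one of its parents."""
    name = qname.rstrip(".")
    best = None
    for zone in SINKHOLE_ZONES:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def build_response(txid: int, question: bytes, ip=None, ttl: int = 60) -> bytes:
    """Authoritative answer (QR=1, AA=1). With ip=None this is NODATA: the zone
    is ours, but there is no record of the requested type, so still no forwarding."""
    flags = 0x8400
    ancount = 1 if ip else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    if not ip:
        return header + question
    # Answer RR: pointer to QNAME at offset 12 (0xC00C), type A, class IN, TTL, RDLENGTH 4
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def forward_upstream(packet: bytes) -> bytes:
    """Relay the query verbatim to the ISP resolver and return its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(packet, UPSTREAM)
        return s.recv(4096)


def handle_query(packet: bytes, forward=forward_upstream) -> bytes:
    """Sinkhole decision: answer ourselves if the name falls in one of our zones,
    otherwise forward. `forward` is injectable so the logic can be tested offline."""
    txid, qname, qtype, question = parse_question(packet)
    zone = matching_zone(qname)
    if zone is None:
        return forward(packet)
    if qtype == QTYPE_A:
        return build_response(txid, question, SINKHOLE_ZONES[zone])
    return build_response(txid, question)  # AAAA, TXT, ... -> NODATA, never forwarded


def build_query(qname: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Construct a standard recursive query, as a stub resolver would send it."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + b"\x00" + struct.pack("!HH", qtype, 1)


def serve(bind=("127.0.0.1", 5353)):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            data, client = s.recvfrom(512)
            try:
                s.sendto(handle_query(data), client)
            except (ValueError, OSError):
                pass  # malformed query or unreachable upstream: drop it


if __name__ == "__main__":
    serve()
```

Point it at with `dig @127.0.0.1 -p 5353 www.blocked.example` and the answer comes back with the AA flag set and the configured address, while `dig @127.0.0.1 -p 5353 example.org` is relayed to the upstream. The longest-match rule in `matching_zone` is what makes a single zone entry cover every hostname beneath it, which is why the answer says step 4 stops the server from ever asking the real authority.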
