How to block a particular DNS IP using NAT

April 28, 2011 at 00:24:03
Specs: Win-2003 R2
I have configured a Win-2003 server as a NAT server. For internet access we are using an IP provided by our vendor, which has restrictions for unwanted and pornographic sites. Still, users can get access to any site by changing their DNS IP. How do I block all DNS IPs except the one provided by our vendor?

#1
April 28, 2011 at 00:49:48
Add a firewall rule to only allow DNS traffic to that one server. I.e. block all outbound traffic on port 53 except to the designated address(es).

Also, make it part of the IT usage policy that such abuse will be dealt with severely.

#2
April 28, 2011 at 07:49:30
Blocking DNS to only one server can bite you later if that server changes or goes offline.

Better to set a GPO that prevents users from changing network settings.
This assumes you were savvy enough not to make users admins on their machines.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's

#3
April 28, 2011 at 07:56:36
That's true. But I'd suspect that if an ISP's DNS server turns up its toes you would have issues other than just DNS.

TBH, I don't think that technology is the way to attack this sort of misuse. You can't beat a good data usage policy which is enforced rigorously.

#4
April 28, 2011 at 22:31:21
Thanks for your answer, but it still does not fulfill my requirement. The Win Server 2003 which I am using as NAT has 2 NICs, on which I have terminated the public IP and the private IP. The public IP is configured with OpenDNS to prevent users browsing vulnerable sites. Now, when users change their DNS IP to one other than OpenDNS's IP, they are able to browse any site. I want users to use only the OpenDNS IP. How do I block other DNS IPs for users? Please help.

#5
April 29, 2011 at 01:26:02
You've already been given two answers, both of which will do what you want, plus a suggestion that you tighten up your data usage policy. What more do you want?

#6
April 29, 2011 at 07:55:43
rajccct, if you can figure out how to compile a list of all DNS servers in the world [they constantly change], then you can list those IPs to deny.

You would be better off with a group policy that denies network changes on the client machines.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's

#7
May 2, 2011 at 02:45:53
Thanks wanderer! I do understand that DNS changes frequently. Actually, I have not created any group policy on my NAT server. Would you mind telling me what the command is to block a particular DNS IP on a Win-2003 server? E.g. I want to block DNS IP 172.16.0.1 in my network because users are able to bypass OpenDNS by using this IP. Please help.
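The rule described in reply #1 (block all outbound port-53 traffic except to the vendor's resolvers) and the concrete case in reply #7 (clients pointing at 172.16.0.1 to get around OpenDNS) both come down to the same egress policy. Below is an added example, not code from anyone in this thread and not a Windows 2003 command, that expresses that policy as a small Python allow/deny function and then runs it over a few constructed flow-log lines so you can see which hosts would be blocked and, just as usefully, which hosts are configured with a foreign DNS server. The vendor resolver addresses (203.0.113.53/54), the LAN range and the log format are all assumptions made up for the example.

```python
"""Egress DNS policy: allow port 53 only to the vendor-provided resolvers.

Added example for this thread; not from the original posts. All addresses and
the flow-log format below are constructed placeholders.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed placeholders standing in for the vendor's resolver addresses
# (the real OpenDNS addresses are not used here). Add your internal domain
# controller's DNS address to this set if clients must still reach it.
ALLOWED_RESOLVERS = {ip_address("203.0.113.53"), ip_address("203.0.113.54")}
DNS_PORT = 53


def decide(src, dst, proto, dport):
    """Return 'allow' or 'deny' for one outbound flow from the LAN.

    Mirrors reply #1: only DNS is restricted. Any tcp/udp flow to port 53 whose
    destination is not an allowed resolver is denied; every other flow passes
    unchanged, so web traffic itself is not affected by this rule.
    """
    dst_ip = ip_address(dst)
    if dport != DNS_PORT or proto not in ("udp", "tcp"):
        return "allow"
    if dst_ip in ALLOWED_RESOLVERS:
        return "allow"
    return "deny"


# Constructed flow-log lines in the form "src dst proto dport", as a NAT or
# firewall log might emit them. 172.16.0.1 is the bypass resolver from reply #7.
SAMPLE_LOG = """\
192.168.10.21 203.0.113.53 udp 53
192.168.10.21 198.51.100.7 tcp 443
192.168.10.35 172.16.0.1 udp 53
192.168.10.35 172.16.0.1 tcp 53
192.168.10.42 198.51.100.53 udp 53
192.168.10.42 203.0.113.54 udp 53
"""


def audit(log_text):
    """Apply the policy to each log line.

    Returns (decisions, offenders): decisions is a list of (line, verdict);
    offenders maps each source host that tried a non-allowed resolver to the
    sorted list of resolver addresses it tried. The same rule that blocks the
    traffic therefore also identifies the machines whose DNS settings changed.
    """
    decisions = []
    offenders = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        verdict = decide(src, dst, proto, int(dport))
        decisions.append((line, verdict))
        if verdict == "deny":
            offenders[src].add(dst)
    return decisions, {host: sorted(dsts) for host, dsts in offenders.items()}


if __name__ == "__main__":
    decisions, offenders = audit(SAMPLE_LOG)
    for line, verdict in decisions:
        print(f"{verdict:5}  {line}")
    print("hosts using a non-vendor resolver:", offenders)
```

Whatever device enforces the rule (the NAT box, a perimeter firewall, or the client firewall via policy), the logic is the same two checks in `decide`: destination port 53 and destination address not in the allow-list. Keep the allow-list small but complete, which is the point made in reply #2: if the vendor changes resolver addresses, or an internal DNS server is forgotten, everything that depends on name resolution stops working.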

#8
May 2, 2011 at 08:04:58
rajccct, what good would blocking an IP on the server do you? Internet access isn't through the server.
If you can't block access to network settings on the PCs, you can't block access to sites.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's