DNS Security Question

Jim Reid jim at mpn.cp.philips.com
Tue Sep 21 00:10:48 UTC 1999


>>>>> "Dave" == Dave Feldt <davef at flatland.dimensional.com> writes:

    Dave> This may be a silly question, but is there anyway to stop a
    Dave> nameserver from resolving certain domains? For
    Dave> example... many users in my company are hitting
    Dave> sextracker.com and sexhound.com etc., and I'm wondering if
    Dave> there is any possible way to make our DNS server ignore
    Dave> requests for these domains.

You could configure your name servers to be masters or slaves for
your own private copies of these zones. You then have two choices.

If you're running BIND8 you can apply access control lists to these
zones. Queries for names in these zones from unapproved IP addresses
will be rejected and logged.

A better - some might say sneakier - approach is to populate these
private copies of these domains with "useful" data. For instance you
could make www.unspeakable-filth.com or whatever point at a special
local web server. This could log whoever accesses the web site if you
want to take disciplinary action against the people who are making
what I assume is not job-related use of the network. You could also
make that local web site display suitable warnings to deter this
unwanted web browsing.

These controls can be bypassed by using some other name server to
resolve the names of porn sites. Or your users can get to them via
URLs that have the IP addresses of the real web servers. How long do
you want to play this zero-sum game?
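
The two choices described above, as an added example that is not part of the original post: a POSIX shell script that emits the named.conf statements and a "sinkhole" zone file for a list of domains. In `acl` mode the zone is served only to an approved host (choice 1, queries from everyone else are refused); in `sinkhole` mode every name under the domain, apex and wildcard alike, resolves to a local web server (choice 2). The wildcard goes beyond the post's single www example so that any hostname in the domain is caught. The addresses, zone directory, approved host and ns1.example.com name server are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND itself): generate a
# named.conf fragment and a sinkhole zone file for domains the local name
# server should "own" rather than resolve.  Every address and path below is
# an assumption for illustration; substitute your own.

SINKHOLE_IP="192.0.2.10"          # assumed: local web server that logs/warns
APPROVED_HOST="10.0.0.5"          # assumed: the only host allowed in acl mode
ZONE_DIR="/var/named/sinkhole"    # assumed: directory named reads zones from

# Print a zone file whose apex, www and wildcard records all point at the
# sinkhole host.  The wildcard (*) covers every other hostname in the domain;
# it does not match the apex, which is why "@" gets its own A record.
# Bump the serial whenever the file changes so slaves transfer the new copy.
sinkhole_zone() {
    serial="$1"
    cat <<EOF
\$TTL 3600
@   IN SOA  ns1.example.com. hostmaster.example.com. (
            $serial  ; serial
            3600        ; refresh
            900         ; retry
            604800      ; expire
            3600 )      ; negative-cache TTL
    IN NS   ns1.example.com.
@   IN A    $SINKHOLE_IP
www IN A    $SINKHOLE_IP
*   IN A    $SINKHOLE_IP
EOF
}

# Print named.conf statements: an acl, then one master zone per domain.
# MODE is "acl" (choice 1: refuse queries from anyone not in the acl) or
# "sinkhole" (choice 2: answer everyone with the sinkhole zone data).
named_conf() {
    mode="$1"; shift
    printf 'acl approved { %s; 127.0.0.1; };\n\n' "$APPROVED_HOST"
    for domain in "$@"; do
        printf 'zone "%s" {\n' "$domain"
        printf '    type master;\n'
        printf '    file "%s/%s.zone";\n' "$ZONE_DIR" "$domain"
        if [ "$mode" = "acl" ]; then
            # queries from outside the acl are refused by named
            printf '    allow-query { approved; };\n'
        else
            # everyone gets the sinkhole answer from the zone file
            printf '    allow-query { any; };\n'
        fi
        printf '};\n\n'
    done
}

# Write the fragment and one zone file per domain into DIR.
# Usage: write_configs /tmp/sinkhole sinkhole sextracker.com sexhound.com
write_configs() {
    dir="$1"; mode="$2"; shift 2
    mkdir -p "$dir" || return 1
    named_conf "$mode" "$@" > "$dir/named.conf.blocked" || return 1
    for domain in "$@"; do
        sinkhole_zone "$(date +%Y%m%d)01" > "$dir/$domain.zone" || return 1
    done
}

# Demo: print the sinkhole configuration for the two domains from the post.
named_conf sinkhole sextracker.com sexhound.com
sinkhole_zone 1999092101
```

Include the generated fragment from named.conf, reload named (`ndc reload` on BIND 8), and check the result from a client with `dig @your-server www.sextracker.com`: in sinkhole mode the answer is the sinkhole address; in acl mode a query from a host outside the acl is refused. As the post notes, neither stops a user who points at another resolver or types the real IP address into a URL.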
