Tips for building a root server?

Simon Waters Simon at wretched.demon.co.uk
Mon Oct 1 16:55:58 UTC 2001


Mike wrote:
> 
> So I'm looking into building a root dns server for my company and am fishing
> for some good tips and advice.  The reason for this is so that my company
> can restrict internet surfing to only those sites it deems necessary for
> work.

My tip is don't do it for the reason given.

An internal root is really aimed at people whose local systems
have no direct access to the Internet.

> For now, if a web site becomes a problem we
> just stop all traffic to that site by using the firewall, but the company
> thinks it would be better to only allow certain sites, and not have to worry
> about not allowing a whole bunch of sites that continue to grow and change.

The Internet is huge and whitelisting it will take eternity, and
given the state of DNS management tools I would suggest DNS is
probably the worst possible tool to try it with.

Plenty of firewalls/web proxies out there allow you to track
website usage by employee, allow access to certain categories
of information only (Based on third party white lists), and vary
these restrictions by time of day. Some will even check the HTML
for nasty constructs, or ActiveX components (much the same thing
in some people's eyes).

My experience of these products is that they are okay, but I
think this is one of those areas where it is far better to just
"log" who goes where, and if excessive inappropriate activity is
going on, get management to have a word.

Most companies don't allow employees to read novels on company
time. But you don't enforce this by searching employees for
books every time they enter the building do you? That said if
someone was writing a book on say DNS, and decided they wanted
quotations from Lewis Carroll at the start of each chapter (That
kind of thing happens apparently), your novel search policy<sic>
just got in the way of doing business.

	Simon

PS: I'm not advocating against blocking ActiveX components in
web proxies, that sounds like a useful option to me. I wonder if
MS Proxy does it yet?

-- 
Are you using the Internet to best effect ? www.eighth-layer.com
Tel: +44(0)1395 232769      ICQ: 116952768
Moderated discussion of teleworking at news:uk.business.telework

