Block some users with Bind9

Wed Jul 25 22:36:25 UTC 2012

On 7/25/2012 3:26 PM, Emiliano Vazquez wrote:
>> well on a dns level will be nice to block it but if the user will have
>> access to some dns anywhere in the world in any way he can just use some
>> basic browser tricks to make this dns setup stupid.
>>
>> i think it's better to use a proxy\fw to block these sites.
>> you can use let say squid and use some nice and good acls to do all your
>> the tricks you need.
>>
>> Regards,
>> Eliezer
>>
> My idea was block all DNS except the bind9 who has this filter. blocking
> port 53 will we enought?
>
> I'm using squid but in transparent mode.
>
> I'm reading about this. If i find the solution i will post. Have a lot
> of work to read!
>
> Best regards.
>
>
>
>
block udp dst port 53 is good but you must to take in account that maybe 
some of your services\servers needs this access for whatever reason 
there is.

if you are using squid in transparent mode it's good enough for basic 
http blocking.
to block HTTPS you will need to force your users to use the proxy server 
using some WPAD + DHCP \ Group policy.

either of them can lead to some problems so you can test it first and 
see if it's for you.
there is an option of SSL-BUMP in squid that can take a lot off  but you 
must install the local root-ca on all the clients computers.

i suggest for you to first implement the basic allow\deny acls in squid 
for the intercepted traffic and later see what is the effect.

Regards,
Eliezer

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il