Block some users with Bind9
eliezer at ngtech.co.il
Wed Jul 25 22:36:25 UTC 2012
On 7/25/2012 3:26 PM, Emiliano Vazquez wrote:
>> well on a dns level will be nice to block it but if the user will have
>> access to some dns anywhere in the world in any way he can just use some
>> basic browser tricks to make this dns setup stupid.
>> i think it's better to use a proxy\fw to block these sites.
>> you can use let say squid and use some nice and good acls to do all your
>> the tricks you need.
> My idea was block all DNS except the bind9 who has this filter. blocking
> port 53 will we enought?
> I'm using squid but in transparent mode.
> I'm reading about this. If i find the solution i will post. Have a lot
> of work to read!
> Best regards.
block udp dst port 53 is good but you must to take in account that maybe
some of your services\servers needs this access for whatever reason
if you are using squid in transparent mode it's good enough for basic
to block HTTPS you will need to force your users to use the proxy server
using some WPAD + DHCP \ Group policy.
either of them can lead to some problems so you can test it first and
see if it's for you.
there is an option of SSL-BUMP in squid that can take a lot off but you
must install the local root-ca on all the clients computers.
i suggest for you to first implement the basic allow\deny acls in squid
for the intercepted traffic and later see what is the effect.
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
More information about the bind-users