February 4th, 2007, 04:17 PM
Prevent DNS Forwarding for Some
Is it possible to prevent DNS forwarding for some workstations? We currently have a Windows 2003 AD environment with a Websense integration. Currently all workstations have internet access which is restricted by Websense. We have some workstations that are currently being blocked but are capable of resolving internet addresses. I would like to prevent those workstations from forwarding their DNS requests to the ISP and at the same time still use our internal DNS servers for internal services only.
February 4th, 2007, 07:06 PM
The quickest way would be to put an ACL in your firewall only allowing outbound DNS (UDP 53) for your DNS servers, anything else will be blocked.
Although if you have internal DNS servers, all your workstations would usually be configured to send DNS requests to the internal DNS servers, and then these DNS servers would request the information from the root DNS servers or a DNS server further down the hierarchy. You may want to check your DHCP scope settings, or your static settings if you are not using DHCP.
Last edited by Nokia; February 4th, 2007 at 07:09 PM.
February 4th, 2007, 07:30 PM
Nice thing to know about your first solution. But yep, I have internal DNS servers that receive all DNS requests for all machines. In my DHCP scope, I have internal DNS settings passing to clients. The reason I am seeking a solution is because we have employees bypassing our Websense using different types of http/https proxies. I wonder if I could create an ACL at a network level at the port to drop/block all internet traffic for that workstation. It would be a lot of work, but it would pay off in the end. Any thoughts on this?
February 4th, 2007, 07:54 PM
What firewall do you have?
If you have a decent firewall you can very easily deny or allow any traffic you wish from leaving your network via ACL's.
If you don't want a workstation with the IP of, say, 192.168.1.1 to have internet connectivity, you can block all TCP port 80 from that IP address. Of course the way around this would be for the user to change their IP address; if they don't have local admin rights then they can't do this. If they do, you can still restrict access to the networking components via Group Policy (you have an AD domain, right?). You can even restrict someone logging on as a local admin from changing the IP address, via GPO.
If you find out what proxies they are using, Websense can be told to block them. There are hundreds of lists with all common proxies and their IP addresses, which can be uploaded to Websense to block access to them.
You can also lock down IE in every way imaginable via Group Policy, and prevent them automatically entering a proxy configuration in the Internet settings.
Last edited by Nokia; February 4th, 2007 at 07:59 PM.
February 4th, 2007, 07:55 PM
I would just block all proxy ports at the firewall/router, and just leave port 80 outbound available. It would limit the choices of proxies greatly.
Also, shouldn't your websense be blocking DNS requests to blocked sites? I'm familiar with websense as a web blocker, but not how it blocks. I would copy/paste all the sites/ips that websense blocks into a table and use that in the same way I'd use a hosts file in windows...
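The two posts above both come down to an ordered egress ACL on the firewall: let only the internal DNS servers reach port 53 outside, cut TCP/80 for the workstations that must not browse, close the common proxy ports, and leave plain web traffic open for everyone else. The following is an added example, not code from the thread or from SonicWall; it models that rule set as a first-match ACL in Python so the ordering can be checked before it is typed into a firewall. The addressing (LAN 192.168.1.0/24, DNS servers .10 and .11), the proxy port list and the inclusion of TCP/443 next to 80 are assumptions made for the example; 192.168.1.1 is the example workstation IP used in the post above.

```python
"""First-match egress ACL model for the firewall rules discussed above.

Constructed example: addresses, the proxy port list and the 443 rule are
assumptions for illustration, not values from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    src: str                           # source CIDR; "0.0.0.0/0" means any
    proto: Optional[str] = None        # "udp", "tcp" or None for any
    dports: frozenset = frozenset()    # destination ports; empty means any

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dports and dport not in self.dports:
            return False
        return True


# Assumed addressing (not from the thread).
LAN = "192.168.1.0/24"
INTERNAL_DNS = ("192.168.1.10", "192.168.1.11")
BLOCKED_HOST = "192.168.1.1"           # the workstation that must lose web access
PROXY_PORTS = frozenset({1080, 3128, 8000, 8080, 8888})   # assumed list of common proxy ports

# Order matters: a firewall stops at the first matching rule, so the DNS
# server allow rules must precede the blanket "no direct DNS" deny.
EGRESS_ACL: List[Rule] = (
    [Rule(f"dns-from-{d}", "allow", f"{d}/32", dports=frozenset({53})) for d in INTERNAL_DNS]
    + [
        Rule("no-direct-dns", "deny", "0.0.0.0/0", dports=frozenset({53})),
        Rule("blocked-host-no-web", "deny", f"{BLOCKED_HOST}/32", "tcp", frozenset({80, 443})),
        Rule("no-proxy-ports", "deny", "0.0.0.0/0", "tcp", PROXY_PORTS),
        Rule("lan-web", "allow", LAN, "tcp", frozenset({80, 443})),
        Rule("default-deny", "deny", "0.0.0.0/0"),
    ]
)


def evaluate(acl: List[Rule], src_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule name) for the first rule that matches the flow."""
    for rule in acl:
        if rule.matches(src_ip, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def demo() -> dict:
    """Evaluate a few constructed outbound flows against the ACL."""
    flows = {
        "workstation forwards DNS to ISP": ("192.168.1.50", "udp", 53),
        "internal DNS server recurses out": ("192.168.1.10", "udp", 53),
        "blocked workstation browses":      (BLOCKED_HOST, "tcp", 80),
        "blocked workstation via proxy":    (BLOCKED_HOST, "tcp", 3128),
        "ordinary workstation browses":     ("192.168.1.50", "tcp", 80),
        "ordinary workstation, SMTP":       ("192.168.1.50", "tcp", 25),
        # The caveat from the post above: a user who can change their own IP
        # steps out of the per-host deny rule and is treated as an ordinary host.
        "blocked user after changing IP":   ("192.168.1.51", "tcp", 80),
    }
    return {label: evaluate(EGRESS_ACL, *flow) for label, flow in flows.items()}


if __name__ == "__main__":
    for label, (action, rule) in demo().items():
        print(f"{label:36} -> {action:5} ({rule})")
```

The last flow in `demo()` is the reason the posts insist on locking down IP settings through Group Policy or pinning leases: a per-host deny keyed on a dynamic address is only as strong as the user's inability to change that address.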
February 4th, 2007, 08:04 PM
We have a SonicWall Pro 4060 firewall. Sounds like a great idea to create the ACLs at the firewall. I need to verify the lease time though with my DHCP server. It would be a mess if machines received different IPs at renew time. This would work nicely if my network was static. I have a hard time keeping up with proxy lists in Websense. There are new proxies every day.
February 4th, 2007, 09:28 PM
Yeah good point, I forgot to mention that you should be able to set the lease time to unlimited - which obviously just means the same host will get the same IP each time it asks for one.
February 4th, 2007, 11:22 PM
Nokia is absolutely correct on that one. You can lock down IE to the point where they can't even use it. The one easy thing to do is this (if you're just looking to lock down a few machines and not apply a network wide GPO)
You can also lock down IE in every way imaginable via Group Policy, and prevent them automatically entering a proxy configuration in the Internet settings.
-logon to the machine you want to lock down
-Go to Computer Configuration--> Administrative Templates--> Windows Components--> Internet Explorer--> Internet Control Panel
-Don't expand Internet Control Panel, just highlight it
-From here, you can disable *everything* from General to the Advanced tabs that most users have access to under Internet Options.
This may be one way of keeping these specific users from bypassing anything. Just a thought. Good luck.
**Just be aware that if you do have a network-applied GPO, it will override the local GPO settings on the local machine. Working with GPOs can get messy, so take your time.
Last edited by ShagDevil; February 4th, 2007 at 11:24 PM.
The object of war is not to die for your country but to make the other bastard die for his - George Patton
February 5th, 2007, 01:15 PM
I would look at setting up a proxy. It's a bad idea to let each and every workstation have full Internet access on their own. By forcing the workstations through a proxy you have way more control and logging capabilities. If you turn on NTLM authentication on the proxy you can give Internet access based on a username; authentication would be done in the background. By using a proxy you also limit the extent to which clients have internet access and what they can visit. If a workstation gets infected it cannot easily spread outside of your network because it is not able to access the Internet directly. If you also use a content scanner on the proxy you'll also be able to prevent infections in the first place. Proxy settings can be enforced using a GPO and you will be able to prevent users from modifying the settings themselves. If they do manage to modify the settings they can't go anywhere except through your proxy. This solves your problem entirely and in the process adds another layer of security to your network. The more layers the better.
Last edited by SirDice; February 5th, 2007 at 01:26 PM.
Experience is something you don't get until just after you need it.