
Thread: Prevent DNS Forwarding for Some

  1. #1
    Senior Member
    Join Date
    Aug 2002
    Posts
    123

    Question Prevent DNS Forwarding for Some

    Is it possible to prevent DNS forwarding for some workstations? We currently have a Windows 2003 AD environment with a Websense integration. Currently all workstations have internet access which is restricted by Websense. We have some workstations that are currently being blocked but are capable of resolving internet addresses. I would like to prevent those workstations from forwarding their DNS requests to the ISP and at the same time still use our internal DNS servers for internal services only.

  2. #2
    Nokia (Right turn Clyde)
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    The quickest way would be to put an ACL in your firewall only allowing outbound DNS (UDP 53) for your DNS servers, anything else will be blocked.

    Although if you have internal DNS servers, all your workstations would usually be configured to send DNS requests to the internal DNS servers, and then these DNS servers would request the information from the root DNS servers or a DNS server further down the hierarchy. You may want to check your DHCP scope settings, or your static settings if you are not using DHCP.
    Last edited by Nokia; February 4th, 2007 at 08:09 PM.

  3. #3
    Senior Member
    Join Date
    Aug 2002
    Posts
    123
    Nice thing to know about your first solution. But yep, I have internal DNS servers that receive all DNS requests for all machines. In my DHCP scope, I have internal DNS settings passing to clients. The reason I am seeking a solution is because we have employees bypassing our Websense using different types of http/https proxies. I wonder if I could create an ACL at a network level at the port to drop/block all internet traffic for that workstation. It would be a lot of work, but it would pay off in the end. Any thoughts on this?

  4. #4
    Nokia (Right turn Clyde)
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    What firewall do you have?
    If you have a decent firewall you can very easily deny or allow any traffic you wish from leaving your network via ACLs.

    If you don't want a workstation with the IP of, say, 192.168.1.1 to have internet connectivity, you can block all TCP port 80 from that IP address. Of course the way around this would be for the user to change their IP address; if they don't have local admin rights then they can't do this. If they do, you can still restrict access to the networking components via Group Policy (you have an AD domain, right?). You can even restrict someone logging on as a local admin from changing the IP address, via GPO.

    If you find out what proxies they are using, Websense can be told to block them. There are hundreds of lists with all common proxies and their IP addresses, which can be uploaded to Websense to block access to them.

    You can also lock down IE in every way imaginable via Group Policy, e.g. prevent them automatically entering a proxy configuration in the Internet settings.
    Last edited by Nokia; February 4th, 2007 at 08:59 PM.
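    The egress ACL that Nokia describes in posts #2 and #4 (only the internal DNS servers may send UDP/53 outbound; a single workstation such as 192.168.1.1 gets its TCP/80 dropped) is easy to get wrong in rule ordering, so here is an added example, written for this thread and not code from the forum or from any firewall vendor, that models a first-match egress ACL and evaluates sample flows against it. It then runs a simple detection over constructed firewall log lines to list hosts that are trying to reach external resolvers directly, which is the symptom the original poster wants to stop. The LAN range, resolver addresses and log format are all constructed assumptions; SonicWall's actual rule syntax is not modelled.

```python
"""Egress ACL model plus direct-DNS detection (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed assumptions: the LAN, the two internal resolvers handed out by DHCP,
# and the workstation singled out in the thread (192.168.1.1).
INTERNAL_NET: IPv4Network = ip_network("192.168.1.0/24")
INTERNAL_DNS = frozenset({ip_address("192.168.1.10"), ip_address("192.168.1.11")})
BLOCKED_WORKSTATION = ip_address("192.168.1.1")


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: object                 # IPv4Network, frozenset of addresses, or None (any)
    proto: Optional[str]        # None matches any protocol
    dport: Optional[int]        # None matches any destination port
    comment: str

    def matches(self, f: Flow) -> bool:
        if isinstance(self.src, (IPv4Network, frozenset)) and f.src not in self.src:
            return False
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.dport is not None and f.dport != self.dport:
            return False
        return True


# First-match egress ACL for traffic leaving INTERNAL_NET toward the Internet.
# Order matters: the resolver allow rules must sit above the blanket port-53 deny,
# and the per-workstation deny must sit above the general web allow.
EGRESS_ACL: List[Rule] = [
    Rule("allow", INTERNAL_DNS, "udp", 53, "only the internal resolvers may forward DNS"),
    Rule("allow", INTERNAL_DNS, "tcp", 53, "DNS over TCP for the resolvers as well"),
    Rule("deny", INTERNAL_NET, None, 53, "every other host must use the internal DNS servers"),
    Rule("deny", frozenset({BLOCKED_WORKSTATION}), "tcp", 80, "workstation cut off from the web"),
    Rule("deny", frozenset({BLOCKED_WORKSTATION}), "tcp", 443, "and from HTTPS"),
    Rule("allow", INTERNAL_NET, "tcp", 80, "plain web for everyone else; Websense still filters"),
    Rule("allow", INTERNAL_NET, "tcp", 443, "HTTPS for everyone else"),
    # No rule for 8080/3128/1080 etc.: the implicit default deny covers proxy ports.
]


def evaluate(flow: Flow, acl: List[Rule] = EGRESS_ACL) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule; default is deny."""
    if flow.src in INTERNAL_NET and flow.dst in INTERNAL_NET:
        return ("allow", "internal traffic never crosses the egress firewall")
    for rule in acl:
        if rule.matches(flow):
            return (rule.action, rule.comment)
    return ("deny", "implicit default deny")


# Constructed firewall log lines: "<time> <src> <dst> <proto> <dport> <action>".
SAMPLE_LOG = """\
2007-02-04T20:05:01 192.168.1.10 198.51.100.53 udp 53 allow
2007-02-04T20:05:02 192.168.1.57 203.0.113.9 udp 53 deny
2007-02-04T20:05:03 192.168.1.57 203.0.113.9 udp 53 deny
2007-02-04T20:05:04 192.168.1.1 203.0.113.80 tcp 80 deny
2007-02-04T20:05:05 192.168.1.20 203.0.113.80 tcp 80 allow
2007-02-04T20:05:06 192.168.1.57 198.51.100.53 udp 53 deny
"""


def direct_dns_offenders(log_text: str, resolvers=INTERNAL_DNS) -> Dict[str, int]:
    """Count port-53 attempts to external addresses by hosts that are not resolvers.

    Denied or not, repeated attempts mean a workstation is configured to bypass the
    internal DNS servers, which is what the DHCP scope should be checked for.
    """
    counts: Dict[IPv4Address, int] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash
        _ts, src, dst, _proto, dport, _action = parts
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if int(dport) != 53 or src_ip in resolvers:
            continue
        if src_ip in INTERNAL_NET and dst_ip not in INTERNAL_NET:
            counts[src_ip] = counts.get(src_ip, 0) + 1
    return {str(ip): n for ip, n in sorted(counts.items(), key=lambda kv: -kv[1])}


if __name__ == "__main__":
    for f in (Flow(ip_address("192.168.1.57"), ip_address("198.51.100.53"), "udp", 53),
              Flow(ip_address("192.168.1.1"), ip_address("203.0.113.80"), "tcp", 80),
              Flow(ip_address("192.168.1.20"), ip_address("203.0.113.80"), "tcp", 8080)):
        print(f.src, f.proto, f.dport, "->", evaluate(f))
    print("direct DNS offenders:", direct_dns_offenders(SAMPLE_LOG))
```

    The default-deny tail is what makes post #5's suggestion (leave only port 80 outbound and let the proxy ports die) fall out of the same ruleset without listing every proxy port by hand, and the offender count is the report to look at after the rule goes live: a host that keeps hitting the deny rule has a static or hand-edited resolver setting worth correcting at the client.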

  5. #5
    Member
    Join Date
    Dec 2006
    Posts
    33
    I would just block all proxy ports at the firewall/router, and just leave port 80 outbound available. It would limit the choices of proxies greatly.

    Also, shouldn't your Websense be blocking DNS requests to blocked sites? I'm familiar with Websense as a web blocker, but not how it blocks. I would copy/paste all the sites/IPs that Websense blocks into a table and use that in the same way I'd use a hosts file in Windows...

  6. #6
    Senior Member
    Join Date
    Aug 2002
    Posts
    123
    We have a SonicWall Pro 4060 firewall. Sounds like a great idea to create the ACLs at the firewall. I need to verify the lease time though with my DHCP server. It would be a mess if machines received different IPs at renew time. This would work nicely if my network was static. I have a hard time keeping up with proxy lists in Websense. There are new proxies every day.

  7. #7
    Nokia (Right turn Clyde)
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Yeah, good point. I forgot to mention that you should be able to set the lease time to unlimited, which obviously just means the same host will get the same IP each time it asks for one.

  8. #8
    ShagDevil (Some Assembly Required)
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    Quoting Nokia: "You can also lock down IE in every way imaginable via Group Policy, e.g. prevent them automatically entering a proxy configuration in the Internet settings."
    Nokia is absolutely correct on that one. You can lock down IE to the point where they can't even use it. The one easy thing to do is this (if you're just looking to lock down a few machines and not apply a network-wide GPO):
    -logon to the machine you want to lock down
    -run gpedit.msc
    -Go to Computer Configuration--> Administrative Templates--> Windows Components--> Internet Explorer--> Internet Control Panel
    -Don't expand Internet Control Panel, just highlight it
    -From here, you can disable *everything* from General to the Advanced tabs that most users have access to under Internet Options.

    This may be one way of keeping these specific users from bypassing anything. Just a thought. Good luck.

    **Just be aware that if you do have a network-applied GPO, it will override the local GPO settings on the local machine. Working with GPOs can get messy, so take your time.
    Last edited by ShagDevil; February 5th, 2007 at 12:24 AM.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  9. #9
    SirDice (Just Another Geek)
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I would look at setting up a proxy. It's a bad idea to let each and every workstation have full Internet access on their own. By forcing the workstations through a proxy you have way more control and logging capabilities. If you turn on NTLM authentication on the proxy you can give Internet access based on a username; authentication would be done in the background. By using a proxy you also limit the extent to which clients have internet access and what they can visit. If a workstation gets infected it cannot easily spread outside of your network because it is not able to access the Internet directly. If you also use a content scanner on the proxy you'll also be able to prevent infections in the first place. Proxy settings can be enforced using a GPO and you will be able to prevent users from modifying the settings themselves. If they do manage to modify the settings they can't go anywhere except through your proxy. That solves your problem entirely and in the process adds another layer of security to your network. The more layers the better.
    Last edited by SirDice; February 5th, 2007 at 02:26 PM.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
