
Windows Server 2016 (DNS server on machine affecting host machine) (Website blocking on domain users)

Solved by Jarsky.

Hey, so I have a Windows Server 2016 and an Ubuntu server running a DNS server on it. So I am trying to use it to block clients on the domain from accessing almost all websites. So on the Windows server's DNS settings I added the Ubuntu server as a "Forwarder". And this actually works; any client connected to the domain (which is grabbing DNS from the Windows server... well, that's how that works haha) is affected by the DNS server. The issue I am having is the host machine (the Windows server) is also affected by the DNS (because it's its own DNS). I have never been able to resolve this issue. The issue is the DNS server blocks everything except like 10 websites; the domain runs on laptops that school children use. I know this kinda stuff is extremely complicated and my Frankenstein way of doing it is probably not the best. Just wondering if there's a way to have the DNS server only affect domain clients, not the host?

 

And maybe someone has a solution to my problem for the whole thing. It's a small non-profit business that has a private school of about 100 children running along with it; same network, same building. The school wants everything blocked but like 10 websites. I used Chrome supervisor accounts in the past to solve this problem, but Google is getting rid of them and I knew it was never a permanent or good solution; it just worked perfectly for the need. I thought of firewall blocking the sites, but that would affect all clients. And we have about 100 business local IPs and about 60 school local IPs. I thought about maybe doing a different VLAN for the school and blocking through the firewall for that VLAN (or even a totally different network) (we have an NSA 2600 SonicWall firewall that allows for up to 8 different LANs), which I am not opposed to; but then the domain server would have to go on the other VLAN; again not a big deal, just thoughts.

 

What I am really asking is: has anyone ever seen a good DNS or website blocking solution for a limited number of users on the network that doesn't affect all the other clients? I have been looking for over a year now for maybe a software-based program I can install on the laptops for website blocking, but can't find anything good. I am also aware of hosts file blocking, which is a possibility. I really don't want to rip up the current network and split VLANs and networks; trying to make that the last solution if no other solution comes.

 

Sorry, that was a lot, but thank you in advance for any help and advice.


That's a terrible way of doing it :)

 

Is your machine a domain controller? If so, you can't fix it.

 

If it's not a DC, then simply set the DNS settings of the Windows server to use 8.8.8.8 as the primary DNS server; it doesn't need to use localhost for DNS.


43 minutes ago, Jay Deah said:

That's a terrible way of doing it :)

 

Is your machine a domain controller? If so, you can't fix it.

 

If it's not a DC, then simply set the DNS settings of the Windows server to use 8.8.8.8 as the primary DNS server; it doesn't need to use localhost for DNS.

Haha, I know; the server is a domain controller. I am looking into setting up the school laptops on an IP range (like 192.168.1.45-100) and blocking on a firewall level just for those IPs.


A couple of different ways I can think of... (I'm a dev and not an admin, so perhaps an admin will chime in with a better solution.)

 

Blocking at the firewall level is an option; however, if the sites in scope are using SSL and do not support SNI/TLS, then the "host" header will be encrypted as well and you will not be able to use that in a rule.

 

A quick and dirty way would be to modify the hosts file on each machine... you can push it to the machines using GPP (at the computer configuration level) vs. touching each machine individually.

 

Setting up multiple DNS servers and using DHCP to hand out the blocked DNS server is another option; however, it would take the most configuration and planning/design...

 

Good luck.


1 hour ago, ibejohn said:

A quick and dirty way would be to modify the hosts file on each machine...

Don't do this. DNS was created for a reason. Managing 100+ hosts files is practically a full-time job.

 

On 2/20/2018 at 7:46 AM, Ericarthurc said:

What I am really asking is: has anyone ever seen a good DNS or website blocking solution for a limited number of users on the network that doesn't affect all the other clients?

DNS blocking doesn't really work. It's how IPs blocked TPB in Australia recently. Most people used Google DNS and were not aware TPB was blocked.

 

Look into a dedicated appliance designed for this. Cyberhound, Barracuda, Sophos UTM, and a few others will do what you want. Just make 2 AD security groups, 1 for unfiltered and 1 for filtered access. The device will use LDAP to sync accounts out of AD, so you don't have to manage it once you have your lists created.

 

Some of these appliances can be configured to act as a CA for all systems downstream of them, so most "secure" traffic can be analysed by the admin and restrictions can still apply (think of it as an authorized man-in-the-middle attack on yourself).


Ideally you want to have a proxy that controls what sites people can get to, rather than using DNS. Something like Squid Proxy is really easy to use, and has LDAP authentication with which you can then control which OUs/DNs are affected and to what extent.

 

At our work we use Websense appliances, and a few of our customers use WebMarshal.

We do DNS sinkholing, but really that's more of a security precaution than using it to control general website access.


Just wanted to thank everyone for the help! I ended up making a Squid proxy server with DansGuardian for content filtering, then updated the school computers' group policy with the proxy settings, and it works perfectly! Thank you guys! Helped me solve a pretty big issue :D

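To make concrete what Jarsky's "LDAP authentication ... control which OUs/DNs are affected" suggestion and the thread's final Squid-based setup look like in practice, here is an added, constructed squid.conf fragment (not the poster's or Jarsky's configuration, and it does not cover the DansGuardian piece). It assumes a domain "school.example" with a domain controller "dc1.school.example", a read-only bind account "squid-bind", an AD group "School-Laptops" for the filtered accounts, and helper paths as packaged on Debian/Ubuntu; the allowlisted domains are placeholders for the roughly 10 real sites.

```conf
# Constructed example squid.conf fragment; all names, DNs, paths and
# passwords below are assumptions, not values from the thread.
http_port 3128

# Basic auth against Active Directory over LDAP (checks username/password).
# -R: do not follow referrals; %s is replaced by the supplied username.
auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
    -b "dc=school,dc=example" \
    -D "cn=squid-bind,cn=Users,dc=school,dc=example" -w "CHANGE_ME" \
    -f "sAMAccountName=%s" -h dc1.school.example
auth_param basic children 5
auth_param basic realm School proxy
auth_param basic credentialsttl 1 hour

# Group membership helper: %v = authenticated user, %a = group name taken
# from the acl line that references this helper. Cached for 5 minutes.
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/ext_ldap_group_acl -R \
    -b "dc=school,dc=example" \
    -D "cn=squid-bind,cn=Users,dc=school,dc=example" -w "CHANGE_ME" \
    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Groups,dc=school,dc=example))" \
    -h dc1.school.example

acl authed proxy_auth REQUIRED
acl school_users external ad_group School-Laptops

# The school allowlist (placeholder domains; a leading dot matches subdomains).
acl school_allow dstdomain .khanacademy.org .wikipedia.org

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Rule order matters: reject anonymous requests, confine School-Laptops
# members to the allowlist, then let every other authenticated (staff)
# account through unfiltered, as the two-group design in the thread describes.
http_access deny !authed
http_access allow school_users school_allow
http_access deny school_users
http_access allow authed
http_access deny all
```

The proxy only filters traffic that reaches it, so the school address range also needs an outbound block on ports 80/443 at the firewall (the NSA 2600 mentioned above) so laptops cannot simply bypass the proxy; and because Basic auth sends the AD password to the proxy in cleartext, keep the proxy on the trusted LAN or switch the helper to Squid's Negotiate/Kerberos authentication.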