DNS and limited internet access

I have what I think is an unusual request from my IT Manager. We want a standalone 2000 server with DNS only. We want users to have the ability to access the internet (from workgroups) via the DNS server, but only to sites they are requesting as work-related (no recreational browsing). I believe the DNS server should point to itself as the main resource, but am not sure where the records would lie. It looks like a HOST file type answer is in the works, but I would hope 2000 would be a little more sophisticated than that.
Any ideas? Thanks
David
 
Some IT managers are sick, and twisted, and create projects so people only
fail...
Get out while you can.
Tell him that what he asks is an unreasonable request and begin looking for
a new job.

David said:
I have what I think is an unusual request from my IT Manager. We want a
standalone 2000 server with DNS only. We want users to have the ability to
access the internet (from workgroups) via the DNS server, but only to sites
they are requesting as work-related (no recreational browsing). I believe
the DNS server should point to itself as the main resource, but am not sure
where the records would lie. It looks like a HOST file type answer is in the
works, but I would hope 2000 would be a little more sophisticated than that.
 
DNS is not the answer. You need ISA Server or a program that can block or
allow web sites by name.

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


David said:
I have what I think is an unusual request from my IT Manager. We want a
standalone 2000 server with DNS only. We want users to have the ability to
access the internet (from workgroups) via the DNS server, but only to sites
they are requesting as work-related (no recreational browsing). I believe
the DNS server should point to itself as the main resource, but am not sure
where the records would lie. It looks like a HOST file type answer is in the
works, but I would hope 2000 would be a little more sophisticated than that.
 
Thanks, everybody, for your responses. I will try to convince him with the
Trail software that it's worth the money. The more I read, the more sense
ISA makes as far as the one-stop solution.
Regards,
David

David said:
I have what I think is an unusual request from my IT Manager. We want a
standalone 2000 server with DNS only. We want users to have the ability to
access the internet (from workgroups) via the DNS server, but only to sites
they are requesting as work-related (no recreational browsing). I believe
the DNS server should point to itself as the main resource, but am not sure
where the records would lie. It looks like a HOST file type answer is in the
works, but I would hope 2000 would be a little more sophisticated than that.
 
A DNS server is not the answer, as users will be able to enter IP addresses in the
address bar to access sites that way. The best solution is a firewall solution, and
there are several options, possibly even your existing firewall if it can control
outbound access adequately. IPsec filtering policies can also be implemented on a
W2K/XP Pro computer that could block all access outbound to port 80/443 except the IP
addresses of authorized sites. IPsec policies can be created and then imported to
other computers in an environment where you do not have a domain where you can
implement such policy via a GPO.
--- Steve

http://www.securityfocus.com/infocus/1559 -- good primer on IPsec filtering policy.
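
The filtering approach in the reply above, modeled as an added example that is not part of the original thread: a general block on outbound ports 80/443 plus per-site permits. The addresses are constructed documentation-range values, the function names are hypothetical, and the most-specific-filter-wins ordering is an assumption of this model.

```python
import ipaddress

# Constructed policy: block outbound web traffic, permit two authorized sites.
# Addresses are documentation ranges (RFC 5737), not real sites.
WEB_PORTS = (80, 443)
AUTHORIZED = ["192.0.2.10", "198.51.100.25"]

def build_filters(authorized, ports=WEB_PORTS):
    """Return (network, port, action) filters: one general block plus per-site permits."""
    filters = [(ipaddress.ip_network("0.0.0.0/0"), p, "block") for p in ports]
    for addr in authorized:
        net = ipaddress.ip_network(addr)  # a bare address becomes a /32
        filters += [(net, p, "permit") for p in ports]
    return filters

def decide(filters, dst_ip, dst_port):
    """Apply the most specific matching filter; unmatched traffic is not filtered."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [f for f in filters if f[1] == dst_port and dst in f[0]]
    if not matches:
        return "permit"  # e.g. DNS on port 53 is outside this policy
    # Assumption: longest prefix wins, so a /32 permit overrides the 0.0.0.0/0 block.
    return max(matches, key=lambda f: f[0].prefixlen)[2]

def audit(filters, attempts):
    """Return the attempts the policy would drop, for review."""
    return [(ip, port) for ip, port in attempts if decide(filters, ip, port) == "block"]

if __name__ == "__main__":
    filters = build_filters(AUTHORIZED)
    # Constructed outbound attempts; the third is a raw IP typed in the address bar.
    attempts = [("192.0.2.10", 443), ("198.51.100.25", 80),
                ("203.0.113.7", 80), ("203.0.113.7", 53)]
    for ip, port in attempts:
        print(f"{ip}:{port} -> {decide(filters, ip, port)}")
    print("dropped:", audit(filters, attempts))
```

Because the decision is made on the destination address and port, it holds whether or not the client performed a DNS lookup, which is the gap a DNS-only control leaves open. The permit list has to be maintained as authorized sites change addresses.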

David said:
I have what I think is an unusual request from my IT Manager. We want a standalone
2000 server with DNS only. We want users to have the ability to access the internet
(from workgroups) via the DNS server, but only to sites they are requesting as
work-related (no recreational browsing). I believe the DNS server should point to
itself as the main resource, but am not sure where the records would lie. It looks
like a HOST file type answer is in the works, but I would hope 2000 would be a little
more sophisticated than that.
 
Be careful with the "one-stop solution". ISA is a great product but there
is no such thing as a true "one-stop solution". Even as good as ISA is, it
is not going to do "...everything an IT manager could ever think of...".
Even ISA has its limits,...that's why there are a lot of third-party
"add-on" components for ISA. So don't get too "carried away", or worse,
let your IT manager get too "carried away" with ideas. Just be realistic.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 