dns / authoritative / child domains


barry

quick scenario overview:

My company have about 150 remote stores around the company, connecting to
Head Office via VPN. They are in a child domain of the domain in HO.
Obviously looking to their own DNS servers to find DCs etc. Now, we'd like a
way to manage what sites they can visit on the interweb. Currently the best
(i.e. cheapest...) is to not allow them to find the IP for domains, however,
the DNS of the child domain forwards anything upwards to the parent.

So my theory is as follows:

If we set the child domain DNS servers to be authoritative for "." then they'll
never forward any requests outwards and we can simply add in zones for
sites that we want them to visit. But, then they won't know how to talk to
the parent domain unless I make it authoritative for that domain too, which is
ok. But as it's a child domain, is it going to cause any problems with it
being authoritative for its parent?



Is the above even possible?? Am I talking rubbish?? Any better ideas??



Cheers for any info

barry
 
Let's see.... the problem you are trying to solve is: PREVENT users from
going to unapproved websites.

Tool to use: A Proxy server.

My Mantra: ALWAYS use the right tool for the job at hand.

HTH

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 
b> Now, we'd like a way to manage what sites they can visit on the
interweb.

.... and so you set up a restricted proxy HTTP server and made its use
mandatory within your organization, immediately realizing that the DNS
was not the tool for this job at all.
 
Jonathan de Boyne Pollard said:
b> Now, we'd like a way to manage what sites they can visit on the
interweb.

... and so you set up a restricted proxy HTTP server and made its use
mandatory within your organization, immediately realizing that the DNS was
not the tool for this job at all.

I know DNS isn't the tool for the job, but if you only have a hammer,
everything is a nail.

So, two "don't knows" anyone got an answer?
 
In
barry said:
quick scenario overview:

My company have about 150 remote stores around the
company, connecting to Head Office via VPN. They are in a
child domain of the domain in HO. Obviously looking to
their own DNS servers to find DCs etc. Now, we'd like a
way to manage what sites they can visit on the interweb.
Currently the best (i.e. cheapest...) is to not allow them
to find the IP for domains, however, the DNS of the child
domain forwards anything upwards to the parent.

So my theory is as follows:

If we set the child domain DNS servers to be authoritative
for "." then they'll never forward any requests outwards
and we can simply add in zones for sites that we want
them to visit. But, then they won't know how to talk to
the parent domain unless I make it authoritative for that
domain too, which is ok. But as it's a child domain, is
it going to cause any problems with it being authoritative
for its parent?



Is the above even possible?? Am I talking rubbish?? Any
better ideas??

I second the motion DNS isn't the tool for this, it is too easy to
circumvent.

If you only have a few sites you want to allow access to, you can create a
policy to use a bogus proxy server address. Then add the site you want to
allow access to the Bypass proxy list. Of course you'll have to block access
to the connections page in your GPO. This one they cannot get around, I use
this to force my kids to use the proxy so that everything is scanned for
viruses.
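As an added example (not from the thread or any of its posters), the registry values behind the "bogus proxy + bypass list" approach described in the reply above, applied to the current user and then checked. The dead proxy address 127.0.0.1:9 and the allowed hosts are assumptions; in production Group Policy writes these values, and setting them by hand is only for seeing the effect on a test machine.

```powershell
# Added example: WinINET proxy allowlist as described in the thread.
# Assumed: 127.0.0.1:9 is a deliberately dead proxy (nothing listens there,
# so every request not on the bypass list fails); the hosts are hypothetical.
$internetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ieControlPanel   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

# Hosts the stores may reach directly; everything else goes to the dead proxy.
# "<local>" keeps dot-less intranet names (the store's own DC) going direct.
$allowedHosts = @('*.example.com', 'supplier.example.net', '<local>')

function Set-AllowlistProxy {
    param([string]$DeadProxy = '127.0.0.1:9', [string[]]$Bypass = $allowedHosts)
    if (-not (Test-Path $internetSettings)) { New-Item -Path $internetSettings -Force | Out-Null }
    Set-ItemProperty -Path $internetSettings -Name ProxyEnable   -Value 1 -Type DWord
    Set-ItemProperty -Path $internetSettings -Name ProxyServer   -Value $DeadProxy -Type String
    Set-ItemProperty -Path $internetSettings -Name ProxyOverride -Value ($Bypass -join ';') -Type String
    # Policy "Disable the Connections page": hides the tab so the user cannot
    # simply switch the proxy off again.
    if (-not (Test-Path $ieControlPanel)) { New-Item -Path $ieControlPanel -Force | Out-Null }
    Set-ItemProperty -Path $ieControlPanel -Name ConnectionsTab -Value 1 -Type DWord
}

function Test-AllowlistProxy {
    $s = Get-ItemProperty -Path $internetSettings
    $p = Get-ItemProperty -Path $ieControlPanel -ErrorAction SilentlyContinue
    $bypass = @()
    if ($s.ProxyOverride) {
        $bypass = $s.ProxyOverride -split ';' | ForEach-Object { $_.Trim() }
    }
    # A bare "*" (or "*.*") in the bypass list sends every host direct and
    # silently turns the allowlist into "allow everything".
    $tooBroad = @($bypass | Where-Object { $_ -eq '*' -or $_ -eq '*.*' })
    [pscustomobject]@{
        ProxyEnabled         = ($s.ProxyEnable -eq 1)
        DeadProxySet         = -not [string]::IsNullOrEmpty($s.ProxyServer)
        BypassEntries        = $bypass
        NoBroadWildcard      = ($tooBroad.Count -eq 0)
        ConnectionsTabHidden = ($null -ne $p -and $p.ConnectionsTab -eq 1)
    }
}

Set-AllowlistProxy
Test-AllowlistProxy | Format-List
```

Only applications that take their proxy settings from WinINET honour these values; anything with its own proxy configuration is outside what this approach controls.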
 