DNS server to force clients to a single web page


Mike

Is there a way in MS DNS or a product that will allow me to force my clients
to go to a certain web page no matter what url they type?

We have a null vlan setup and when students get a virus we move them there.
It gives them no access to the rest of our network. I would like to provide
them with antivirus software there. It would be nice if I could force their
web browser to take them there automatically.

Is this possible?

Thanks
Mike
 
That's not a feature of DNS Server.

Maybe you can use "net send" to inform them.


--
following is just my thought

In Routing and Remote Access,
redirect all incoming packets whose "source addr. is one of the infected IPs
AND dest. port is 80" to an IIS Server.
Change the web site's error 404 message and default page on that IIS Server.

Thus whenever they want to view any web pages, they will see the information
you provided.
 
There are some modifications.

Eric Tsai said:
That's not a feature of DNS Server.

Maybe you can use "net send" to inform them.
In RRAS on the default gateway (here means if the gateway is a Windows
Server)
(Or admin. console of hardware router) of those clients,
 
I guess that should really say any host name = xxx.xxx.xxx.xxx. I want it
to go to a specific IP address no matter what web page they type in.

This would be set up on a "quarantined network".
 
Mike said:
Is there anything that I can just set that says any host name =
www.mypage.com ? That's all I want.

Do they log on to a Win2k domain?

If they do, then you can force that page as the default Home page in
Internet Explorer by adding it to the default domain policy.
 
No. These would be student computers in dorm rooms that could be any OS.
When we detect they have a virus we move their MAC to a null VLAN until they
get it cleaned. There are no services in that VLAN and they cannot talk to
any other devices on our network. If I can set up a basic DHCP and DNS
server there that would redirect every web page to an antivirus page I
create, they could clean their own machines without having to drag them down to
the helpdesk.
 
You can do it with a combination of a DNS server or Proxy server and a web
server.
Perhaps a Proxy web server can replace the DNS server.

Try Privoxy -- a free, open source Proxy server ( http://sourceforge.net )
-- it allows you to block or allow anything from nothing to one particular
URL.
It can redirect blocked traffic to other URLs etc.

Privoxy can handle far more complex tasks than this and it can chain to other
Proxy Servers as well (e.g., ISA).
 
Is there a way in MS DNS or a product that will allow me to force my clients
to go to a certain web page no matter what url they type?

That's not a DNS function. Some firewalls can do this redirection.

Jeff
 
If, as you say, the clients are in a secluded network, and you have the
freedom to set up a DNS server that would serve only those clients, you could
set up a server with the root zone on it, add a wildcard A record to point to
the IP address of your choice, and that would do the trick. Much like the
Verisign sitefinder service.

Keep in mind that this is obviously dangerous because you'd have broken
actual name resolution completely through this server -- You'll have to
think of how the clients, once they are patched, get "real" DNS servers back
in their list, and so on.
 
Rahul Indurkar said:
If, as you say, the clients are in a secluded network, and you have
the freedom to setup a DNS server that would serve only those
clients, you could setup a server with the root zone on it, add a
wildcard A record to point to the IP address of your choice, and that
would do the trick. Much like the Verisign sitefinder service.

I did this messing around with my students to teach them about the Root
zone. I was sending them to wherever I wanted to.

:-)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
M> We have a null vlan setup and when students get a virus we move
M> them there. It gives them no access to the rest of our network.
M> I would like to provide them with antivirus software there. It
M> would be nice if I could force their web browser to take them
M> there automatically.

This is a trick that has been commonly employed recently. (My ISP even
employs it. Any customer whose machines trigger Microsoft Worm recognition
alarms at a honeypot server has its IP access automatically curtailed.) See
discussions on the NANOG mailing list.

Provide a DNS server on that network that has a "." "zone" (not root hints)
with a wildcard "A" resource record in it. For best results, this DNS server
should listen on all IP addresses, although you can probably get away with it
listening merely on the IP addresses on which you normally provide your proxy
DNS service and on the IP addresses used by all of the various root server
organisations (ICANN, ORSC, ORSN, PacificRoot, /et al./).

Be aware that catch-all servers are a lot of work - more work than most people
think. Internet is not just HTTP, misconceptions to the contrary
notwithstanding. At the very least, you'll have to deal with, on your
catch-all server, quite a large number of other popular TCP services in a
manner that doesn't cause data loss or an invasion of privacy. This is not a
trivial exercise.

If you aren't either prepared or able to do this properly, I strongly suggest
not doing it at all.
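
An added example, not written by any poster in this thread: the wildcard "A" record in a "." zone described above, expressed as the reply a quarantine-VLAN resolver sends for each query. `PORTAL_IP`, `TTL` and the function names are assumptions; the short TTL is there so the catch-all answers expire soon after a cleaned machine is moved back to real DNS servers.

```python
import ipaddress
import struct

PORTAL_IP = "192.0.2.10"  # constructed: remediation web server (TEST-NET-1)
TTL = 30                  # seconds; keep short so stale answers expire quickly

def question_end(msg: bytes) -> int:
    """Offset just past the first question (QNAME + QTYPE + QCLASS)."""
    pos = 12  # fixed DNS header length
    while pos < len(msg) and msg[pos] != 0:
        if msg[pos] & 0xC0:
            raise ValueError("compressed name in question")
        pos += 1 + msg[pos]
    if pos + 5 > len(msg):
        raise ValueError("truncated question")
    return pos + 5  # root label + 2-byte QTYPE + 2-byte QCLASS

def catch_all_reply(query: bytes, portal_ip: str = PORTAL_IP) -> bytes:
    """Answer every A/IN query with portal_ip, whatever the name.

    Other record types (AAAA, MX, ...) get an empty NOERROR reply, so
    nothing but web lookups is steered at the portal host.
    """
    if len(query) < 17:
        raise ValueError("truncated query")
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    end = question_end(query)
    qtype, qclass = struct.unpack("!HH", query[end - 4:end])
    is_a = (qtype, qclass) == (1, 1)
    rflags = 0x8400 | (flags & 0x0100)  # QR=1, AA=1, RD copied, RCODE=0
    reply = struct.pack("!HHHHHH", qid, rflags, 1, 1 if is_a else 0, 0, 0)
    reply += query[12:end]  # echo the question section unchanged
    if is_a:
        # 0xC00C points back at the QNAME at offset 12
        reply += struct.pack("!HHHIH", 0xC00C, 1, 1, TTL, 4)
        reply += ipaddress.IPv4Address(portal_ip).packed
    return reply

def build_query(name: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal recursive query for name."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)
```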
 
Microsoft Internet Security and Acceleration server will do this for you. For more information please reference http://www.microsoft.com/isaserver.

Thank you,
Mike Johnston
Microsoft Network Support

--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
 