Deji Akomolafe said:
You create the zones in your dns server and don't create any record under
the zone. If the zone is on your DNS server, your DNS will not forward any
request for any record in that zone. For example, if the malicious site is
www.fubar.foo, you will create a zone called fubar.foo and you are done. You
will of course need to restart dns client services on your computers, just
in case they have already cached the records.
Typically, I use my ISA server for this blocking purpose.
I agree with Deji (that's what I meant above by
"empty zones" or "dead server host records").
Also note, this isn't real security if the users are
(smart??? enough to be) able to enter the IP
addresses.
You might want to use a product like ISA (as Deji
suggests) or even Privoxy or a DIFFERENT forwarder
(caching only) DNS, or Privoxy, which is free on
SourceForge.net.
I use Win2003 DNS internally but forward to a
"caching only" BIND server in which I load a
70,000 entry DNS "dead list."
Privoxy is also part of my solution -- it can "defang"
scripts and still allow much of a page to display so
that (even unknown) places can be made safe.
That is, certain scripting or file types are only allowed
at explicitly safe sites.
This is similar to the IE "zone" idea but with much more
granular and sophisticated choices that can be controlled
from a central location for all machines.
Privoxy and ISA are NOT mutually exclusive choices.
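As an added illustration of the empty-zone ("dead list") technique both posters describe, and not code from this thread: the script below turns a plain domain list into BIND zone stanzas plus the shared empty zone file, and checks which query names the resolver would answer locally instead of forwarding. The list format, file paths and nameserver names are assumptions.

```python
"""Build a BIND 'dead list' of empty zones from a plain domain list.

Assumed layout (not from the original thread): one domain per line,
'#' comments allowed; every blocked zone shares one empty zone file.
"""
import re

# Constructed sample dead list; the thread's example site is fubar.foo.
DEAD_LIST = """
# blocked sites
fubar.foo
WWW.Fubar.Foo.
bad-ads.example
bad-ads.example
not a domain!
"""

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_dead_list(text):
    """Return sorted unique zone names; invalid lines are skipped."""
    zones = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        labels = line.split(".")
        if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
            continue
        zones.add(line)
    # A zone already inside a listed parent zone is redundant:
    # fubar.foo alone already covers www.fubar.foo.
    return sorted(z for z in zones
                  if not any(z.endswith("." + p) for p in zones if p != z))


def named_conf(zones, empty_file="/etc/bind/db.empty"):
    """named.conf stanzas: the server is authoritative, so nothing is forwarded."""
    return "".join(
        f'zone "{z}" {{ type master; file "{empty_file}"; }};\n' for z in zones)


def empty_zone_file(ns="localhost.", hostmaster="hostmaster.localhost."):
    """Only SOA and NS: every other name in the zone answers NXDOMAIN."""
    return ("$TTL 3600\n"
            f"@ IN SOA {ns} {hostmaster} 1 3600 900 604800 3600\n"
            f"@ IN NS {ns}\n")


def is_blocked(qname, zones):
    """True if qname falls inside a listed zone (label-boundary match,
    so fubar.foo blocks www.fubar.foo but not notfubar.foo)."""
    q = qname.lower().rstrip(".")
    return any(q == z or q.endswith("." + z) for z in zones)
```

Because the check mirrors DNS zone authority, `notfubar.foo` and `fubar.foo.example` are still forwarded while anything under `fubar.foo` is answered locally; as the reply notes, a user who types the IP address directly is unaffected.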