Theoretically, yes.
IF they use ONLY your DNS server.
IF they ONLY use domain names to connect to things.
Like everyone else has said, this only stops the more ignorant (meant in the kindest sense) computer users.
For those with the slightest clue about how the Internet works, it would be only the slightest of annoyances.
If someone brings in a laptop with the DNS server set to something other than yours, it won't stop them. If someone connects using the IP address, rather than the domain name, this won't stop them.
To stop any user with even a small clue, like others have said, you need to start packet filtering or something more intrusive, which isn't too hard, depending on the gear you have.
Adam Augustine
Tony Despain wrote:
Adam,
The config you showed me will allow me to restrict my private network to use only the "example.com" domain, correct? So when they try to go to yahoo.com or anything other than example.com, it will deny them, am I right? Thanks again.
From: Adam Augustine <[EMAIL PROTECTED]>
Reply-To: BYU Unix Users Group <[EMAIL PROTECTED]>
To: BYU Unix Users Group <[EMAIL PROTECTED]>
Subject: Re: [uug] Restrict web access via dns
Date: Thu, 29 Apr 2004 22:08:26 -0600
Tony Despain wrote:
Does anyone know if it is possible to restrict a private network from accessing websites on the Internet by configuring BIND 9 a certain way? I only want to allow them the ability to query one domain. If so, how do you do it? I know you can do it with firewalls, but I am wondering if it is possible with DNS. Thanks in advance.
Tony
In named.conf, comment out the part that looks similar to this:
//zone "." {
//    type hint;
//    file "root.cache";
//};
Then for the zone you want to allow, put this (if you can slave the zone):
zone "alloweddomain.com" {
    type slave;
    masters { 192.168.0.1; };
    file "slave/alloweddomain.com.zone";
};
Replacing 192.168.0.1 with the IP address of the primary DNS server for the zone you want to allow. If you already control the DNS server for the domain you allow, then:
zone "alloweddomain.com" {
    type master;
    file "alloweddomain.com.zone";
    allow-update { none; };
};
If neither of these is an option, then per-zone forwarding or creating stub zones is the way to go. I don't remember how off the top of my head, but I have done it before, so I could look it up easily (if I weren't so darn lazy :-).
OK, maybe not; a quick Google and we have:
zone "alloweddomain.com" {
    type forward;
    forward first;
    forwarders { 192.168.0.1; };
};
This is probably the best of the solutions (just make sure you comment out the "." zone in named.conf) if you have no control over the domain you want to allow.
Adam Augustine
____________________
BYU Unix Users Group http://uug.byu.edu/
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
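A fuller named.conf assembled from the pieces in Adam's message, added here as an example and not part of the thread. It assumes the thread's placeholders (private network 192.168.0.0/24, allowed zone alloweddomain.com, its authoritative server at 192.168.0.1) plus a resolver address of 192.168.0.254 and a zone-file path of /var/named/empty-root.zone; rather than only commenting out the root hint zone, it makes the server authoritative for an empty root zone, because BIND 9 falls back to compiled-in root hints when no hint zone is configured and would otherwise still resolve everything.

```conf
// named.conf (added example, not from the thread). Placeholder values:
//   192.168.0.0/24  private network allowed to query this server
//   192.168.0.254   this resolver
//   192.168.0.1     authoritative server for alloweddomain.com
options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.168.0.254; };
    allow-query { 127.0.0.1; 192.168.0.0/24; };
    allow-recursion { 127.0.0.1; 192.168.0.0/24; };
    recursion yes;   // the forward zone below needs recursion enabled
    // No global "forwarders": names outside the allowed zone have no path out.
};

// Empty root zone: the server is authoritative for "." and answers NXDOMAIN
// for any name it has no more specific zone for. Commenting out the hint zone
// alone is not enough, because BIND 9 uses compiled-in root hints when no
// hint zone is configured.
zone "." {
    type master;
    file "empty-root.zone";
    allow-update { none; };
};

// The one domain clients may reach. The more specific zone wins over ".".
// "forward only" fails closed (SERVFAIL) if 192.168.0.1 is unreachable;
// "forward first" would fall back to the local empty root and answer NXDOMAIN.
zone "alloweddomain.com" {
    type forward;
    forward only;
    forwarders { 192.168.0.1; };
};

// Contents of /var/named/empty-root.zone (assumed path; serial is arbitrary):
//   $TTL 3600
//   @          IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 3600 )
//   @          IN NS   localhost.
//   localhost. IN A    127.0.0.1
//
// This only governs clients that actually use this resolver; the thread's
// point stands that a client pointed at another DNS server, or connecting by
// IP address, is unaffected unless port 53 egress is also filtered.
```

After reloading, a query to 192.168.0.254 for www.alloweddomain.com should return the forwarded answer, while a query for yahoo.com should come back NXDOMAIN with the authoritative flag set.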
