    I am trying to help a friend with their DNS configuration and I was hoping someone here might be able to advise as to the best way to prevent access to the internet for some of their computers.

    Their server is a Windows 2003 Active Directory with DNS set to "company.internal". The DNS is set to forward to the ISP for outside requests. My understanding is that client computers need to have the DNS address of the domain controller in its TCP/IP DNS field in order to log in. However, if the current configuration remains, wouldn't any computer that logs in be able to access the internet?

    How can internet access be restricted for some of the client computers? My friend can assign static addresses to the clients if it can be restricted by IP address.

    Is there any way for them to authenticate without using DNS?

    I am completely stumped, any assistance would be greatly appreciated.

    Many, many thanks in advance.

    You could set DHCP to NOT issue a Default Gateway thus no internet access.

    Don't think you can do this by groups of people though.

    Probably the easiest option would be to implement some sort of proxy server and base access via that.

    I know one of our sites uses a proxy and does it that way.


      Thanks for your response. I was thinking... If they had two servers, both DCs, and had the first server set up as the Primary DNS server and forward outside requests. Then have the second server as a Secondary DNS which does not forward. For those clients that need internet access, point them to the first server for authentication. For those with restricted access, point to the secondary server for authentication.

      Will this work?


        Depending on how many computers you have and how many users you want to deny access to, you could always set reservations for the users not allowed access which have a false default gateway. I implemented a similar method before: I set the global scope in DHCP to have a false gateway and set up reservations with the correct gateway to have internet access. Of course this is not foolproof; if the user finds out the gateway it can be manually set and give the user internet access. Still, it is a short term fix until something more solid can be done.


          There is no DHCP server. Prior to Server 2003 my friend had them set up with static addresses, and the ones with no access had no DNS or GATEWAY addresses. They indicated the static addresses will remain.

          Are you saying all you need to do is not provide a gateway address to the client and there is no internet access?

          That would be ideal; however, if the DNS for the client is pointing to a DNS server that forwards requests, wouldn't internet access be gained simply by logging in? Is my thinking wrong on this? I haven't been able to test it for him. I would prefer to recommend to him just to eliminate the GATEWAY address if that would work.

          Thanks again.


            DNS is essential to AD. If the clients don't have a DNS server then they ain't going to run right on the network. Remove the Default Gateway and they have no idea how to access the net.
              I would put the computers that do not require Internet access into an OU and configure a group policy to disable Internet Explorer.

              If your network has multiple subnets and you do not have a default gateway configured on your client, the client will not gain access from one subnet to another subnet!

              Third party software like I-gear from Symantec, set up via a proxy server, would provide a valid authentication through to the Internet, or not if required, as another option.

              Hope this is of some help to you.
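As an added example (not from the thread or any of its posters), a small Python model of the client's IP forwarding decision that shows the point made in the replies above about removing the default gateway, and the caveat about other subnets; the addresses, the client configurations and the set of live routers are constructed lab values.

```python
# Added example: a model of the IP forwarding decision a client makes, to
# show what the thread argues. With no default gateway the client can still
# reach the DC (on-link), so AD logon and DNS work even though the DC
# forwards queries to the ISP, but it has no route to the resolved public
# address, and none to other internal subnets either. A "false" gateway
# that is off-link or does not exist behaves the same way.
import ipaddress
from typing import Optional

# Constructed lab values (TEST-NET-3 stands in for any public address).
DC_IP = "192.168.1.10"            # AD/DNS server on the clients' subnet
PUBLIC_IP = "203.0.113.10"        # address the forwarding DNS hands back
OTHER_SUBNET_HOST = "192.168.2.20"
LIVE_ROUTERS = {"192.168.1.1"}    # routers that actually exist on the LAN

CLIENTS = {
    "allowed":    {"ip": "192.168.1.50", "mask": "255.255.255.0", "gw": "192.168.1.1"},
    "no_gateway": {"ip": "192.168.1.51", "mask": "255.255.255.0", "gw": None},
    "false_gw":   {"ip": "192.168.1.52", "mask": "255.255.255.0", "gw": "192.168.1.254"},
}

def next_hop(host_ip: str, mask: str, gateway: Optional[str], dest_ip: str) -> Optional[str]:
    """Return "direct" for an on-link destination, the gateway address when a
    usable default gateway exists, or None when the host has no path at all."""
    iface = ipaddress.ip_interface(f"{host_ip}/{mask}")
    if ipaddress.ip_address(dest_ip) in iface.network:
        return "direct"
    if gateway is None:
        return None
    gw = ipaddress.ip_address(gateway)
    # A gateway that is off-link or that no device answers for forwards nothing.
    if gw not in iface.network or gateway not in LIVE_ROUTERS:
        return None
    return gateway

def reachability(client: str) -> dict:
    """Next hop for the three destinations the thread cares about."""
    cfg = CLIENTS[client]
    targets = (("dc", DC_IP), ("internet", PUBLIC_IP), ("other_subnet", OTHER_SUBNET_HOST))
    return {name: next_hop(cfg["ip"], cfg["mask"], cfg["gw"], dest) for name, dest in targets}

if __name__ == "__main__":
    for client in CLIENTS:
        print(client, reachability(client))
```

Note that the model only covers routing; a restricted client can still resolve public names through the DC, which is why a proxy or a non-forwarding DNS server is the stronger control the thread also mentions.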